Specifications

Cisco Systems, Inc.
All contents are Copyright © 1992–2002 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
Page 12 of 42
5.2 Certificate Requirements
This section discusses the certificate requirements on both the client and the AAA server sides.
5.2.1 Client Certificate Requirements
For a client (a Windows XP Professional workstation, for example) to authenticate using EAP-TLS, the client must obtain a
personal (user) certificate. This certificate must meet several requirements:
Figure 5-1
Client Certificate and the Enhanced Key Usage Field
The certificate has to be installed while the user who will authenticate is logged on to the machine. A personal certificate
is placed in the personal store of whoever is logged on at install time, so one installed under a different user account is
not accessible to the intended user.
The certificate has to be X.509 Version 3 (as shown in Figure 5-1).
The certificate must carry the Enhanced Key Usage (EKU) field (the X.509 extendedKeyUsage extension). For the client
certificate, the EKU field must contain the Client Authentication purpose (OID “1.3.6.1.5.5.7.3.2”, as shown in Figure 5-1).
The subject name in the certificate must correspond to the user account name (either the username or the user ID of
the account), and that account must exist in one of the databases that support EAP-TLS. If, for example, the user
account name is “TME USER5” (first name = TME, last name = USER5), the cn part of the subject name in the
certificate has to be “TME USER5” (as shown in Figure 5-2). Alternatively, if the account name is “eaptls1” (the
user ID is used instead of the username), the cn part of the subject name has to be “eaptls1” (as shown in
Figure 5-3). If the cn carries an @domainName.xxx suffix, that suffix is ignored in the comparison.
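The certificate-side requirements above (X.509 v3, an EKU containing Client Authentication, and a subject cn that matches the account name once any @domain suffix is dropped) can be checked before the certificate is handed to a user. The following checker is an added example, not code from this document or from Cisco; it uses the third-party Python cryptography library, and the self-signed certificates it builds are constructed test data that stand in for certificates enrolled from a real CA. The first requirement, that the certificate sits in the personal store of the user who will authenticate, is a property of where it was installed rather than of the certificate itself, so it is not something this check can see.

```python
"""Check a client certificate against the EAP-TLS requirements listed above.

Added example (not from the Cisco document). Requires the `cryptography` package.
"""
import datetime
from typing import List

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# OID 1.3.6.1.5.5.7.3.2, the Client Authentication purpose named in the text.
CLIENT_AUTH = ExtendedKeyUsageOID.CLIENT_AUTH


def account_from_cn(cn: str) -> str:
    """Return the part of the cn that is compared with the account name.

    The document states that an "@domainName.xxx" suffix, if present, is not
    used in the comparison, so everything from the first '@' on is dropped.
    """
    return cn.split("@", 1)[0]


def check_client_cert(cert: x509.Certificate, account_name: str) -> List[str]:
    """Return a list of requirement violations; an empty list means the certificate passes."""
    problems: List[str] = []

    # Requirement: the certificate must be X.509 Version 3.
    if cert.version != x509.Version.v3:
        problems.append(f"certificate is X.509 {cert.version.name}, not v3")

    # Requirement: an EKU extension containing Client Authentication (1.3.6.1.5.5.7.3.2).
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        problems.append("no Extended Key Usage extension present")
    else:
        if CLIENT_AUTH not in eku:
            problems.append("Extended Key Usage lacks Client Authentication (1.3.6.1.5.5.7.3.2)")

    # Requirement: the subject cn must match the account name, ignoring any '@domain' suffix.
    cns = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    if not cns:
        problems.append("subject has no cn attribute")
    elif account_from_cn(cns[0].value) != account_name:
        problems.append(f"subject cn {cns[0].value!r} does not match account {account_name!r}")

    return problems


def check_pem(pem_data: bytes, account_name: str) -> List[str]:
    """Convenience wrapper for a certificate exported as PEM (e.g. from the user's personal store)."""
    return check_client_cert(x509.load_pem_x509_certificate(pem_data), account_name)


def make_test_cert(cn: str, with_client_auth_eku: bool = True) -> x509.Certificate:
    """Build a throwaway self-signed certificate (constructed test data, not a CA enrolment).

    CertificateBuilder always emits X.509 v3, so the version check passes; the EKU
    extension is added only when requested so the negative case can be exercised.
    """
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
    )
    if with_client_auth_eku:
        builder = builder.add_extension(
            x509.ExtendedKeyUsage([CLIENT_AUTH]), critical=False
        )
    return builder.sign(key, hashes.SHA256())


if __name__ == "__main__":
    # The two naming styles from the text, plus a certificate that fails twice.
    cases = [
        (make_test_cert("TME USER5"), "TME USER5"),
        (make_test_cert("eaptls1@example.com"), "eaptls1"),
        (make_test_cert("eaptls1", with_client_auth_eku=False), "eaptls2"),
    ]
    for cert, account in cases:
        result = check_client_cert(cert, account)
        print(account, "->", "OK" if not result else "; ".join(result))
```

To check a real client certificate, export it from the user's personal store as a Base-64 (PEM) file and pass its bytes to check_pem together with the account name the AAA server will look up; any non-empty result explains which of the requirements above the certificate fails.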