Specifications
Cisco Systems, Inc.
All contents are Copyright © 1992–2002 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
6.1 System Components
Following are descriptions and prerequisites for the Validation Lab components:
• Cisco Aironet access point—Minimum access point firmware of 11.06 for 802.1x Draft 10; 11.10T or the
latest version is recommended.
• Cisco Secure ACS v3.0—Cisco Secure ACS provides the AAA server functionality in a wireless/wired LAN
network; Version 3.0 provides support for LEAP, EAP-TLS, and EAP MD5 authentication (802.1x) protocols.
• Microsoft XP Professional Client—Provides support for standards-based 802.1x authentication protocols such
as EAP-TLS and EAP MD5.
• Microsoft 2000 Client—An example LEAP client in an enterprise WLAN network.
• Microsoft certification authority server—Microsoft Windows 2000 Server running Microsoft Certification
Authority Services; this is a private root certification authority server. Using a private root certification authority
is preferred for enterprise PKI certificate distribution and management.
• Microsoft 2000 Server—Providing Active Directory Services for user management, DHCP, and DNS services (if
preferred, DHCP and DNS services could run on individual servers).
6.2 ACS Configuration
This section discusses the steps required to configure the ACS v3.0 for EAP-TLS. (For information about generic ACS
configuration details, refer also to ACS documentation.)
Configuring ACS for EAP-TLS requires three stages:
• Obtaining an ACS certificate
• Configuring ACS “System Configuration” parameters to enable EAP-TLS
• Configuring the appropriate network-access-server type for the access point in Network Configuration
6.2.1 Obtaining the Server-Side Certificate
As discussed in Section 4, the ACS server must obtain a server certificate from the enterprise root certification
authority server to authenticate a WLAN EAP-TLS client. Obtaining a server certificate and installing it onto the ACS
may be accomplished in one of these ways:
• Obtain a certificate file and private key file in any way you like and install them on the ACS (the certificate file
must be base-64 encoded)
• Have a certificate, including its private key, in storage (local machine store) and specify the name
In the Validation Lab, the second method was used. A Web browser on the ACS was used to obtain a server certificate
from the private Microsoft root certification authority server. The obtained server certificate was installed onto the
local machine store of the ACS.
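The first method above requires the certificate file to be base-64 encoded. The following check is an added example, not part of the original document or of ACS: it tells a base-64 certificate file from a binary DER one before installation. It assumes "base-64 encoded" means the usual BEGIN/END CERTIFICATE armor; the function names and sample bytes are constructed for illustration, and only the encoding is checked, not the certificate contents or the private key.

```python
import base64
import binascii
import re

# Assumption: a base-64 certificate file carries the standard armor lines.
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)

def der_sequence_ok(der: bytes) -> bool:
    """True if the bytes are exactly one ASN.1 SEQUENCE with a consistent length."""
    if len(der) < 2 or der[0] != 0x30:        # 0x30 = SEQUENCE tag
        return False
    first = der[1]
    if first < 0x80:                          # short-form length
        header, length = 2, first
    else:                                     # long-form length
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False                      # indefinite or oversized length
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return len(der) == header + length

def classify_cert_file(data: bytes) -> str:
    """Return 'base64', 'base64-corrupt', 'der-binary' or 'unknown'."""
    match = PEM_RE.search(data)
    if match:
        body = b"".join(match.group(1).split())   # drop line breaks
        try:
            der = base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            return "base64-corrupt"
        return "base64" if der_sequence_ok(der) else "base64-corrupt"
    return "der-binary" if der_sequence_ok(data) else "unknown"

def to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in base-64 armor with 64-character lines."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines)
            + b"\n-----END CERTIFICATE-----\n")

# Constructed sample: a minimal DER SEQUENCE, not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020105")

if __name__ == "__main__":
    print(classify_cert_file(SAMPLE_DER))          # binary file: convert first
    print(classify_cert_file(to_pem(SAMPLE_DER)))  # base-64 file
```

A file reported as `der-binary` needs to be re-exported or converted to base-64 before it is installed by the first method.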