Specifications

Cisco Systems, Inc.

Page 23 of 42

6.2.2 System Conﬁguration Parameters on ACS

After obtaining the ACS server certiﬁcate from the enterprise root certiﬁcation authority server, the following steps

were used to conﬁgure the ACS for EAP-TLS (and LEAP) authentication:

1. On the ACS menu, choose System Conﬁguration >> ACS Certiﬁcate Setup.

2. Under ACS Certiﬁcate Setup, choose “Use existing certiﬁcate” and then the “Specify certiﬁcate from storage”

option. Specify the name of the ACS certiﬁcate obtained from the certiﬁcation authority server (in our example,

“ACS-TMELAB” was speciﬁed in Section 6.2.1). Click Submit.

3. On the ACS menu, choose System Conﬁguration >> “Certiﬁcation Authority Setup.” Click “Edit certiﬁcate trust

list” and select the name(s) of the certiﬁcation authority server(s) that were used to issue certiﬁcates to the ACS

device(s) and EAP-TLS clients.

Note:

The certiﬁcate trust list (CTL) has to be used when the root certiﬁcation authority (ex: Root_CA_A) that

issued the ACS certiﬁcate and the rootcertiﬁcation authority that issuedthe client(s) certiﬁcate (Root_CA_B) are not

the same. In this scenario, Root_CA_B has to be added to the ACS trust list. To do this, add the certiﬁcate of

Root_CA_B to the ACS CTL. By default, ACS trusts certiﬁcates that were issued from the same root certiﬁcation

authority that issues its certiﬁcate. In our example (in the Validation Lab), we used the same root certiﬁcation

authority to obtain the ACS and client certiﬁcates; thus, the ACS will automatically trust the client certiﬁcates and

you do not need to edit the CTL.

4. Choose the ACS menu and choose System Conﬁguration >> Global Authentication Setup. Select the “Allow

EAP-TLS ...” option and click the “Submit+Restart” button.

The following ﬁgures illustrate the above steps needed to conﬁgure the ACS for EAP-TLS:

Figure 6-6 shows the System Conﬁguration menu options for EAP-TLS setup on the ACS.