Cisco 2509 - Router - EN User Manual page 345

Chapter 8
Establishing Cisco Secure ACS System Configuration
Cisco Secure ACS Certificate Setup

You trust the passport because you trust the preparation and identity checking that the particular country's passport office made when creating that passport. You trust digital certificates by installing the root certificate CA signature.

If Cisco Secure ACS receives traffic from a wireless AP that has the wrong shared secret, the error message logged in to the failed attempts log reads "EAP request has invalid signature." Three conditions that might cause this to occur are the following:

- The wrong signature is being used
- A RADIUS packet was corrupted in transit
- Cisco Secure ACS is being attacked

After EAP-TLS authentication successfully concludes, Cisco Secure ACS must verify that the claimed identity (presented in the EAP Identity response) corresponds to the certificate presented by the user. Cisco Secure ACS can accomplish this verification in two ways:

- Certificate Name Comparison—Based on the name in the certificate.
- Certificate Binary Comparison—Between the user certificate stored in the user object in the LDAP server or Active Directory and the certificate presented by the user during EAP-TLS authentication.

Note: If you use certificate binary comparison, the user certificate must be stored in Active Directory or an LDAP server, using a binary format. Also, the attribute storing the certificate must be named "usercertificate".

When you set up EAP-TLS, you can select the criterion (one or both) that Cisco Secure ACS uses. For more information, see Configuring Authentication Options, page 8-81.

User Guide for Cisco Secure ACS for Windows Server, 78-14696-01, Version 3.1, page 8-71
