Cisco Systems CSACS3415K9 Manual De Usuario
8-76
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 8 Managing Users and Identity Stores
Configuring Certificate Authentication Profiles
When ACS processes a certificate-based request for authentication, one of two things happens: the
username from the certificate is compared to the username in ACS that is processing the request, or ACS
uses the information that is defined in the selected LDAP or AD identity store to validate the certificate
information.
username from the certificate is compared to the username in ACS that is processing the request, or ACS
uses the information that is defined in the selected LDAP or AD identity store to validate the certificate
information.
You can duplicate a certificate authentication profile to create a new profile that is the same, or similar
to, an existing certificate authentication profile. After duplication is complete, you access each profile
(original and duplicated) separately, to edit or delete them.
to, an existing certificate authentication profile. After duplication is complete, you access each profile
(original and duplicated) separately, to edit or delete them.
ACS 5.4 now supports certificate name constraint extension. It accepts the client certificates whose
issuers contain the name constraint extension. It checks the client certificates for CA and sub-CA
certificates. This extension defines a name space for all subject names in the subsequent certificates in
a certificate path. It applies to both the subject distinguished name and the subject alternative name.
These restrictions are applicable only when the specified name form is present in the client certificate.
The ACS authentication fails if the client certificate is excluded or not permitted by the namespace.
issuers contain the name constraint extension. It checks the client certificates for CA and sub-CA
certificates. This extension defines a name space for all subject names in the subsequent certificates in
a certificate path. It applies to both the subject distinguished name and the subject alternative name.
These restrictions are applicable only when the specified name form is present in the client certificate.
The ACS authentication fails if the client certificate is excluded or not permitted by the namespace.
Supported Name Constraints:
•
Directory name
•
DNS
•
Email
•
URL
Unsupported Name Constraints:
•
IP address
•
Other name
To create, duplicate, or edit a certificate authentication profile, complete the following steps:
Step 1
Select Users and Identity Stores > Certificate Authentication Profile.
The Certificate Authentication Profile page appears.
Step 2
Do one of the following:
•
Click Create.
•
Check the check box next to the certificate authentication profile that you want to duplicate, then
click Duplicate.
click Duplicate.
•
Click the certificate authentication profile that you want to modify, or check the check box next to
the name and click Edit.
the name and click Edit.
The Certificate Authentication Profile Properties page appears.
Step 3
Complete the fields in the Certificate Authentication Profile Properties page as described in
Table 8-24
Certificate Authentication Profile Properties Page
Option
Description
General
Name
Enter the name of the certificate authentication profile.
Description
Enter a description of the certificate authentication profile.
Certificate Definition