ACS Server certificate export
Hello,
We are in the process of renewing a certificate for our ACS server (v3.2). Is there a way to export the certificate currently in use?
We don't want to lose it if we install a certificate that does not work. We are also exploring using a self-signed certificate, but we're not sure if that will meet our needs.
Thanks!
Thanks for the info... Unfortunately, we tried the self-signed certificate, but clients couldn't connect to our wireless network (we use it to authenticate wireless users). We then tried to do a restore from a backup taken earlier this morning and it's still trying to restore, as if something is hung and won't shut down.
This is ACS 3.2 running on a Windows 2003 server.
Similar Messages
-
Not able to install or generate acs server certificate
Hi,
I have one test set-up with one layer 3 switch and one autonomous AP 1131. I have configured one SSID without any authentication, and it was not able to connect successfully.
But now I want to try enabling WPA2 Enterprise (actually, after checking with the test set-up, I am going to implement it in the live set-up where I have to configure WPA2 Enterprise, so I would like to test WPA2 Enterprise, not WPA2 Personal).
I have ACS server 3.0 trial version installed on Windows Server 2000, and on the AP 1131 I have configured the RADIUS server commands (aaa new-model and radius-server host ... ip address ... key ... shared secret ... password ...).
I am confused about the certificate which is required to be installed on the ACS server, but I am not able to generate the certificate, nor able to get the certificate from anywhere in the ACS server options.
How do I generate an ACS server certificate in trial version 3.0, and after generating it, how do I install it on the ACS server? And what about the client... will it be the same certificate that I need to install on the client PCs? If yes, how do I add it to the client PCs, and if not, where will I get the client certificate?
If I buy the ACS software, which will be installed on the Windows platform, I will get two certificates... what about the ACS trial version software... will I be able to get a certificate?
I am trying to refer to so many documents, but they could not help me.
Your help will be appreciated.
Looking for proper information.
Hi,
Thanks for your response...
Obviously, this ACS 3.0 is end of support, but when I tried to install ACS 4.0 or later, I am not getting an error saying "basic platform should be installed first, that is ACS 3.0".
That is the reason I have gone for this edition.
Should I go for upgrading ACS 3.0 to 4.1 or a later version?
If so, will it be possible on the trial version?
Please give me your suggestion.
-
Export User-Database between ACS-Server
Hi everyone ,
An ACS 2.3 is running under Unix with 3000 users. The job is to migrate the user database to a new ACS server under Windows.
On the Unix version 2.3 there is no way to export the database externally.
The only way, I hope, is to mirror the old and the new server as redundant servers, and once the database is mirrored on both servers, the database is ready for export.
Is this correct?
Is there another way?
Thanks for your input.
Ralf
The migration should go to version 3.1 or 3.2.
Ralf
-
Installing certificate on ACS Server
I want to install the certificate on the ACS server. I have taken the option to generate a certificate signing request and configured all parameters like Install ACS Certificate, Authority Setup and Trust List. The certificate has been generated and installed on the machine. But when I try to log in to the system it is working normally with HTTP only. How can I change it to HTTPS? Please, anyone, help me.
Hi,
To Enable HTTPS for ACS :
Go to Administration Control -- Access Policy -- SSL Setup -- Use HTTPS Transport
To Create & Install a Server Certificate:
System Configuration -- ACS Certificate Setup -- Generate Self Signed Certificate -- Fill in the details -- Select- Install Generated Certificate
Restart ACS Services under Service Control
When you try to log into the ACS you would get a warning -- Select Yes
Tnx,
somishra
-
SSL VPN Failed to validate server certificate (cannot access https)
Hi all,
I have the following problem.
I've configured an SSL VPN on a UC520.
I can access it properly and I can see the labels, but I can only access URLs which are HTTP, not HTTPS:
I can access the default IP of the UC520 (192.168.1.10), but
when I try to access a secure URL I get the message: Failed to validate server certificate
I'm trying to access a Cisco Digital Media Manager, whose URL is https://pc.sumkio.local:8080
Does the certificate of both pieces of hardware have to be the same?
How can I add an HTTPS one?
Here is the config of the router:
webvpn gateway SDM_WEBVPN_GATEWAY_1
ip address 192.168.1.254 port 443
ssl trustpoint TP-self-signed-2977472073
inservice
webvpn context SDM_WEBVPN_CONTEXT_1
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
url-list "Intranet"
heading "Corporate Intranet"
url-text "DMM Sumkio" url-value "http://pc.sumkio.local:8080"
url-text "Impresora" url-value "http://192.168.10.100"
url-text "DMM" url-value "https://pc.sumkio.local:8443"
url-text "DMM 1" url-value "http://192.168.10.10:8080"
url-text "UC520" url-value "http://192.168.10.1"
policy group SDM_WEBVPN_POLICY_1
url-list "Intranet"
mask-urls
svc dns-server primary 192.168.10.250
svc dns-server secondary 8.8.8.8
default-group-policy SDM_WEBVPN_POLICY_1
aaa authentication list sdm_vpn_xauth_ml_1
gateway SDM_WEBVPN_GATEWAY_1
max-users 10
inservice
Any help would be appreciated.
Thank you
Hi, thanks for your advice.
I'm trying to copy the certificate via cut and paste, but I'm getting a
% Error in saving certificate: status = FAIL
I don't know if I'm doing this right.
I open the https page from the DMM with Mozilla Firefox, and in options I export the certificate in PEM format.
I get a file which, if I open it with Notepad, looks like
-----BEGIN CERTIFICATE-----
MIICOzCCAaSgAwIBAgIET7EwyzANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQGEwJV
KoZIhvcNAQEFBQADgYEAdk7n+tJi0igrTD2o7RD9ty8MLTyHN4uk8km+7DbpEy0g
mxLY0UZswYvbj15kPdd8QbeGEdDR6SXOYePsfIRJzL0mqMON4oiUhsqAK5y2yC6R
nqy4wWQ2fGVEYAeLpb1jGKdZWpuag/CO90NMHcMiobfBh+4eTqm7kRPTEyma6V0=
-----END CERTIFICATE-----
If I try to authenticate the trustpoint, I get that error.
How can I export the certificate from the DMM?
I think that this file is not the right file.
And then, do I have to make some changes in
webvpn gateway SDM_WEBVPN_GATEWAY_1?
Should I choose the new trustpoint?
I understand that the old trustpoint is for the outside connection, not for the LAN connection.
Don't worry about me, answer when you can, but I really need to fix this.
Thank you so much
-
Wired 802.1x EAP-TLS Server Certificate Problem
I have set up wired 802.1x authentication using EAP-TLS with ACS 3.3 and a backend link to Active Directory. Root CA certificates are installed on the ACS and the client PC. Machine certificates and user certificates are also installed on the client PC. A server certificate is installed on the ACS. All has been configured as detailed on the Cisco web site (numerous documents).
If I set the client to authenticate the server's certificate I get a failure. The client's log (Cisco Secure Services Client) states:
11:48:53.088 Validating the server.
11:48:53.088 Server list is empty, trusted server can not be validated.
11:48:53.088 Server list is empty, trusted server can not be validated.
11:48:53.088 The server certificate is invalid, the common name ACS-One.rotherham.gov.uk does not match.
11:48:54.776 Port state transition to AC_PORT_STATE_UNAUTHENTICATED(AC_PORT_STATUS_ERR_SERVER_TLS_CERTIFICATE_REJECTED)
11:48:54.776 The authentication process has failed.
If I look at the Auth log on ACS (set to full logging), it states:
AUTH 08/27/2008 14:09:04 I 0701 1492 AuthenProcessResponse: process response for 'paul.kyte@domain' against Windows NT/2000
AUTH 08/27/2008 14:09:04 E 0350 1492 EAP: TLS: ProcessResponse: SSL handshake failed, status = 3 (SSL alert fatal:bad certificate)
If I configure the client not to check the server's certificate, it all works OK.
Can anyone tell me why my server certificate is getting rejected?
Thanks,
Paul
If Cisco Secure ACS runs on a member server and any user is to be authenticated using EAP-TLS, you must complete additional configuration in Active Directory of the domain containing Cisco Secure ACS. The username that you configured to run all Cisco Secure ACS services must also have permission to read user properties in Active Directory, else EAP-TLS authentication fails.
-
Java ME SDK 3.0 server certificates problem
Hi, I'm having a problem using an HTTPS connection with the Java ME 3.0 emulator. We have a server certificate from Thawte, but I get
javax.microedition.pki.CertificateException: Certificate was issued by an unrecognized entity
when I try connecting to our server with the MIDlet. I have tried importing the server certificate as well as the Thawte root certificates into the keystore in c:\Documents And Settings\<username>\javame-sdk\3.0\work\<id>\appdb\_main.ks and I see the certificates in the Certificate Manager in the emulator, but I still get the exception.
What am I supposed to do to get the emulator to accept the server certificate?
Answering myself, I got it working after I exported the Thawte server certificates from Control Panel -> Internet Options -> Content -> Certificates -> Trusted Root Certificate Authorities and then imported them into the ME keystores.
-
PEAP: Enforce that client must verify server certificate
Hi,
I have PEAP set up with a server certificate. The ACS server is used for RADIUS authentication and Cisco wireless access points of the 1240 series are used with WPA2/AES. In my setup, clients are working fine with or without server certificate verification. How could I enforce that the client verifies the server certificate, and otherwise the wireless is not authenticated?
Regards
You could do that with an Active Directory policy or something like that. There isn't anything on the AP or RADIUS server that can be done.
-
Is there a way to generate server certificates in a multi-controller environment?
Q: Is there a way to generate server certificates in a multi-controller environment?
A: 1. For PEAP, only the RADIUS server needs a certificate, not the controller. Managing a certificate for each controller for 802.1x when you can alternatively manage a single certificate for each RADIUS server is a mistake.
2. For Captive Portal, if you don't want your guest or company users to get an untrusted error every time they hit the captive portal, you will need a public certificate that all your users will trust. That could involve either (1) a different certificate for each controller with the subject being the FQDN of each controller, or (2) a single, identical certificate that has the SAN (Subject Alternative Name) filled out with the FQDN of each controller listed in the SAN field (https://www.digicert.com/subject-alternative-name.htm).
Here is an example of a cert with multiple FQDNs in the Subject Alternative Name field below:
Of course, you will have to pay for each SAN that you have added to the certificate. If you have an environment with a VRRP and that is the IP address the clients will be redirected to, you should make the SAN point to the VRRP.
A document on certificates that is specifically geared toward ClearPass, instead of controllers, is here: Certificates 101 V1.0. It speaks to certificates on ClearPass, but the concepts are the same...
Solution:
We can use the ClearPass server to generate the CSR, where the CN is named after the first controller and which includes all the Subject Alternative Names (SANs) for the other three controllers as well as the master controllers (in case of an N+1 failover). This allows us to save/export the private key as a file.
After submitting the CSR for a UCC and receiving the cert, proceed to chain the cert to include the server, all intermediate and root CAs. Then copy the chained cert as well as the private key file to a MacBook so that we can use OpenSSL to create a PFX-formatted cert as follows:
sudo openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.pem
Once this has generated a PFX cert, upload it to all controllers and use it under Configuration > Management > General for both "WebUI Management Authentication Method" and "Captive Portal Certificate" (even though the ClearPass Guest captive portal is using a different cert for the captive portal page itself).
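Added example, not code from this thread or from Aruba/Cisco: how a client compares the names in a server certificate with the server name it expects. It is the check behind the EAP-TLS log earlier on this page ("Server list is empty..." and "the common name ... does not match") and the reason one certificate carrying every controller FQDN, or the VRRP name, in the SAN satisfies every redirect. Hostnames, class and function names are constructed for the example.

```python
"""Server-name validation as an 802.1X supplicant or TLS client performs it.

Added example; not code from any post above. Models the log lines
"Server list is empty, trusted server can not be validated" and
"the common name ... does not match", and shows why a certificate listing
every controller FQDN (or the VRRP name) in subjectAltName passes where a
single CN cannot. All names below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ServerCertIdentity:
    """Name fields a client extracts from the server certificate."""
    common_name: Optional[str]
    san_dns_names: List[str] = field(default_factory=list)


def _normalize(name: str) -> str:
    # DNS names compare case-insensitively and a trailing dot is insignificant.
    return name.lower().rstrip(".")


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName or CN pattern against an expected hostname.

    Per RFC 6125 section 6.4.3, '*' is accepted only as the whole left-most
    label and matches exactly one label; like browsers, we also require two
    literal labels to its right ('*.example.test' is usable, '*.test' is not).
    """
    pattern_labels = _normalize(pattern).split(".")
    host_labels = _normalize(hostname).split(".")
    if "" in pattern_labels or "" in host_labels:
        return False                       # empty label: malformed name
    if pattern_labels[0] == "*":
        if len(pattern_labels) < 3:
            return False
        return (len(host_labels) == len(pattern_labels)
                and pattern_labels[1:] == host_labels[1:])
    if any("*" in label for label in pattern_labels):
        return False                       # wildcard anywhere else is rejected
    return pattern_labels == host_labels


def names_presented(identity: ServerCertIdentity) -> List[str]:
    """Names the client may match against: if any dNSName SAN is present only
    those count; the CN is a fallback used solely when the SAN list is empty
    (RFC 6125 section 6.4.4)."""
    if identity.san_dns_names:
        return list(identity.san_dns_names)
    return [identity.common_name] if identity.common_name else []


def validate_server(identity: ServerCertIdentity,
                    trusted_servers: List[str]) -> Tuple[bool, str]:
    """Accept the server only if a presented name matches a trusted server name.

    Returns (accepted, reason). An empty trusted list is a client-side
    configuration gap, not a pass: there is nothing to validate against.
    """
    if not trusted_servers:
        return False, "Server list is empty, trusted server can not be validated."
    presented = names_presented(identity)
    for expected in trusted_servers:
        if any(dns_name_matches(name, expected) for name in presented):
            return True, f"server name {expected} matched"
    shown = identity.common_name or "(no CN)"
    return False, f"The server certificate is invalid, the common name {shown} does not match."


if __name__ == "__main__":
    # Constructed: a CN-only RADIUS server cert and one SAN cert that covers
    # three controllers plus the name clients are redirected to.
    radius_cert = ServerCertIdentity("acs-one.example.test")
    controller_cert = ServerCertIdentity("controller1.example.test",
        ["controller1.example.test", "controller2.example.test",
         "controller3.example.test", "captive.example.test"])
    print(validate_server(radius_cert, []))                               # empty list fails
    print(validate_server(radius_cert, ["acs-one.example.test"]))         # CN fallback passes
    print(validate_server(controller_cert, ["controller3.example.test"])) # SAN entry passes
    print(validate_server(controller_cert, ["controller4.example.test"])) # not listed: rejected
```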
https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/Create-a-CSR-with-multiple-SANs
-
Sorry, I'm still confused here. What you are describing makes no sense for properly using TestStand.
Maybe I can help you find the right solution if I can understand your goal?
Do you want to dynamically populate the variables (Locals and FileGlobals) with values? Or do you want to dynamically create the variables from scratch (i.e. add subproperties to the sequence file) based on some file?
Generally what happens is people want an ASCII file (in your case I'm guessing CSV) such that they can change the values of variables so that when TS is executing it will load those values and use them. In this case NI recommends the Property Loader. There is an example for this in <TestStand>\Examples. Open the workspace and look for the PropertyLoader example. Also, if you google "property loader teststand" you will find various articles which may assist you.
When you say "define the variables for the sequence/sequence file", are you actually referring to manually right-clicking in the sequence file and selecting Insert Local? Or are you just saying that you change the value of a variable?
Thanks,
jigg
CTA, CLA
teststandhelp.com
~Will work for kudos and/or BBQ~
-
Migrating a server certificate
Hi,
I have a server instance running on a Sun ONE Web Server 6.1 installation. I would like to move this site, which includes a VeriSign server certificate, from my WS6.1 installation to my AS7 installation. It appears as though the trust database for WS6.1 is in a cert8.db file, whereas the trust database for AS7 is a cert7.db file.
Is there an easy way to export this certificate from the cert8.db and import it into the cert7.db?
Thanks,
Bill
In case anyone else needs to do this, I've figured it out.
1. On the old server, put the appropriate certificate utilities in your PATH:
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/sunone61/bin/https/lib
PATH=$PATH:/opt/sunone61/bin/https/admin/bin
2. Export the certificate in PKCS#12 format:
pk12util -d /opt/sunone61/alias -o mydomain.p12 \
-n 'Server-Cert' -P https-www.mydomain.com-xxx-
This will save your certificate in a file named mydomain.p12. Note that the "xxx" will reflect the name of your admin server.
3. On the new server, change into the new server instance's config directory. Copy the .p12 file created in the previous step into this directory, then run the following command to import it into the CA500 slot:
pk12util -i mydomain.p12 -d . -h 'nobody@mydomain'
This assumes that you have already created the "mydomain" realm in the CA500.
Good luck!
Bill
-
AnyConnect 3.1 - removing Security Warning: Untrusted VPN Server Certificate!
Hi guys,
Is there a way to disable the warning generated from using self signed certs?
I would like to make the process as seamless as possible.
AnyConnect 3.1
ASA 8.4(2)
Thanks.
Hi,
We had a problem with the above error message with our certificate when we moved to AnyConnect 3.1.
We were instructed to request a new one.
Also, here is the link to the Cisco site we were provided that explains the changes in 3.1:
IPSec and SSL connections require server certificates to contain Key Usage attributes of Digital Signature and Key Encipherment, as well as an Enhanced Key Usage attribute of Server Authentication or IKE Intermediate. Note that IPSec server certificates not containing a Key Usage are considered invalid for all Key Usages, and similarly an IPSec server certificate not containing an Enhanced Key Usage is considered invalid for all Enhanced Key Usages.
Link to document
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html#wp1049936
Sadly I don't dabble with certificates myself, so I'm not really familiar with this.
- Jouni
-
How to add a certificate to IIS global "Server Certificates" list using PowerShell?
Hi, I've been surfing the web for an example of how to add a certificate to the "global" IIS "Server Certificates" list using PowerShell, but with no luck. I already have code in place for how to tie / associate a specific website with a specific cert, but not for how to add the new .cer file using the "Complete Certificate Request..." wizard using PowerShell... I don't expect the final code to be published, but if someone had an idea on how to integrate / get an entry point on where to interact between the "Server Certificates" list in IIS and POSH I would be super happy! :|
I am running IIS on Windows 2008 R2 x64 Standard Edition if that helps... of course, I would settle for a CLI if there is no other way, but POSH is of course the way to go! :)
Thanks for the help in advance guys, take care!
br4tt3
Hi and thanks for the suggestions!
Although it comes close, the suggested code example shows how to import / incorporate .pfx files; I am getting fed .cer files which I need to add into the IIS console using POSH.
I tried to explore the IIS.CertObj object but was not able to work out if this one could be used for importing / adding .cer files into IIS. However, launching the following command from a POSH console with Import-Module WebAdministration already loaded into that shell:
$certMgr = New-Object -ComObject IIS.CertObj
returns the following error message:
New-Object : Cannot load COM type IIS.CertObj
From an IIS perspective I have the following components installed:
[X] Web Server (IIS) Web-Server
[X] Web Server Web-WebServer
[ ] Common HTTP Features Web-Common-Http
[ ] Static Content Web-Static-Content
[ ] Default Document Web-Default-Doc
[ ] Directory Browsing Web-Dir-Browsing
[ ] HTTP Errors Web-Http-Errors
[ ] HTTP Redirection Web-Http-Redirect
[ ] WebDAV Publishing Web-DAV-Publishing
[X] Application Development Web-App-Dev
[ ] ASP.NET Web-Asp-Net
[X] .NET Extensibility Web-Net-Ext
[ ] ASP Web-ASP
[ ] CGI Web-CGI
[ ] ISAPI Extensions Web-ISAPI-Ext
[ ] ISAPI Filters Web-ISAPI-Filter
[ ] Server Side Includes Web-Includes
[ ] Health and Diagnostics Web-Health
[ ] HTTP Logging Web-Http-Logging
[ ] Logging Tools Web-Log-Libraries
[ ] Request Monitor Web-Request-Monitor
[ ] Tracing Web-Http-Tracing
[ ] Custom Logging Web-Custom-Logging
[ ] ODBC Logging Web-ODBC-Logging
[X] Security Web-Security
[ ] Basic Authentication Web-Basic-Auth
[ ] Windows Authentication Web-Windows-Auth
[ ] Digest Authentication Web-Digest-Auth
[ ] Client Certificate Mapping Authentic... Web-Client-Auth
[ ] IIS Client Certificate Mapping Authe... Web-Cert-Auth
[ ] URL Authorization Web-Url-Auth
[X] Request Filtering Web-Filtering
[ ] IP and Domain Restrictions Web-IP-Security
[ ] Performance Web-Performance
[ ] Static Content Compression Web-Stat-Compression
[ ] Dynamic Content Compression Web-Dyn-Compression
[X] Management Tools Web-Mgmt-Tools
[X] IIS Management Console Web-Mgmt-Console
[X] IIS Management Scripts and Tools Web-Scripting-Tools
[ ] Management Service Web-Mgmt-Service
[ ] IIS 6 Management Compatibility Web-Mgmt-Compat
[ ] IIS 6 Metabase Compatibility Web-Metabase
[ ] IIS 6 WMI Compatibility Web-WMI
[ ] IIS 6 Scripting Tools Web-Lgcy-Scripting
[ ] IIS 6 Management Console Web-Lgcy-Mgmt-Console
[X] FTP Server Web-Ftp-Server
[X] FTP Service Web-Ftp-Service
[X] FTP Extensibility Web-Ftp-Ext
[ ] IIS Hostable Web Core Web-WHC
More or less the one thing that I am trying to get up and running is an automated FTPS solution; I just use the IIS console to be able to troubleshoot / compare how things scripted from POSH show up in the MMC representation. The error I am getting might be because I am lacking some IIS components that need to be in place to be able to automate some parts of IIS, as suggested by the IIS.CertObj object listed in the example... I will get back if I can track down which component needs to be added to be able to reference the IIS.CertObj object.
Br4tt3 signing out...
br4tt3
-
How do I create a default account with an ACS Server
Has anyone seen this? I have an ACS Solution Engine appliance with several devices using it for authentication and accounting. It all seems to work great.
When I add a new device (router or switch), I noticed that it will let me log in via the ACS-based authentication even before I set up the AAA client account for this device in the ACS appliance. I do have the TACACS key and all the appropriate information on the router or switch, but I don't have an entry for it in the ACS appliance yet. This has puzzled me. Where is this default account set up? I have another ACS server (Windows based); it seems to have a completely different behavior when it encounters an unconfigured AAA client compared to the ACS appliance. Can anyone tell me how to configure the ACS server to do the same, and where these configuration options exist?
This really concerns me from a security perspective.
Hmm, ACS should not (by default) accept traffic from any old device.
Could it be you have a wild-card IP address in your ACS network config somewhere that accidentally includes the new device?
Or possibly a DNS name (instead of an IP Addr) that resolves to the address of the new device?
Try changing the shared secret in the device - you should find you get errors in the Failed Attempts Log.
Also check the Passed Authentications report, as this includes the ACS network config device name in the Access-Device column.
-
How can I make Firefox trust a Server Certificate by Default?
I'm trying to distribute Firefox via Empirum. All settings are made using the CCK-Wizard Addon.
When I import our certificates in CCK-Wizard, I can make trust settings for CAs, but not for server certificates, and so the SC isn't trusted by default.
Is there any way to make the trust settings for SCs in the install package, maybe through an option in about:config (didn't find any, but maybe somebody knows more than Google :P)?
I tried to do it like PRF_1 suggested here https://support.mozilla.org/de/questions/687296#answer-112220 but in the last step I got an Error 1: C compiler cannot create executables.
Regards,
Bowser
Hello,
'''Try Firefox Safe Mode''' to see if the problem goes away. Safe Mode is a troubleshooting mode, which disables most add-ons.
''(If you're not using it, switch to the Default theme.)''
* On Windows you can open Firefox 4.0+ in Safe Mode by holding the '''Shift''' key when you open the Firefox desktop or Start menu shortcut.
* On Mac you can open Firefox 4.0+ in Safe Mode by holding the '''option''' key while starting Firefox.
* On Linux you can open Firefox 4.0+ in Safe Mode by quitting Firefox and then going to your Terminal and running: firefox -safe-mode (you may need to specify the Firefox installation path e.g. /usr/lib/firefox)
* Or open the Help menu and click on the '''Restart with Add-ons Disabled...''' menu item while Firefox is running.
''Once you get the pop-up, just select "'Start in Safe Mode"''
'''''If the issue is not present in Firefox Safe Mode''''', your problem is probably caused by an extension, and you need to figure out which one. Please follow the [[Troubleshooting extensions and themes]] article for that.
''To exit the Firefox Safe Mode, just close Firefox and wait a few seconds before opening Firefox for normal use again.''
''When you figure out what's causing your issues, please let us know. It might help other users who have the same problem.''
Thank you.
-
How to enable read-only access for the ACS server itself
Hi,
We would like to know whether it's possible to create read-only access to the ACS server. Currently the ACS server has a generic login with full admin rights.
We need to create a login for a couple of users to log into ACS to check the "Report and Activity" tab. Access to all other tabs should be disabled.
We are using ACS 4.0. Please let me know whether it's possible.
Thanks
Nachi
Hi alexchy8,
We can make use of 2 PowerShell commands to achieve this goal.
Add-MailboxPermission and Add-MailboxFolderPermission.
Execute the Add-MailboxPermission command to delegate the read permission at mailbox level.
Execute the Add-MailboxFolderPermission command to delegate the required permissions on specific folders inside the mailbox.
You can read the following article as reference:
http://www.exchangedictionary.com/articles/assign-read-only-mailbox-permission-on-exchange-2010-2013-powershell
Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
Best Regards.