Getting XP Clients to trust ACS self-signed cert

Hi,
I'm implementing ACS 4.0 to provide PEAP security on a customer's WLAN. I'd like to use the self-signed certificate feature within ACS, because it's easy to use and I don't want to 'play' with the customer's servers to install a CA unless I really have to (deniability!!).
My question is, how do I get the XP clients to trust the certificate installed on the ACS when the 'Authenticate Server' option is enabled on the PEAP client?
Due to the range of client adapters on the network, the only common factor being that they all run XP SP2, I plan to use the 'Wireless Zero Configuration' option on those clients.
I presume I have to tick the relevant CA box on the client trust list, but how do I get the cert to appear in that trust list?
Regards all,
Dan

Thanks for your reply,
I need to validate the server certificate to strengthen against man-in-the-middle attacks, but I'm struggling to figure out how to trust the SSC from the ACS.
There must be a way of adding that CA to the clients' certificate trust list?
This network will be the subject of a pen test when it's finished and I need to make it as secure as possible.
I know EAP-TLS is stronger, but certificates on all the clients are too cumbersome to manage (customer's point of view).
At least using this method (if implemented properly), the customer only has to maintain the server cert every year.
Regards,
Dan

Similar Messages

  • ACS self-signed certificates - renewals?

    We are using the ACS self-signed certs - good for 1 year. We are using PEAP and when configuring the wireless users, we disable the option to "prompt user to authorize new servers or trusted cert authorities."
    Is there a way to renew the cert (or generate a new cert) and not require a physical visit to the computer to redo the wireless setup?
    Perhaps a way to generate a new cert that is named the same as the existing cert? Maybe then I could push out the cert via a GPO.
    Thanks for any help....our cert will be expiring in a month (or so) and we are trying to figure out a game plan that doesn't involve touching every computer.

    Hi,
    The kind of certificate is a regular server certificate.
    You could use a Windows 2003 server as a CA; it is a lot cheaper to get one of those, and you can make the certificate valid for as many years as you want.
    Please see the link below that explains how certificates need to be requested and how to use Windows 2003 as a CA.
    http://tinyurl.com/9hq4r
    If you decide to use another CA you will need the following instructions:
    Step 1: Create a Certificate Signing Request
    Complete these steps:
    1. Choose System Configuration > ACS Certificate Setup > Generate Certificate Signing Request.
    2. Enter a name in the Certificate subject field with the cn=name format.
    3. Enter a name for the private key file.
       Note: The path to the private key is cached in this field. If you press Submit a second time after the CSR is created, the private key is overwritten and does not match the original CSR. This results in a 'private key does not match' error message when you attempt to install the server certificate.
    4. Enter the private key password and confirm it.
    5. Choose a key length of 1024.
       Note: While Cisco Secure ACS can generate key sizes greater than 1024, the use of a key larger than 1024 does not work with PEAP. Authentication might appear to pass in Cisco Secure ACS, but the client hangs while authentication is attempted.
    6. Click Submit.
    7. Copy the CSR output on the right-hand side for submittal to the CA.
    Once this has been created you send it to the CA and they know what to do.
    If you need any assistance let me know.
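    The original question (getting the XP clients to trust the ACS self-signed cert) and the renewal question above come down to the same operation: the self-signed server certificate has to sit in the client's Trusted Root Certification Authorities store before a supplicant with server validation enabled will accept it, and a renewed self-signed cert is a new certificate (new thumbprint) even when the subject name is unchanged, so it must be added alongside the old one before the old one expires. The following is an added example, not code from this thread or from Cisco; it assumes a Windows client with PowerShell, the ACS certificate exported to C:\certs\acs.cer, and that the supplicant consults the LocalMachine Root store (path and name are placeholders).

```powershell
# Added example (not from the thread). Assumed: a Windows client with
# PowerShell, the ACS cert exported as C:\certs\acs.cer (placeholder), and a
# supplicant that reads its trust anchors from the LocalMachine Root store.

function Import-TrustedRoot {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $StoreLocation = 'LocalMachine'
    )
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', $StoreLocation
    $store.Open('ReadWrite')
    try {
        # Match on thumbprint, not subject: a renewed self-signed cert with the
        # same CN is a different certificate and is added next to the old one.
        $present = $store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
        if (-not $present) { $store.Add($cert) }
    } finally {
        $store.Close()
    }
    $cert.Thumbprint
}

function Test-ServerCertChain {
    # Builds the chain the way the OS will when the supplicant validates the server.
    param([Parameter(Mandatory)] [string] $Path)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # A self-signed cert carries no CRL/OCSP pointer; revocation checking would only add noise.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Trusted    = $trusted
        Status     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

function Get-TrustedRootsBySubject {
    # Lists old and new roots side by side so the cut-over can be planned before expiry.
    param(
        [Parameter(Mandatory)] [string] $SubjectLike,
        [int] $WarnDays = 30
    )
    Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like $SubjectLike } |
        Select-Object Subject, Thumbprint, NotBefore, NotAfter,
            @{ n = 'ExpiresSoon'; e = { $_.NotAfter -lt (Get-Date).AddDays($WarnDays) } }
}

# Usage (run elevated):
# Test-ServerCertChain -Path C:\certs\acs.cer        # chain status before the import
# Import-TrustedRoot   -Path C:\certs\acs.cer
# Test-ServerCertChain -Path C:\certs\acs.cer        # chain status after the import
# Get-TrustedRootsBySubject -SubjectLike 'CN=acs*'   # old and new cert with NotAfter
```

    Run it on one client to confirm the chain builds; in a domain, distribute the same .cer to every computer through Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities, which is the GPO route the renewal question asks about. The store import is the prerequisite for the CA to appear in the PEAP profile's trust list; whether the new entry also has to be ticked in that list depends on the supplicant's profile, so check one client before the old cert expires.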

  • Import and trust a self-signed CA certificate from the Terminal

    Hello there,
    I have a problem: I would like to import and trust a self-signed CA (root) certificate from the Terminal into the System.keychain.
    My request is to create an installation script to install the Cisco AnyConnect VPN Client and the needed certificates.
    For the import I have used the following command:
        sudo security import certificate.cer -k "/Library/Keychains/System.keychain" -A
    The option "-A" says:
    Allow any application to access the imported key without warning (insecure, not recommended!) <- From the Mac Developer Library
    The command reported: 1 certificate imported ... but ... the certificate is not trusted.
    What do I need to do to set this certificate as trustworthy from the terminal?
    Thanks for your help and best regards
    Benjamin
    P.S. The command: sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "/private/tmp/certs/certname.cer" doesn't run, I get an error message. Found on http://derflounder.wordpress.com/2011/03/13/adding-new-trusted-root-certificates-to-system-keychain/

    Hello Linc Davis,
    thanks for your answer and sorry for my mistake; I had already changed the last argument, but for this discussion I had only copied this example.
    But your answer showed me the right way, big thanks.
    I had entered the following command (see the last argument):
        sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "~/Downloads/mycert.cer"
    ... and I get the following message:
        ***Error reading file ~/Downloads/mycert.cer
        Error reading file ~/Downloads/mycert.cer
    Today I changed the last argument to:
        /Users/User/Downloads/mycert.cer
    and it ran.
    Many thanks!
    Benjamin

  • Old clients won't switch from Self-Signed Certs to PKI.

    Greetings.
    I am wondering if anyone can give me advice on a problem I am having with some of my SCCM clients.
    When I originally deployed SCCM I used self-signed certs on clients.
    We needed to add Mac and Linux support, and Mac clients won't work without PKI, so I followed this http://technet.microsoft.com/en-us/library/gg682023.aspx to configure a Certificate Authority.
    It all seemed to work well; I can now join Mac clients with auto-enroll, all machines are requesting client certificates, and I had a couple of machines with a new push on the Windows side installed with PKI.
    So right now I have about 250 Windows clients, only 22 of them use PKI and the rest keep using self-signed certs.
    I foolishly switched main site settings, MP settings and DP point settings to use HTTPS only.
    As a result I lost all self-signed clients and have a full log for mpcontrol saying that it's rejecting clients because their certificate cannot be validated.
    I logged in to a couple of those machines and in MMC I can see that it did enroll the machine with a valid client cert, but the Configuration Manager client itself still says that it's using the self-signed one.
    Am I missing a step that I need to do to make sure that all those clients switch to PKI?

    It is, but how can I redeploy them?
    I was under the impression auto push won't reinstall them. If I do a deployment, that seems to reuse the existing configuration and still use self-signed on old machines.
    How can I verify that it does push clients to machines that already have it correctly, and that they start using the new config and not reuse the old one?
    I even tried removing clients from a couple of machines to see if it gets pushed again on them with the proper config, and those machines don't seem to get the client, but used to get it fine before. I keep getting new machines being added to the domain and they get the client pushed to them, but anything that had the client with self-signed doesn't seem to be happy.

  • "I do not get any message or option to add exception" - Using Self signed cert -Images does not load

    We have two web servers, one for the app and another for loading images. Both are behind a Kemp load balancer and are using self-signed certs from the load balancer. The images do not load when using Firefox 3.x. They load with IE and Firefox 2.x. With Firefox 3.x it does not give a message to "add exception". I only get one certificate message to add an exception for the app server. I do not get the certificate message or pop-up for the imaging server with Firefox 3.x.
    This happened: Every time Firefox opened (Always)
    User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

    You have a lot of information packed into the "More system details..." (in the right-hand column), where it looks like you found a solution. If not, take a look at "Problematic Extensions": the AVG Free installation of their "AVG Free Search" can cause such problems. Directions to fix that are specific and involve reinstalling AVG Free without the Link Scanner component.
    * http://kb.mozillazine.org/Problematic_extensions

  • EAP-GTC & self signed certs

    I am looking at deploying EAP-GTC with a Novell LDAP directory and ACS 3.3.4. Could I use a self-signed cert with this or do I have to have a CA sign the cert? All clients will be Cisco Aironet cards.

    Hi,
    A self-signed certificate will be OK.
    Regards,
    Vivek

  • OWA using self signed cert

    I have a customer that just bought a BlackBerry, and I have other customers that use them via OWA for email. Those customers have a cert from VeriSign and use SSL for the OWA site. This latest customer uses SSL, however it is a self-signed cert. This isn't a problem for WM5 devices, since I can install the cert on them... but how will this affect this BlackBerry I want to put in place?
    My understanding is that the BlackBerry contacts my OWA, and then pushes the email it gets to the device.
    Not using SSL is not an option.
    Will the BlackBerry still connect to the OWA site even though the cert will show as untrusted for them?

    Regardless of whether the cert is trusted or not, when entering the server information ensure you are using the full https:// OWA address and it should work fine.

  • Removing Lync Self-Signed Cert from Personal Store

    Short story, the Lync client self-signed cert is creating an issue with our updated PKI infrastructure. In testing, when a user logs in with the new infra PKI chain the Lync client gives a certificate error. When the *usersup*.cer is deleted from the personal store, everything is fine. I've turned off the issuing of the client cert on the server side and running on AD authentication is fine. I need to automate the removal of 6K+ users' personal certs. Below is a PS script that does what I need to do, but the prompt has to be elevated, and elevating prompts for that many users poses an issue. If anyone has experience with this and has an alternative solution, please feel free to share.
    # Remove the Lync-issued client certs (issuer CN=Communications Server)
    # from the current user's Personal store
    $certs = Get-ChildItem cert:\CurrentUser\My | where { $_.Issuer -like 'CN=Communications Server' }
    foreach ($cert in $certs) {
        $store = Get-Item $cert.PSParentPath
        $store.Open('ReadWrite')
        $store.Remove($cert)
        $store.Close()
    }

    I think you can assign the appropriate permission to run the command, but I am not sure about the PowerShell. I would recommend you post the thread in the following forum:
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverpowershell
    Lisa Zheng
    TechNet Community Support

  • Replication Self-Signed cert issues

    I have a two-node clustered environment with a replica broker and a replica server for DR. Port 80 replications are taking place accurately. I have tried to follow the document below. I have the .cer file of the FQDN of the servers and the broker on each of the servers. Imported the .pfx with the RootCA file and the root is in trusted domains.
    The primary cluster lets me add the replica broker self-signed cert but the DR replica server gets the error. The FQDNs match on each and time zones match because they are on the same domain.
    Any help?

    Hi spsilos,
    "The primary cluster lets me add the replica broker self signed cert but the DR replica server gets the error. "
    Please try to export the self-signed root certs of the replica broker, then import them into "Trusted Root Certification Authorities" of the DR server.
    Please refer to following link:
    http://blogs.technet.com/b/virtualization/archive/2012/03/13/hyper-v-replica-certificate-requirements.aspx
    Best Regards
    Elton Ji

  • 2960G switch - I don't want the self signed cert

    I have a number of 2960s and just got a new one and have some time to play around, so I thought I'd take an extra few minutes to make a cert in my MS certificate server, which should be trusted by Windows domain computers; then I wouldn't get the annoying cert warning in my browser. I recently set up VeriSign certs on a couple of ASAs for AnyConnect so I thought it wouldn't be a big deal. I think I got all of the cert stuff set up correctly, but when I try to connect to the switch with a browser I still get the warning that it isn't from a trusted source - and - the switch keeps making self-signed certs even after I remove them. The ASA had an easy command to tell it to use a specific cert, but after looking through docs and using the "?" in all sorts of possible commands at the CLI, I am unable to figure this one out.
    Anyone have an answer or a doc for this?


  • SCCM 2012 Default self signed Cert expired...

    SCCM 2012 Default self signed Cert expired - how do I renew it?

    The default self-signed cert that gets generated with the installation can be found in Administration - Security - Certificates (this is SCCM 2012 RTM).
    Yes, I know this is an old post, but I'm trying to clean them up. Did you solve this problem? If so, what was the solution?
    I will bring this back to Kent's point: which one of the certs are you talking about? You can see from the screenshot that I have 6 certs, 3 DP and 3 Boot certs. You can also see that the 3 DP server certs have a 100-year life and the 3 Boot certs only have 1 year.
    If you are talking about the boot certs then just create the boot image.
    Garth Jones | My blogs: Enhansoft and Old Blog site | Twitter: @GarthMJ

  • How do I allow self-signed cert for SecureAMF on iOS?

    I have spent the better part of two days trying to figure out how the dickens to do this. 
    Basically, I am using BlazeDS (using AMF as the protocol) to communicate with a Java backend (using tomcat with a self-signed cert).
    This works great in the browser version of the application (you usually get a little prompt saying that the site is untrusted when you try to access the website, you install the certificate and Bob's your uncle.)
    However, adapting the code over to iOS I am discovering a couple of problems.  The primary one being that the BlazeDS communication fails miserably when we are using SecureAMF with the self-signed certs.  It appears that it is similar to this issue: http://forums.adobe.com/message/3940214#3940214
    How do I get my iOS Air app to communicate with a self-signed certificate running on tomcat?
    Here are the things I've tried:
    1) Installing the cert using iPhone Configuration Utility
    2) Browsing to the site in Safari, and installing the certificate manually
    This is for development, so buying a certificate doesn't really make sense.
    So, any suggestions?

    Has anybody had any success here?  This is a real problem for testing internal applications inside of a local network.

  • Self signed cert and AD root cert

    I have an organization running Exchange 2007; their self-signed cert expired so I created a new one, and their AD root certificate also expired so I regenerated this also. The problem is when clients log on a certificate error comes up. I then have to log onto the server and transfer both certificates to the client machines and install them manually, and I have to repeat this every time a user needs to access mail. Can anyone help with a resolution?
    This topic first appeared in the Spiceworks Community

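    For the Exchange 2007 post above (and the earlier BlackBerry/OWA question), the first thing to establish is what the client is actually handed in the TLS handshake and which part of the chain it rejects: an expired self-signed cert shows up as NotTimeValid, a cert whose issuer is missing from the client's Trusted Root store as UntrustedRoot, and a cert issued for a name other than the URL's host as a name mismatch. The following is an added example, not code from the thread or from Microsoft; it assumes a Windows client with PowerShell 3 or later and network reach to the OWA host, whose name (owa.example.local) is a placeholder.

```powershell
# Added example (not from the thread). Assumed: Windows PowerShell 3+ and a
# reachable OWA host; owa.example.local is a placeholder name.

function Get-TlsServerCertReport {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443
    )
    # Filled in by the validation callback. The callback returns $true on
    # purpose so the handshake completes and the offered chain can be read;
    # this function only inspects, it never sends application data.
    $report = [ordered]@{
        Host            = "${HostName}:$Port"
        Subject         = $null
        Issuer          = $null
        NotAfter        = $null
        Thumbprint      = $null
        SslPolicyErrors = $null   # None, RemoteCertificateNameMismatch, RemoteCertificateChainErrors, ...
        ChainStatus     = @()     # e.g. UntrustedRoot, NotTimeValid, PartialChain
        ChainSubjects   = @()     # leaf first, then issuers as the client saw them
    }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $report.SslPolicyErrors = $sslPolicyErrors
        $report.ChainStatus     = @($chain.ChainStatus   | ForEach-Object { $_.Status })
        $report.ChainSubjects   = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        return $true
    }.GetNewClosure()

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object -TypeName System.Net.Security.SslStream `
                          -ArgumentList @($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)   # SNI/name check uses the host we were asked for
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        $report.Subject    = $leaf.Subject
        $report.Issuer     = $leaf.Issuer
        $report.NotAfter   = $leaf.NotAfter
        $report.Thumbprint = $leaf.Thumbprint
        $ssl.Dispose()
    } finally {
        $client.Close()
    }
    [pscustomobject]$report
}

# Usage:
# Get-TlsServerCertReport -HostName owa.example.local | Format-List
```

    Read SslPolicyErrors first: RemoteCertificateNameMismatch means the cert's name does not match the URL and no amount of trust-store work will fix it; RemoteCertificateChainErrors sends you to ChainStatus, where UntrustedRoot means the self-signed cert (or the regenerated AD root) is not in the client's Trusted Root Certification Authorities store and NotTimeValid means the cert presented is still the expired one. Run it from a client that shows the error, not from the server, since the two have different trust stores.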

  • Self-Signed Cert being advertised on load-balance ip for ASA VPN cluster

    We recently saw an issue potentially related to CSCul61231 when a self-signed certificate was applied to the internal interface of the LAN (inside) connection. For some reason, the public (outside) cluster IP address started handing out the self-signed cert instead of the configured certificate. LAN interface certificates for either of the ASAs in the cluster were not affected - only the VIP. Even after removing the code, the issue still occurred until the cluster was broken. After re-connecting the cluster the issue did not come back. We are not using the 5500-X devices but instead 5550s. We do have 9.1(x) running - I think 9.1.2, but not confident.
    We were looking to add a self-signed static cert as best practice dictates - but if this is the issue we can't, and will have to replace our UC cert with one that contains the inside interfaces' DNS as well. Can anyone confirm this to be the case? Below is the exact line that caused the issue.
    ssl trust-point TrustPoint_X INSIDE vpnlb-ip
    ssl trust-point TrustPoint_X INSIDE
    Thanks in advance!

    Just wanted to follow up and confirm we have 9.1(5)12 running on the devices. A note in the bug report suggests a possible IPv6 address is associated in some way. I want to also point out the devices have only IPv4 addresses assigned.
    Anyone that can confirm this functionality would be greatly appreciated.
    Thanks!

  • Applet signed w/ self-signed cert - different behaviors w different servers

    Folks,
    I'd really appreciate your help with the following.
    I'd like to deploy an applet as a signed jar. Probably at least in the beginning, and maybe indefinitely, I'd like to sign it with a self-signed cert. When I've tested this under Linux, loading the applet in a browser running on my desktop, from an apache2 webserver also running on the desktop, I get the expected behavior - I get a security dialog reporting that the applet was signed by an unrecognized CA, but allowing me to accept the applet's signature. However, when I try loading the applet from my server (i.e, browser still running on my desktop, but now loading the applet from the real webserver, which is also apache2), I don't get a security dialog, and the applet fails silently.
    Is there some way of configuring the webserver so that the security dialog is presented for a self-signed applet? What explains this difference?
    Thanks much,
    Matthew Fleming
    DermVision, LLC

    Double post; the answer has been given and ignored:
    http://forum.java.sun.com/thread.jspa?threadID=569012&messageID=2812525#2812525
