802.1X ACS Self Signed External Windows DB

Can I configure the ACS server with Self Signed and integrate it into a Windows database?
The users will be authenticated with 802.1X configured in a WLAN on a WLC4400.

Thanks Sthephen,
I have configured this in the ACS:
1. The ACS server is member server, for example LAB.
2. In External User Database / Windows Database / Configure / In the configure domain list I select the domain called LAB.
3. System Configuration/ACS Certificate Setup/Generate Self-Signed. I enter all parameters required and the certificate is created.
4. The certificate is installed in the wireless client and the wireless profile is configured selecting the certificate. In the Windows profile of the wireless connection, I uncheck "Automatically use my Windows logon name and password"; this option is disabled to use the local database of the ACS.
Is the only configuration necessary for the integration of the ACS server with the Windows domain that the server is a member of the Windows domain and that the domain is selected in the domain list in the ACS? And checking the option "Automatically use my Windows logon name and password"?

Similar Messages

  • ACS self-signed certificates - renewals?

    We are using the ACS self-signed certs - good for 1 year. We are using PEAP and when configuring the wireless users, we disable the option to "prompt user to authorize new servers or trusted cert authorities."
    Is there a way to renew the cert (or generate a new cert) and not require a physical visit to the computer to redo the wireless setup?
    Perhaps a way to generate a new cert that is named the same as the existing cert? Maybe then I could push out the cert via a GPO.
    Thanks for any help....our cert will be expiring in a month (or so) and we are trying to figure out a game plan that doesn't involve touching every computer.

    Hi,
    The kind of certificate is a regular server certificate.
    You could use a Windows 2003 as a CA; that is a lot cheaper than getting one of those, and you can make the certificate for as many years as you want.
    Please see the link below that explains how certificates need to be requested and how to use Windows 2003 as a CA.
    http://tinyurl.com/9hq4r
    If you decide to use another CA you will need the following instructions.
    Step 1: Create a Certificate Signing Request
    Complete these steps:
    1. Choose System Configuration > ACS Certificate Setup > Generate Certificate Signing Request.
    2. Enter a name in the Certificate subject field with the cn=name format.
    3. Enter a name for the private key file.
    Note: The path to the private key is cached in this field. If you press Submit a second time after the CSR is created, the private key is overwritten and does not match the original CSR. This results in a "private key does not match" error message when you attempt to install the server certificate.
    4. Enter the private key password and confirm it.
    5. Choose a key length of 1024.
    Note: While Cisco Secure ACS can generate key sizes greater than 1024, the use of a key larger than 1024 does not work with PEAP. Authentication might appear to pass in Cisco Secure ACS, but the client hangs while authentication is attempted.
    6. Click Submit.
    7. Copy the CSR output on the right-hand side for submittal to the CA.
    Once this has been created you send it to the CA and they know what to do.
    If you need any assistance let me know.

  • How to Increase ACS self signed certificate.

    I'm using ACS 4.0 for Windows.
    How can I increase the validity of a self signed certificate from one year to more years?
    Thanks.
    Andrea.

    It is not possible to extend it. You have to re-issue the cert every year. You can either buy a certificate or setup your own CA to extend the time.

  • Getting XP Clients to trust ACS Self sign Cert

    Hi,
    I'm implementing ACS 4.0 to provide PEAP security on a customer's WLAN. I'd like to use the self-signed certificate feature within ACS, because it's easy to use and I don't want to 'play' with the customer's servers to install a CA unless I really have to (deniability!!).
    My question is, how do I get the XP clients to trust the certificate installed on the ACS when the 'Authenticate Server' option is enabled on the PEAP client?
    Due to the range of client adapters on the network and the only common factor being that they all run XP SP2, I plan to use the 'wireless zero configuration' option on those clients.
    I presume I have to tick the relevant CA box on the client trust list, but how do I get the cert to appear in that trust list?
    Regards all,
    Dan

    Thanks for your reply,
    I need to validate the server certificate to strengthen against 'man in the middle' attacks. But I'm struggling to figure out how to trust the SSC from the ACS.
    There must be a way of adding that CA to the clients' Certificate Trust List?
    This network will be the subject of a pen test when it's finished and I need to make it as secure as possible.
    I know EAP-TLS is stronger, but certificates on all the clients are too cumbersome to manage (customer's point of view).
    At least using this method (if implemented properly), the customer only has to maintain the server cert every year.
    Regards,
    Dan

  • ACS 5.3 / Self Signed / Certificate base auth

    Hello,
    Our ACS (5.3) has a self-signed certificate; we have exported it and declared it in Certificate Authorities.
    We have exported it to have a Trusted Certificate for the client machine.
    This certificate has been installed on a laptop.
    The WLC is successfully set up for EAP (PEAP & EAP-FAST have been tested > OK).
    I have this error in the log:
    12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain
    I think the Access Policies (identity & authorization) are misconfigured:
    > I allowed Host Lookup, PAP/ASCII, MSCHAPV2, EAP-MD5, EAP-TLS, PEAP, EAP-FAST
    > Identity: System:EAPauthentication match EAP-TLS
    id Source: AD in which AD, Internal Users, Password based, certificate based CN Username are enabled
    > authorization: System:WasMachineAuthenticated=True
    Thanks for your help,
    regards,

    Hello,
    I found the answer here:
    https://supportforums.cisco.com/message/1298039#1298039
    ACS self-signed certificate is not compatible with EAP-TLS
    Thanks,

  • Self Signed Certificate For ACS

    Hi,
    I am running version 4.1 of the ACS appliance and was wondering if anyone knew of a way to get around the limitation of the 1 year self signed certificate? We had no external CA infrastructure.
    Is there a way of creating the CA certificate on an external (temporary) Windows/Linux box and then importing this onto the ACS for use?

    This will be on an isolated network and will only authenticate/authorize a few switches and routers. No MS/Linux on this LAN will use ACS; do you still have to create the CER? I could only find where that is needed for EAP, PEAP, HTTPS, Posture Validation, etc. I'm just trying to get the basics working so I can get this started, tested, then move to other things. If you think this is still needed, I'll create the self-signed one but I'm not sure if it will do any good. Thanks for the reply.

  • How to import a self signed certificate into Firefox from the windows store properly.

    I am currently trying to get a WCF service that runs on the same machine as the browser that is making the request. Since the connection is between a browser and an application running on the same machine, security was originally not a concern and it seemed fine to leave the request on http. The first issue arose when Firefox did not allow mixed content calls (the website making the requests uses https). I have the service converted fine to run with Chrome and IE in https, but not for Firefox due to its use of a separate store.
    For the Windows store I created one CA cert which then issues the self-signed cert which is then bound to a port I have the WCF service listening on (in my case this is: https://localhost:8502).
    This all needs to be done programmatically so I can't manually Add an Exception (which does work).
    If there was a way to use certutil (I am not very adept at using this tool at all) to add this exception it would be very helpful.
    The other method I have tried is exporting the self-signed cert and then importing it. Using IIS I can only export the file as .pfx which I can't seem to import into the Servers tab in the certificates interface (I assume this is the right location for it since the exception adds it here). I extracted the certificate from the port through code and imported it to the store, but it does not seem to have the extra column defining the port like the exception cert does (it does not work either).
    How do I do this correctly? Or is it even possible to have a self-signed cert bypass all this? I only have it using self-signed certs since the service is just running on localhost.

    Hi,
    Adding an exception does work manually, but you would like to do this programmatically. This has more on the NSS functions [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Certificate_Download_Specification]
    I have not tried this: you can add it to the file cert8.db if you can insert it into each profile you can access? (For example, copy the file after you have manually added it?) That would overwrite any uniqueness, however; not good for preserving data.
    The best advice would come from the security mailing list or the ESR mailing list, which helps enterprise environments.

  • Can you use a self signed certificate on an external Edge Server interface?

    Hi,
    I have a small lab deployment for evaluation purposes. The Lync FE server works great for internal users. I have now added an Edge server. For the internal interface, I have a self-signed certificate from our internal CA (no problem there). For the external interface, I have a self-signed certificate from our own external CA. I have installed the cert on the client machine of the external user and installed it for trusted operation. I have used the RUCT and DigiCert tools to prove that the external self-signed cert is valid (root and intermediate have been checked for validity).
    At first, when logging in from the Lync 2013 client on the external user's machine, I would get an error from Lync about the cert being untrusted. I have now fixed that error by adding it as trusted. At this point, there are no errors or warnings in the Event Viewer (in the application or system logs). However, I receive the following error from the Lync client, "We're having trouble connecting to the server... blah, blah".
    Here is my question. Does the Microsoft Lync 2013 client and/or the "testconnectivity.microsoft.com" tool specifically prevent or forbid the use of self-signed certificates on the external interface of an Edge server? They seem to.
    I can tell if the certificate is my problem or something else. Any ideas on how to troubleshoot this?
    Thx

    Drago,
    Thanks for all your help. I got it working.
    My problem with the Lync client error, "We're having trouble connecting to the server... blah, blah", was NOT a certificate error. It was a problem with my Lync Server Topology. (My SIP default domain needed to match my user login domain.)
    Let me update everyone about self-signed certificates:
    YES, you can self-sign a certificate on your external Edge server. It is a pain, but possible.
    I have a self-signed certificate from our own external CA. I have installed the cert on the client machine of the external user for trusted operation. I have used the RUCT and DigiCert tools to prove that the external self-signed cert is valid (root and intermediate have been checked for validity).
    Here are my notes:
    Create/enable your own external Certificate Authority (CA) running on a server with internet access.
    On the Lync Edge Server, run the "Lync Server 2013 - Deployment Wizard".
    Click "Install or Update Lync Server System". (Lync will automatically determine its deployment state.)
    You should have already completed Step 1 and Step 2.
    Run or Run Again "Step 3: Request, Install or Assign Certificates".
    Install the "Edge internal" certificate.
    Click the "Request" button to run the "Certificate Request" wizard.
    You can use the "Send the request immediately to an online certificate authority" option to connect to your internal CA, and create the certificate.
    Once the certificate has been created, use "Import Certificate" to import it.
    Once imported, on the Edge Server, go to: Control Panel -> Administrative Tools -> Internet Information Services (IIS) Manager -> Server Certificates -> Complete Certificate Request...
    In the Lync deployment wizard - Certificate Wizard, "Assign" the newly imported "edge internal" certificate.
    Install the "Edge External" certificate (public Internet).
    Click the "Request" button to run the "Certificate Request" wizard.
    Press "Next".
    Select "Prepare the request now, but send it later (offline certificate request)".
    Supply the "Certificate Request File" name and location. (You will need the file later. It should have the file extension ".req".)
    Click Next on the "Specify Alternate Certificate Template" (which means you are using the default options).
    Give it a Friendly Name. Bit Length = 2048. I selected the "Mark the certificate's private key as exportable" option.
    Fill in the organization info.
    Fill in the Geographical Information.
    The wizard should automatically fill in the "Subject name:" and "Subject alternative name:" fields.
    Select your "Configured SIP domains".
    "Configure Additional Subject Alternative Names" if you want. Otherwise, Next.
    Verify the "Certificate Request Summary". Click Next.
    Run the wizard script to "Complete". The wizard will create a file containing the certificate request with the file extension ".req". (Let's assume the file name is "myCert.req".)
    Move your myCert.req file to your external CA. Have your CA issue the cert (based on myCert.req) and export the new cert to a file. I save it as a P7B certificate. (Let's call it "ExternalCert.p7b".)
    In the Lync Deployment wizard - Certificate Wizard, click on "Import Certificate" for ExternalCert.p7b.
    Once imported, on the Edge Server, go to: Control Panel -> Administrative Tools -> Internet Information Services (IIS) Manager -> Server Certificates -> Complete Certificate Request... (assign it a friendly name; let's say "EXTERNAL-EDGE").
    For the "External Edge certificate (public Internet), click "Assign".
    The "Certificate Assignment" wizard will run.
    Click next.
    From the list, select your cert "EXTERNAL-EDGE".
    Finish the wizard to "complete".
    You are finished on the server.
    Move the "ExternalCert.p7b" file to the machine running the Lync client. Install the cert via the "Certificate Import Wizard".
    When installing it to a particular Certificate Store, select the "Place all certificates in the following store" option.
    Browse
    Select "Trusted Root Certification Authorities"
    Finish the wizard.

  • How to install self-signed ROOT CA certs in safari 4 for windows?

    Hello, I do some web development and I use Safari for Windows to test all my work for Mac users. Since v4 I haven't been able to test my apps because Safari asks me for a certificate to use for connecting to the test environment (uses a self-signed cert chain) while other browsers (Opera, Firefox, IE) just alert me of an untrusted CA certificate. How do I install the CA certificate, or whatever I need to do, to test my apps on Safari 4 Windows? Thanks for your support.

    For what it's worth, you can install a self signed cert only for pages that you go directly to. So if the self signed page is one that is included in page from another server (like images being served from a separate content server) you can install the cert but it still won't serve that content until.....you go directly to that self signed page. Also, this solution only works for the currently running browser and as soon as you shut down the browser the cert is apparently lost. Annoying as heck especially if you happen to be a shop setup that way and you are testing your site on Safari for Windows. arrrgggg! Dear Apple, please fix so we can test that our sites work with your browser.....help us help you!

  • Self signed cert in safari 4 and windows xp

    Hello there,
    in our company we have a self-signed certificate for testing purposes. In an automatic testing scenario an application will be tested with various browsers. Safari under Windows now brings a problem and does not accept the self-signed cert. The running steps terminate at this point. Importing into the Windows cert store is not helpful.
    Has anyone a solution to make this cert work with Safari and Windows? Or does a solution exist to disable the cert check in Safari itself?
    thanks
    greetings
    vito21

    Hello Mick,
    sorry to be late, but may help someone other :)
    Setting:
    NumberFormat currencyFormat = NumberFormat.getCurrencyInstance();
    and:
    String value = currencyFormat.format(valToDisplay);
    you can now use value in any component and its view is correct.
    For some objects like files you also need to set the right charset (i.e. the one supporting the symbol you need).
    For the euro symbol try "windows-1250" as charset.
    Bye

  • Safari on Windows could not accept self-signed certificate

    Hi, I am using Safari 5.0.4 on Windows 7 and I am trying to access an https site with a self-signed certificate (internal development site).
    After I install the certificate to the Windows certificate store (I tried both the Personal store and Trusted Root Certification), when I try to browse the site, Safari asks me to choose a certificate; after I choose it, after a long hang time, Safari displays "Safari can't open the page".
    My questions are:
    1. Has anyone configured Safari on Windows to accept a self-signed certificate successfully?
    2. I see some other posts saying "Safari on Windows has a bug using the self-signed certificate"; is there any official document or link saying this, if it is true?

    Microsoft Windows web browser support questions? Try one or more of these resources:
    http://technet.microsoft.com/en-us/library/cc747495(WS.10).aspx
    http://www.leonmeijer.nl/archive/2008/08/01/123.aspx
    http://stackoverflow.com/questions/681695/what-do-i-need-to-do-to-get-ie8-to-accept-a-self-signed-certificate
    That was from tossing the /internet explorer import self-signed certificate/ query at Google, and some poking around. StackOverflow and Microsoft TechNet and the Microsoft KBs have more details on Microsoft platforms and products and permutations, too.
    The usual best fix with this stuff is to create your own certificate authority (CA) root certificate and to configure that within your chosen platforms and browsers, but I do not know (off-hand) how to do that on Microsoft Windows boxes.  Google or some KB probably has details of loading your own root cert.  This approach means loading one cert, and the rest of what you create that's signed from that cert will now automatically be trusted.  Basically you become your own CA provider, load your root cert into each of your clients, and then issue your own certs chained from your own root cert, and Bob's Your Uncle.
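The private-CA approach this reply recommends, together with the CSR procedure and the "private key does not match" note in the first reply above, as an added openssl example that is not code from any post on this page. The CA name, the server name acs.lab.example and the file paths are assumptions; the chain check at the end is what a client does once only the lab root is in its trusted-roots store.

```shell
#!/bin/sh
# Added example, not from any post above: a private root CA built with
# openssl, a server CSR signed by that CA, and the checks a defender runs
# before rolling the certificate out. Requires the openssl command-line tool.

WORK="${WORK:-$(mktemp -d)}"
CA_DAYS=3650        # root CA: 10 years, so clients are touched once
SERVER_DAYS=1825    # server cert: 5 years instead of the 1-year self-signed default

# Build the CA, create a CSR for the RADIUS server, sign it, and verify that the
# chain validates against the root a client would trust. Returns 0 on success.
build_and_verify() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$CA_DAYS" \
        -subj "/CN=Lab Root CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        >/dev/null 2>&1 || return 1

    # Server key and CSR: the "Generate Certificate Signing Request" step.
    # 2048-bit keys are the floor today; the 1024-bit PEAP advice dates from ACS 4.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=acs.lab.example" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1 || return 1

    # Server-auth EKU and a SAN so 802.1X supplicants and browsers accept it.
    printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:acs.lab.example\n' \
        > "$WORK/server.ext"
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days "$SERVER_DAYS" -sha256 -extfile "$WORK/server.ext" \
        -out "$WORK/server.crt" >/dev/null 2>&1 || return 1

    # What the client does once ca.crt is in its trusted-roots store.
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Returns 0 when the private key belongs to the certificate. A mismatch is the
# "private key does not match" error you get after regenerating the CSR.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Returns 0 when the certificate expires within $2 days (renewal alarm).
expires_within_days() {
    if openssl x509 -in "$1" -checkend $(( $2 * 86400 )) -noout >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# A bare self-signed server cert (the ACS default) fails chain validation on a
# client that trusts only the lab root. Returns 0 when it is rejected.
selfsigned_is_rejected() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=acs.lab.example" \
        -keyout "$WORK/self.key" -out "$WORK/self.crt" >/dev/null 2>&1 || return 1
    ! openssl verify -CAfile "$WORK/ca.crt" "$WORK/self.crt" >/dev/null 2>&1
}

# Stand-alone run: sh this_file.sh run
if [ "${1:-}" = "run" ]; then
    build_and_verify && echo "chain OK" || echo "chain FAILED"
    key_matches_cert "$WORK/server.key" "$WORK/server.crt" && echo "key matches cert"
    expires_within_days "$WORK/server.crt" 30 || echo "no renewal due within 30 days"
    selfsigned_is_rejected && echo "bare self-signed cert rejected by chain check"
fi
```

Only ca.crt is distributed to clients (for example through a GPO); ca.key stays offline, and re-issuing server.crt from a fresh CSR later does not require touching the clients again.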

  • ACS v5.2 - New Self Signed Certificate Not Showing In Browser

    Hi
    I have just renewed the self-signed certificate on a v5.2 ACS and an expiry date of 2013 is showing in the ACS GUI. However, when I start an ACS Admin session and view the certificate information in the browser it is showing the old expiry date of 2010. I have tried this in IE and Firefox and the certificate information is the same.
    Is there a way I can get the browser to pick up the new certificate?
    The screenshots show the difference (any advice would be appreciated).

    From the screenshots it does seem to be configured OK.
    So a couple of suggestions:
    - restart browsers / clear browser cache
    - if that fails consider a restart of ACS. Since this is the certificate presented on web sessions, maybe a restart of the web server is required.

  • Self Signed Certs Safari and Windows

    My company is using a proxy with self-signed certificates and with each https connection I'm being prompted that the site may not be safe. How do I permanently accept the self-signed proxy certificate using Safari 5.0.5 (7533.21.1) on Windows 7?

    For me push is the next thing I want to get working; the web is annoying but not pressing. I'm not even prompted that the cert is not able to be authenticated, which is what I expected. It could be though that the particular cert I'm looking at may have a different machine name or something weird that is causing different behavior.

  • Exchange 2013 doesn't unassign IIS Services from Self-Signed Certificate

    Hi,
    I imported a new public certificate to Exchange 2013 SP1 and assigned the IIS service, but the IIS service keeps being assigned to the self-signed certificate. Now, I have IIS services assigned in two certificates (self-signed and public certificate); has someone seen this? What do I do now?
    Another question: can I remove the self-signed certificate? Is it tied to any one Exchange service?

    Hi,
    If possible, please provide more parameters (Status, IsSelfSigned etc.) about the certificate with the IIS service:
    Get-ExchangeCertificate -Thumbprint 382E9DCC4CCA38DA488345F7B46114BA91EBB8F0 | FL
    Get-ExchangeCertificate -Thumbprint 86EE0029EBC8FDCC9F98572602E69F65226BAB76 | FL
    Please restart the IIS service by running iisreset /noforce from a command prompt window. If the public certificate is configured correctly and has included all namespaces used for all internal and external Exchange connections, we can remove the self-signed certificate safely.
    Thanks,
    Winnie Liang
    TechNet Community Support

  • RV120W- How to create new unique self-signed certificate?

    Hello,
    How do I create a new unique self-signed certificate on the RV120W? I can create a request for signing by an external CA, but I cannot create a new unique self-signed certificate itself. Any idea? Did I miss something? Many thanks!
    Abudef

    So basically the RV120W does not support a self-signed certificate? It only allows generating a private key and certificate signing request. There is no chance to replace the default generic SSL/VPN certificate within the router itself? Could you please give me an advice on how to sign that request with some "CA"? I mean no commercial CA; I need something free running under Windows OS. Many thanks!
