ACS Server certificate export

Similar Messages

• Not able to install or generate acs server certificate

  Hi,
  I have one test set-up with one layer 3 switch and one autonomous AP 1131. I have configured one SSID and without any authentication and it was not able to connect successfully.
  But now i want to try enable WPA2 enterprise ( Actually , after checking with the test set up , i am going to implement in live set-up where i have to configure WPA2 enterprise so that i would like to go for testing wpa2 enterprise not wpa2 personal ).
  I have ACS server 3.0 trial version and installed on windows server 2000 and
  on AP 1131 i have configured radius server commands
  ( aaa- new model  and radius server host ... ip address ... key ..... shared secret ... password .. ).
  I am confused with certificate which is required to install on acs server but i am not able to generate the certificate or not able to get the certificate from anywhere in acs server option.
  how to generate acs server certificate in trial version 3.0 and after generating how to install in acs server and what about client ... will it be same certificate which i need to install in cllient PC's and if yes how to add in client pc's and if not , where will i get cllient certificate ,..
  if i buy ACS software which i will be installed windows platform , i will get two certificate ,,,,,,,,, what about acs trial version software .... will i be able to get certificate .......
  i am trying to refer so many documents but it could not help me ..
  Your help will be appreciative.
  Looking for proper information.

  Hi,
  Thanks for your response ....
  obivously , This ACS 3.0 is end of supprt but when i tried to install the acs 4.0 or later , I am not getting an error saying " basic platform should be installed first , that is ACS 3.0 ".
  That is the reason i have gone for this edition .
  Should i go for upgrading the acs 3.0 to 4.1 or later version ?
  if so , will it be possible on trail version ?
  please give me your suggestion.

• Export User-Database between ACS-Server

  Hi everyone ,
  an ACS 2.3 is running under Unix with 3000 based user. The job is, to migrate the user-database to a new ACS-Server under Windows.
  On the unix-version 2.3 there is no way to export the database to external.
  The only way, i hope, is to mirror the old and the new server as redundant server and if the database is mirrored on both server, than the database is ready for export.
  Is this correct?
  Is there an other way?
  Thanks for your input.
  Ralf

  The migration should go to version 3.1 or 3.2 .
  Ralf

• Installing certificate on ACS Server

  i want to install the certificate in acs server, I have taken the option generate certificate signed request. configured all parameters like install ACS certificate, authority setup and trust list. the certificate has been generated and installed on the machine. But when i try to login to system it is working normally with http only. how can i change it to https. please anyone help me.

  Hi,
  To Enable HTTPS for ACS :
  Goto Administration Control -- Access Policy -- SSL Setup -- Use HTTPS Transport
  To Create & Install a Server Certificate:
  System Configuration -- ACS Certificate Setup -- Generate Self Signed Certificate -- Fill in the details -- Select- Install Generated Certificate
  Restart ACS Services under Service Control
  When you try to log into the ACS you would get a warning -- Select Yes
  Tnx,
  somishra

• SSL VPN Failed to validate server certificate (cannot access https)

  Hi all,
  I have the next problem.
  I've configured in an UC520 a SSL VPN.
  I can access properly and I can see the labels, but I only can access urls which are http, not https:
  I can access the default ip of the uc520 (192.168.1.10) but
  When I try to get access to a secure url I get the msg: Failed to validate server certificate
  I'm trying to access a Cisco Digital Media Manager, whose url is https://pc.sumkio.local:8080
  Does the certificate of both hardware has to be the same?
  How can I add a https?
  Here is the config of the router:
  webvpn gateway SDM_WEBVPN_GATEWAY_1
  ip address 192.168.1.254 port 443 
  ssl trustpoint TP-self-signed-2977472073
  inservice
  webvpn context SDM_WEBVPN_CONTEXT_1
  secondary-color white
  title-color #CCCC66
  text-color black
  ssl authenticate verify all
  url-list "Intranet"
     heading "Corporate Intranet"
     url-text "DMM Sumkio" url-value "http://pc.sumkio.local:8080"
     url-text "Impresora" url-value "http://192.168.10.100"
     url-text "DMM" url-value "https://pc.sumkio.local:8443"
     url-text "DMM 1" url-value "http://192.168.10.10:8080"
     url-text "UC520" url-value "http://192.168.10.1"
  policy group SDM_WEBVPN_POLICY_1
     url-list "Intranet"
     mask-urls
     svc dns-server primary 192.168.10.250
     svc dns-server secondary 8.8.8.8
  default-group-policy SDM_WEBVPN_POLICY_1
  aaa authentication list sdm_vpn_xauth_ml_1
  gateway SDM_WEBVPN_GATEWAY_1
  max-users 10
  inservice
  Any help would be apreciatted.
  Thank you

  Hi, thanks for your advise.
  I'm trying to copy the certificate via cut and paste, but I'm getting a
  % Error in saving certificate: status = FAIL
  I dont know if I'm doing this right.
  I open the https page from the DMM with Mozilla Firefox, and in options I export the certificate in PEM format.
  I get a file which if I open with notepad is like
  -----BEGIN CERTIFICATE-----
  MIICOzCCAaSgAwIBAgIET7EwyzANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQGEwJV
  KoZIhvcNAQEFBQADgYEAdk7n+tJi0igrTD2o7RD9ty8MLTyHN4uk8km+7DbpEy0g
  mxLY0UZswYvbj15kPdd8QbeGEdDR6SXOYePsfIRJzL0mqMON4oiUhsqAK5y2yC6R
  nqy4wWQ2fGVEYAeLpb1jGKdZWpuag/CO90NMHcMiobfBh+4eTqm7kRPTEyma6V0=
  -----END CERTIFICATE-----
  If I try to authenticate the trustpoint, I get that error.
  how can I export the certificate from the DMM?
  I think that this file is not the right file.
  and then, do I have to make some changes in
  webvpn gateway SDM_WEBVPN_GATEWAY_1?
  Should I choose the new trustpoint?
  I understand that the old trustpoint is for the outside connection, no for the LAN connection.
  Dont worry about me, answer when you can but I really need to fix this.
  Thank you so much

• Wired 802.1x EAP-TLS Server Certificate Problem

  I have setup wired 802.1x authentication using EAP-TLS with ACS 3.3 and backend link to Active Directory. Root CA certificates are installed on the ACS and Client PC. Machine certificates and user certificates are also installed on Client PC. A Server certificate is installed on the ACS. All has been configured as detailed on the Cisco Web Site (numerous documents).
  If I set the client to authenticate the Servers certificate I get a failure. The clients log (Cisco Secure Services Client) states:
  11:48:53.088 Validating the server.
  11:48:53.088 Server list is empty, trusted server can not be validated.
  11:48:53.088 Server list is empty, trusted server can not be validated.
  11:48:53.088 The server certificate is invalid, the common name ACS-One.rotherham.gov.uk does not match.
  11:48:54.776 Port state transition to AC_PORT_STATE_UNAUTHENTICATED(AC_PORT_STATUS_ERR_SERVER_TLS_CERTIFICATE_REJECTED)
  11:48:54.776 The authentication process has failed.
  If I look at the Auth log on ACS (set to full logging) it states:
  AUTH 08/27/2008 14:09:04 I 0701 1492 AuthenProcessResponse: process response for 'paul.kyte@domain' against Windows NT/2000
  AUTH 08/27/2008 14:09:04 E 0350 1492 EAP: TLS: ProcessResponse: SSL handshake failed, status = 3 (SSL alert fatal:bad certificate)
  If I configure the client to not check the servers certificate it all works ok.
  Can anyone tell me why my server certificate is getting rejected?
  Thanks,
  Paul

  If Cisco Secure ACS runs on a member server and any user is to be authenticated using EAP-TLS, you must complete additional configuration in Active Directory of the domain containing Cisco Secure ACS. The username that you configured to run all Cisco Secure ACS services must also have permission to read user properties in Active Directory, else EAP-TLS authentication fails.

• Java ME SDK 3.0 server certificates problem

  Hi, I'm having a problem using HTTPS connection with the Java ME 3.0 emulator. We have a server certificate from Thawte, but I get
  javax.microedition.pki.CertificateException: Certificate was issued by an unrecognized entitywhen I try connecting to our server with the MIDlet. I have tried importing the server certificate as well as the Thawte root certificates into the keystore in c:\Documents And Settings\<username>\javame-sdk\3.0\work\<id>\appdb\_main.ks and I see the certificates in the Certificate Manager in the emulator, but I still get the exception.
  What am I supposed to do to get the emulator to accept the server certificate?

  Answering myself, I got it working after I exported the Thawte server certificates from Control Panel -> Internet Options -> Content -> Certificates -> Trusted Root Certificate Authorities and then imported them to the MEkeystores.

• PEAP: Enforce that client must verify server certificate

  Hi,
  I have PEAP setup with server certificate. The ACS server is used for radius authentication and cisco wireless access point 1240 series are used in WPA2/AES. In my setup, clients are working fine with or without server certificate verification. how could i enforce that client should verify the server certificate otherwise the wireless not authenticated..
  Regards

  You could to that with an Active Directory policy or something like that.  There isn't anything on the AP or Radius server that can be done.

• Is there a way to generate server certificates in a multi-controller environment?

  Q: Is there a way to generate server certificates in a multi-controller environment? 
  A: 1.  For PEAP, only the Radius Server needs a certificate, not the controller.  Managing a certificate for each controller for 802.1x when you can  alternatively manage a single certificate for each radius server is a mistake.
  2.  For Captive Portal, if you don't want your guest or company users to have an untrusted error every time they hit the captive portal you will need a public certificate that all your users will trust.  That could either involve (1) A  different certificate for each controller with the subject being the fqdn of each controller or (2) a single, identical certificate that has the SAN or Subject ALT Name filled out with the FQDN of each controller listed in the SAN field (https://www.digicert.com/subject-alternative-name.htm)
  Here is an example of a cert with multiple fqdns in the Subject Alternative Name field below:  Of course, you will have to pay for each SAN that you have added to the certificate.  If you will have an environment where you have a VRRP and that is the ip address that the clients will be redirected to, you should make the SAN point to the VRRP.
  A document on certificates that is specifically geared toward ClearPass, instead of controllers is here:  Certificates 101 V1.0  It speaks to certificates on ClearPass, but the concepts are the same...
  Solution:-
  We can use ClearPass server to generate the CSR, where the CN is named after the 1st controller, which included all the Subject Alternate Names (SANs) for the other 3 controllers as well as the master controllers (in case of an N+1 failover).  This allows to save/export the private key as a file.
  After submitting the CSR for a UCC and after receiving the cert,  then proceed to chain the cert to include server, all intermediate and root CAs.  Then copy the chained cert as well as the private key file to a MacBook so that we can use OpenSSL to create a PFX formatted cert as follows:
  sudo openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.pem
  Once this generated a PFX cert,  upload it to all controllers and used it under Configuration > Management > General for both “WebUI Management Authentication Method” as well as “Captive Portal Certificate” (even though the ClearPass Guest captive portal is using a different cert for the captive portal page itself).
  https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/Create-a-CSR-with-multiple-SANs

  Sorry I'm still confused here.  What you are describing makes no sense for properly using TestStand.
  Maybe I can help you find the right solution if I can understand your goal?
  Do you want to dynamically populate the variables (Locals and FileGlobals) with values?  Or do you want to dynamically create the variables from scratch (i.e. add subproperties to the sequence file) based on some file?
  Generally what happens is people want an ASCII file (in your case I'm guessing CVS) such that they can change the values of variable so that when TS is executing it will load those values and use them.  In this case NI recommends the Property Loader.  There is an example for this in <TestStand>\Examples.  Open the workspace and look for the PropertyLoader example.  Also, if you google "proprety loader teststand" then you will find various articles which may assist you.
  When you say "define the variables for the sequence/sequence file"  Are you actually referring to manually right clicking in the sequence file and saying Insert Local?  or are you just saying that you change the value of a variable?
  Thanks,
  jigg
  CTA, CLA
  teststandhelp.com
  ~Will work for kudos and/or BBQ~

• Migrating a server certificate

  Hi,
  I have a server instance running on a Sun ONE Web Server 6.1 installation. I would like to move this site, which includes a VeriSign server certificate, from my WS6.1 installation to my AS7 installation. It appears as though the trust database for WS6.1 is in a cert8.db file, whereas the trust database for AS7 is a cert7.db file.
  Is there an easy way to export this certificate from the cert8.db and import it into the cert7.db?
  Thanks,
  Bill

  In case anyone else needs to do this, I've figured it out.
  1. On the old server, put the appropriate certificate utilities in your PATH:
    LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/sunone61/bin/https/lib
    PATH=$PATH:/opt/sunone61/bin/https/admin/bin2. Export the certificate in pcks#12 format:
    pk12util -d /opt/sunone61/alias -o mydomain.p12 \
         -n 'Server-Cert' -P https-www.mydomain.com-xxx-This will save your certificate in a file named mydomain.p12. Note that the "xxx" will reflect the name of your admin server.
  3. On the new server, change into the new server instance's config directory. Copy the .p12 file created in the previous step into this directory, then run the following command to import it into the CA500 slot:
    pk12util -i mydomain.p12 -d . -h 'nobody@mydomain'This assumes that you have already created the "mydomain" realm in the CA500.
  Good luck!
  Bill

• AnyConnect 3.1 - removing Security Warning: Untrusted VPN Server Certificate!

  Hi guys,
  Is there a way to disable the warning generated from using self signed certs?
  I would like to make the process as seamless as possible.
  AnyConnect 3.1
  ASA 8.4(2)
  Thanks.

  Hi,
  We had problem with the above error message with our certificate when we moved to AnyConnect 3.1
  We were instructed to request a new one
  Also here is the link to Cisco site we were provided that explains the changes in 3.1
  IPSec and SSL connections require server  certificates to contain Key Usage attributes of Digital Signature and  Key Encipherment, as well as an Enhanced Key Usage attribute of Server  Authentication or IKE Intermediate. Note that IPSec server certificates  not containing a Key Usage are considered invalid for all Key Usages,  and similarly an IPSec server certificate not containing an Enhanced Key  Usage is considered invalid for all Enhanced Key Usages.
  Link to document
  http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html#wp1049936
  Sadly I dont dable with certificates myself so I'm not really familiar with this.
  - Jouni

• How to add a certificate to IIS global "Server Certificates" list using PowerShell?

  Hi, been surfing the web for an example on how to add a certificate to the "global" IIS "Server Certificates" list using PowerShell but to no luck. I already have code in place on how to tie / associate a specific website with a specific cert but not how
  to add the new .cer file using the "Complete Certificate Request..." wizard using PowerShell.... I dont expect the final code to become published but if someone had an idea on howto integrate / get an entry point on where to interact between the "Server Certificate"
  list in IIS and POSH I would be super happy! :|
  I am runnign IIS on a Windows 2008R2 x64 Standard Edition if that helps..... of course, I would saddle for an CLI if there is no other way, but POSH is of course the way to go! :)
  Thanks for the help in advance guys, take care!
  br4tt3

  Hi and thanks for the suggestions!
  Although it comes close, the suggested code example points on howto import / incorporate .pfx files - I am getting fed by .cer files which I need to add into the IIS console using POSH.
  I tried explore the IIS.CertObj object but was not able to work out if this one could be used for importing / adding .cer files into IIS! However, launching the following command from a POSH console with Import-Module Webadministration already
  loaded into that shell;
  $certMgr = New-Object -ComObject IIS.CertObj returns the following error message:
  New-Object : Cannot load COM type IIS.CertObj
  From an IIS perspective I have the following components installed;
  [X] Web Server (IIS)                                    Web-Server
      [X] Web Server                                      Web-WebServer
          [ ] Common HTTP Features                        Web-Common-Http
              [ ] Static Content                          Web-Static-Content
              [ ] Default Document                        Web-Default-Doc
              [ ] Directory Browsing                      Web-Dir-Browsing
              [ ] HTTP Errors                             Web-Http-Errors
              [ ] HTTP Redirection                        Web-Http-Redirect
              [ ] WebDAV Publishing                       Web-DAV-Publishing
          [X] Application Development                     Web-App-Dev
              [ ] ASP.NET                                
  Web-Asp-Net
              [X] .NET Extensibility                      Web-Net-Ext
              [ ] ASP                                    
  Web-ASP
              [ ] CGI                                    
  Web-CGI
              [ ] ISAPI Extensions                        Web-ISAPI-Ext
              [ ] ISAPI Filters                           Web-ISAPI-Filter
              [ ] Server Side Includes                    Web-Includes
          [ ] Health and Diagnostics                      Web-Health
              [ ] HTTP Logging                            Web-Http-Logging
              [ ] Logging Tools                           Web-Log-Libraries
              [ ] Request Monitor                         Web-Request-Monitor
              [ ] Tracing                                
  Web-Http-Tracing
              [ ] Custom Logging                          Web-Custom-Logging
              [ ] ODBC Logging                            Web-ODBC-Logging
          [X] Security                                   
  Web-Security
              [ ] Basic Authentication                    Web-Basic-Auth
              [ ] Windows Authentication                  Web-Windows-Auth
              [ ] Digest Authentication                   Web-Digest-Auth
              [ ] Client Certificate Mapping Authentic... Web-Client-Auth
              [ ] IIS Client Certificate Mapping Authe... Web-Cert-Auth
              [ ] URL Authorization                       Web-Url-Auth
              [X] Request Filtering                       Web-Filtering
              [ ] IP and Domain Restrictions              Web-IP-Security
          [ ] Performance                                 Web-Performance
              [ ] Static Content Compression              Web-Stat-Compression
              [ ] Dynamic Content Compression             Web-Dyn-Compression
      [X] Management Tools                                Web-Mgmt-Tools
          [X] IIS Management Console                      Web-Mgmt-Console
          [X] IIS Management Scripts and Tools            Web-Scripting-Tools
          [ ] Management Service                          Web-Mgmt-Service
          [ ] IIS 6 Management Compatibility              Web-Mgmt-Compat
              [ ] IIS 6 Metabase Compatibility            Web-Metabase
              [ ] IIS 6 WMI Compatibility                 Web-WMI
              [ ] IIS 6 Scripting Tools                   Web-Lgcy-Scripting
              [ ] IIS 6 Management Console                Web-Lgcy-Mgmt-Console
      [X] FTP Server                                      Web-Ftp-Server
          [X] FTP Service                                 Web-Ftp-Service
          [X] FTP Extensibility                           Web-Ftp-Ext
      [ ] IIS Hostable Web Core                           Web-WHC
  More or less the one thing that I am trying to get up and running is an automated FTPS solution - I just use the IIS console to be able to troubleshoot / compare how things scripted from POSH interacts in the MMC representation. The error I am getting
  might be that I am lacking some IIS components to be in place to be able to automate some parts of the IIS - as suggested by the IIS.CertObj object listed in the example..... I will get back if I can track down which component needs to be added to be
  able to reference the IIS.CertObj object.
  Br4tt3 signing out...
  br4tt3

• How do I create a default account with an ACS Server

  Has anyone seen this. I have an ACS Solution engine appliance with Several devices using it for authentication and accounting. It all seems to work great.
  When I add a new device (router or switch) i noticed that it will let me login via the acs based authentication even before i even setup the aaa-client account for this device in the acs appliance. I do have the tacacs key and all the appropriate information on the router or switch but i dont have an entry for it in the acs appliance yet. This has puzzled me Where is this default account setup. I have another ACS server (Windows Based) It seems to have a completely different behavior when it encounters an unconfigured AAA-client compared to the ACS Appliance. Can anyone tell me how to configure the ACS server to do the same and where these configuration options exist?
  This really concerns me from a security perspective.

  Hmm, ACS should not (by default) accept traffic from any old device.
  Could it be you have a wild-card IP Addr in your ACS network config somewhere that accidentally includes the new device?
  Or possibly a DNS name (instead of an IP Addr) that resolves to the address of the new device?
  Try changing the shared secret in the device - you should find you get errors in the Failed Attempts Log.
  Also check the Passed Authenications report as this included the ACS network config device name in the Access-Device column.

• How can I make Firefox trust a Server Certificate by Default?

  I'm trying to distribute Firefox via Empirum. All settings are made using the CCK-Wizard Addon.
  When I import our Certificates in CCK-Wizard, I can make trust-settings for CA's, but not for Server Certificates, and so the SC isn't trusted by default.
  Is there any way to make the trust Settings for SC's in the install package, maybe through an option in about:config (didn't find any, but maybe somebody knows more than google :P )?
  I tried to do it like PRF_1 suggested here https://support.mozilla.org/de/questions/687296#answer-112220 but in the last step I got an Error 1: C compiler cannot create executables.
  Regards,
  Bowser

  Hello,
  '''Try Firefox Safe Mode''' to see if the problem goes away. Safe Mode is a troubleshooting mode, which disables most add-ons.
  ''(If you're not using it, switch to the Default theme.)''
  * On Windows you can open Firefox 4.0+ in Safe Mode by holding the '''Shift''' key when you open the Firefox desktop or Start menu shortcut.
  * On Mac you can open Firefox 4.0+ in Safe Mode by holding the '''option''' key while starting Firefox.
  * On Linux you can open Firefox 4.0+ in Safe Mode by quitting Firefox and then going to your Terminal and running: firefox -safe-mode (you may need to specify the Firefox installation path e.g. /usr/lib/firefox)
  * Or open the Help menu and click on the '''Restart with Add-ons Disabled...''' menu item while Firefox is running.
  [[Image:FirefoxSafeMode|width=520]]
  ''Once you get the pop-up, just select "'Start in Safe Mode"''
  [[Image:Safe Mode Fx 15 - Win]]
  '''''If the issue is not present in Firefox Safe Mode''''', your problem is probably caused by an extension, and you need to figure out which one. Please follow the [[Troubleshooting extensions and themes]] article for that.
  ''To exit the Firefox Safe Mode, just close Firefox and wait a few seconds before opening Firefox for normal use again.''
  ''When you figure out what's causing your issues, please let us know. It might help other users who have the same problem.''
  Thank you.

• How enable read only access for ACS server itself

  Hi,
  We would like to know whether its possible to create a read only access to the ACS server. Currenlty ACS server has a generic login with full admin rights.
  We need to create a login to couple of users to log into ACS to check the "Report and Activity" tab. Access to all other tabs should be disabled.
  We are using ACS4.0 verison. Please let me know whether its possible.
  Thanks
  Nachi

  Hi,alexchy8
  We can make use of 2 PowerShell commands to achieve this goal.
  Add-MailboxPermission and Add-MailboxFolderPermission.
  Execute the Add-MailboxPermission command to delegate the read permission at mailbox level.
  Execute the Add-MailboxFolderPermission command to delegate the required permissions on specific folders inside the mailbox.
  You can read the following article as reference:
  http://www.exchangedictionary.com/articles/assign-read-only-mailbox-permission-on-exchange-2010-2013-powershell
  Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety,
  or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
  Best Regards.