ACS - Verisign Cert - PEAP Auth - XP Clients

Hi
I am hoping to implement PEAP using a server certificate on ACS generated from a real CA like Verisign/Thawte etc. to prevent having to distribute an internal root CA certificate to all clients.
I have discovered that Verisign provide a WLAN Auth certificate product, but this appears to be specifically for IAS.
Does anybody know whether I can just generate a certificate request from the ACS box and use any certificate, or is there a particular type I need?
Any help would be much appreciated!
Thanks
Leon

CTA can be configured to perform machine authentication using certificates provided that the 802.1x Wired Client has been installed. Refer to http://cisco.com/en/US/products/ps5923/products_maintenance_guide_chapter09186a00806870ac.html for more information.

Similar Messages

  • Testing Windows 8 Consumer Preview with ACS 5.2 PEAP auth

    We are deploying ACS 5.2 to replace our ACS 4.2 in production.  I have two wireless networks setup as WPA2-Enterprise.  One points at the ACS 4.2 and the other at the ACS 5.2.  Both use the same SSL certificate with the same CN.  Both authenticate Windows 7 clients.  However, Windows 8 CP will only authenticate to the ACS 4.2 and not to ACS 5.2.  The error it gives is:
    11051 Radius packet contains invalid state attribute
    It also shows no authentication method (most of the time).
    Occasionally, I get a request that actually shows an authentication method of PEAP (EAP-MSCHAPv2) which is what it should be.  On those requests, I get error:
    24444 Active Directory operation has failed because of an unspecified error in the ACS.
    Both ACS 4.2 and ACS 5.2 are pointed at the same Windows AD source.
    Anyone have any ideas?  Is there any other information I can provide to help troubleshoot?  I know Windows 8 is not even out yet.  But, it would be nice to have it working.
    Thanks!
    Jodie

    Thanks Tarik!  I appreciate the detailed steps to collect the information to help troubleshoot this issue.
    Here are the logs requested:
    May  2 08:16:36 sh-netacs2 adclient[7987]: DEBUG daemon.execute executing request 'ping' in thread 3029719968
    May  2 08:16:36 sh-netacs2 adclient[7987]: DEBUG daemon.execute executing request 'MS-RPC user authentication' in thread 3054898080
    May  2 08:16:36 sh-netacs2 adclient[7987]: DEBUG daemon.execute I:IPCClient1::doNetLogonSamLogon - user=SH-HIS\jcrouch
    May  2 08:16:36 sh-netacs2 adclient[7987]: DEBUG base.adagent Find GUID: fa61e77fbfc98044b7153bf5abc9fd78 (7)
    May  2 08:16:36 sh-netacs2 adclient[7987]: DEBUG com.centrify.smb.smbserver SMB Connect to server sh-dc03.shv.lsuhsc-s.edu
    May  2 08:16:36 sh-netacs2 adclient[7987]: DEBUG base.adagent Domain Level for '' is not PreW2K8
    May  2 08:16:36 sh-netacs2 adclient[7987]: DEBUG dns.findsrv FindSrvFromDns(0): _kerberos._tcp.LSUHSC-S._sites.SHV.LSUHSC-S.EDU
    May  2 08:16:36 sh-netacs2 adclient[7987]: DEBUG dns.findsrv FindFromDns(0): _kerberos._tcp.LSUHSC-S._sites.SHV.LSUHSC-S.EDU
    May  2 08:16:36 sh-netacs2 adclient[7987]: DEBUG dns.findsrv FindSrvFromDns(0): _kerberos._tcp.SHV.LSUHSC-S.EDU
    May  2 08:16:36 sh-netacs2 adclient[7987]: DEBUG dns.findsrv FindFromDns(0): _kerberos._tcp.SHV.LSUHSC-S.EDU
    May  2 08:16:36 sh-netacs2 adclient[7987]: DEBUG dns.controllers Updated controller info: last update = Wed May  2 08:01:16 2012, siteName = 'LSUHSC-S', m_serviceType = KDC, domain = 'SHV.LSUHSC-S.EDU', site list = (sh-dc03.shv.lsuhsc-s.edu:88 sh-dc04.shv.lsuhsc-s.edu:88 sh-epic-dc01.shv.lsuhsc-s.edu:88), inferior list = (afm-dc01.shv.lsuhsc-s.edu:88)
    May  2 08:16:36 sh-netacs2 adclient[7987]: DEBUG dns.findkdc Kerberos lookup of SHV.LSUHSC-S.EDU: DNS resolve to sh-dc03.shv.lsuhsc-s.edu:88 sh-dc04.shv.lsuhsc-s.edu:88 sh-epic-dc01.shv.lsuhsc-s.edu:88 afm-dc01.shv.lsuhsc-s.edu:88
    May  2 08:16:36 sh-netacs2 adclient[7987]: DEBUG dns.findkdc Kerberos lookup of SHV.LSUHSC-S.EDU: DNS resolve to sh-dc03.shv.lsuhsc-s.edu:88 sh-dc04.shv.lsuhsc-s.edu:88 sh-epic-dc01.shv.lsuhsc-s.edu:88 afm-dc01.shv.lsuhsc-s.edu:88
    May  2 08:16:36 sh-netacs2 adclient[7987]: DEBUG base.osutil Module=Kerberos : initSecurityContext - gss_init_sec_context failed (reference ../smb/utils/gsskerberos.cpp:198 rc: -1765328352)
    May  2 08:16:36 sh-netacs2 adclient[7987]: DEBUG smb.rpc.schannel SecureChannel::close: m_fh=0x0
    May  2 08:16:36 sh-netacs2 adclient[7987]: DEBUG com.centrify.smb.smbserver SMB disconnect from server sh-dc03.shv.lsuhsc-s.edu
    May  2 08:16:36 sh-netacs2 adclient[7987]: DEBUG daemon.execute O:IPCClient1::netLogonSamLogon - user=SH-HIS\jcrouch (ntStatus=0xc0000001)
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG daemon.main now = Wed May  2 08:16:46 2012, nextPasswordChange: Wed May  2 08:50:46 2012, lastKrb5ConfUpdate: Thu Jan  1 00:00:00 1970, lastKrb5Renew: Wed May  2 08:03:16 2012, lastBindingRefresh: Wed May  2 08:16:16 2012, lastCacheCleanup: Wed May  2 08:16:16 2012, lastPrevalidate: Wed May  2 08:03:16 2012, lastChkDatadir: Wed May  2 08:12:46 2012, lastAzmanRefresh: Wed May  2 08:15:16 2012
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.bind.healing trying unexpected disconnect reconnect sh-dc03.shv.lsuhsc-s.edu(GC)
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adagent (re)acquiring Init credentials
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.kerberos.adhelpers acquiring machine credentials
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.kerberos.adhelpers Using keytab WRFILE:/etc/krb5.keytab
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adagent Domain Level for '' is not PreW2K8
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG dns.findkdc Kerberos lookup of SHV.LSUHSC-S.EDU: DNS resolve to sh-dc03.shv.lsuhsc-s.edu:88 sh-dc04.shv.lsuhsc-s.edu:88 sh-epic-dc01.shv.lsuhsc-s.edu:88 afm-dc01.shv.lsuhsc-s.edu:88
    May  2 08:16:46 sh-netacs2 last message repeated 3 times
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.kerberos.adhelpers Encryption (id 18) is not supported by KDC. Try next in the list
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG dns.findkdc Kerberos lookup of SHV.LSUHSC-S.EDU: DNS resolve to sh-dc03.shv.lsuhsc-s.edu:88 sh-dc04.shv.lsuhsc-s.edu:88 sh-epic-dc01.shv.lsuhsc-s.edu:88 afm-dc01.shv.lsuhsc-s.edu:88
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG dns.findkdc Kerberos lookup of SHV.LSUHSC-S.EDU: DNS resolve to sh-dc03.shv.lsuhsc-s.edu:88 sh-dc04.shv.lsuhsc-s.edu:88 sh-epic-dc01.shv.lsuhsc-s.edu:88 afm-dc01.shv.lsuhsc-s.edu:88
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.kerberos.adhelpers Encryption (id 17) is not supported by KDC. Try next in the list
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.kerberos.adhelpers Encryption (id 23) is not supported by KDC. Try next in the list
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG dns.findkdc Kerberos lookup of SHV.LSUHSC-S.EDU: DNS resolve to sh-dc03.shv.lsuhsc-s.edu:88 sh-dc04.shv.lsuhsc-s.edu:88 sh-epic-dc01.shv.lsuhsc-s.edu:88 afm-dc01.shv.lsuhsc-s.edu:88
    May  2 08:16:46 sh-netacs2 last message repeated 3 times
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.osutil Module=Kerberos : KDC refused skey: Clock skew too great (reference base/adhelpers.cpp:215 rc: -1765328347)
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.bind.cache postStart/getInitCreds threw: KDC refused skey: Clock skew too great
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.bind.healing unexpected disconnect reconnect sh-dc03.shv.lsuhsc-s.edu(GC) failed: KDC refused skey: Clock skew too great
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.bind.healing trying unexpected disconnect reconnect sh-dc03.shv.lsuhsc-s.edu
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adagent (re)acquiring Init credentials
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.kerberos.adhelpers acquiring machine credentials
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.kerberos.adhelpers Using keytab WRFILE:/etc/krb5.keytab
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adagent Domain Level for '' is not PreW2K8
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG dns.findkdc Kerberos lookup of SHV.LSUHSC-S.EDU: DNS resolve to sh-dc03.shv.lsuhsc-s.edu:88 sh-dc04.shv.lsuhsc-s.edu:88 sh-epic-dc01.shv.lsuhsc-s.edu:88 afm-dc01.shv.lsuhsc-s.edu:88
    May  2 08:16:46 sh-netacs2 last message repeated 3 times
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.kerberos.adhelpers Encryption (id 18) is not supported by KDC. Try next in the list
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG dns.findkdc Kerberos lookup of SHV.LSUHSC-S.EDU: DNS resolve to sh-dc03.shv.lsuhsc-s.edu:88 sh-dc04.shv.lsuhsc-s.edu:88 sh-epic-dc01.shv.lsuhsc-s.edu:88 afm-dc01.shv.lsuhsc-s.edu:88
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG dns.findkdc Kerberos lookup of SHV.LSUHSC-S.EDU: DNS resolve to sh-dc03.shv.lsuhsc-s.edu:88 sh-dc04.shv.lsuhsc-s.edu:88 sh-epic-dc01.shv.lsuhsc-s.edu:88 afm-dc01.shv.lsuhsc-s.edu:88
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.kerberos.adhelpers Encryption (id 17) is not supported by KDC. Try next in the list
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.kerberos.adhelpers Encryption (id 23) is not supported by KDC. Try next in the list
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG dns.findkdc Kerberos lookup of SHV.LSUHSC-S.EDU: DNS resolve to sh-dc03.shv.lsuhsc-s.edu:88 sh-dc04.shv.lsuhsc-s.edu:88 sh-epic-dc01.shv.lsuhsc-s.edu:88 afm-dc01.shv.lsuhsc-s.edu:88
    May  2 08:16:46 sh-netacs2 last message repeated 3 times
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.osutil Module=Kerberos : KDC refused skey: Clock skew too great (reference base/adhelpers.cpp:215 rc: -1765328347)
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.bind.cache postStart/getInitCreds threw: KDC refused skey: Clock skew too great
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.bind.healing unexpected disconnect reconnect sh-dc03.shv.lsuhsc-s.edu failed: KDC refused skey: Clock skew too great
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo start updateDomainInfoMap
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo Using existing search marker
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adagent addMap: LSUHSC-S.EDU <-> LSUHSC-S
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adagent addMap: SHV.LSUHSC-S.EDU <-> SH-HIS
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adagent addMap: EAC.LSUHSC-S.EDU <-> LSUMC-EAC
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adagent addMap: LSUHSC.EDU <-> LSUHSC
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adagent addMap: MASTER.LSUHSC.EDU <-> LSUMC-MASTER
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo Using domainInfoMap from cache, it was not expired  (size=5)
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo DC=lsuhsc-s,DC=edu
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     CN              = LSUHSC-S.EDU
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     SID             = S-1-5-21-4197722968-216021789-2322446462
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     TRUST_ATTRS     = 0x20
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     TRUST_DIRECTION = 3
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     TRUST_TYPE      = 2
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     NTLM NAME       = LSUHSC-S
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     LOCAL FOREST    = YES
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo DC=shv,DC=lsuhsc-s,DC=edu
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     CN              = SHV.LSUHSC-S.EDU
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     SID             = S-1-5-21-341470825-1660045691-689510791
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     TRUST_ATTRS     = 0x20
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     TRUST_DIRECTION = 3
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     TRUST_TYPE      = 2
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     NTLM NAME       = SH-HIS
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     LOCAL FOREST    = YES
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo DC=eac,DC=lsuhsc-s,DC=edu
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     CN              = EAC.LSUHSC-S.EDU
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     SID             = S-1-5-21-1451108202-1290631035-623647154
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     TRUST_ATTRS     = 0x20
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     TRUST_DIRECTION = 3
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     TRUST_TYPE      = 2
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     NTLM NAME       = LSUMC-EAC
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     LOCAL FOREST    = YES
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo CN=lsuhsc.edu,CN=System,DC=lsuhsc-s,DC=edu
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     CN              = LSUHSC.EDU
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     SID             = S-1-5-21-2419512895-2621689230-2851238096
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     TRUST_ATTRS     = 0x8
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     TRUST_DIRECTION = 3
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     TRUST_TYPE      = 2
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     NTLM NAME       = LSUHSC
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     LOCAL FOREST    = NO
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo CN=master.lsuhsc.edu,CN=System,DC=shv,DC=lsuhsc-s,DC=edu
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     CN              = MASTER.LSUHSC.EDU
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     SID             = S-1-5-21-2113824390-172908180-308554878
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     TRUST_ATTRS     = 0x4
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     TRUST_DIRECTION = 2
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     TRUST_TYPE      = 2
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     NTLM NAME       = LSUMC-MASTER
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     LOCAL FOREST    = NO
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG util.except (TryAgain) : start up not complete (reference base/adagent.cpp:2201 rc: 0)
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG daemon.main Delay /etc/krb5.conf update, start up not complete
    May  2 08:16:59 sh-netacs2 debugd[2553]: [8075]: locks:file: lock.c[357] [daemon]: obtained repos-mgr lock
    May  2 08:16:59 sh-netacs2 debugd[2553]: [8075]: config:repository: rm_repos_cfg.c[251] [daemon]: scanning the tmp dir
    May  2 08:16:59 sh-netacs2 debugd[2553]: [8075]: locks:file: lock.c[371] [daemon]: released repos-mgr lock
    May  2 08:16:59 sh-netacs2 debugd[2553]: [8075]: locks:file: lock.c[357] [daemon]: obtained repos-mgr lock
    May  2 08:16:59 sh-netacs2 debugd[2553]: [8075]: config:repository: rm_repos_cfg.c[251] [daemon]: scanning the tmp dir
    May  2 08:16:59 sh-netacs2 debugd[2553]: [8075]: locks:file: lock.c[371] [daemon]: released repos-mgr lock
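
As an added example (not from the thread or from Cisco), here is a triage pass over adclient log lines like those above: it parses the syslog framing, decodes the `rc:` values using MIT Kerberos com_err numbering (error-table base -1765328384), flags NTSTATUS failures on the logon calls, and names the rejected encryption types. The sample lines are copied from the excerpt above; the parsing, the error-code tables and the verdict text are this example's own. In that excerpt, -1765328347 decodes to KRB5KRB_AP_ERR_SKEW, which matches the "Clock skew too great" text printed next to it, and -1765328352 on the user logon is KRB5KRB_AP_ERR_TKT_EXPIRED, which is what a clock problem looks like from the service side; Kerberos tolerates five minutes of skew by default.

```python
"""Triage of adclient (Centrify agent) debug log lines from an ACS 5.x node.

Added example, not part of the thread. The sample lines are copied from the
excerpt above; the regexes and code tables are this example's own (krb5 codes
follow MIT Kerberos com_err numbering, error table base -1765328384).
"""
import re

SAMPLE_LOG = """\
May  2 08:16:36 sh-netacs2 adclient[7987]: DEBUG daemon.execute I:IPCClient1::doNetLogonSamLogon - user=SH-HIS\\jcrouch
May  2 08:16:36 sh-netacs2 adclient[7987]: DEBUG base.osutil Module=Kerberos : initSecurityContext - gss_init_sec_context failed (reference ../smb/utils/gsskerberos.cpp:198 rc: -1765328352)
May  2 08:16:36 sh-netacs2 adclient[7987]: DEBUG daemon.execute O:IPCClient1::netLogonSamLogon - user=SH-HIS\\jcrouch (ntStatus=0xc0000001)
May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.kerberos.adhelpers Encryption (id 18) is not supported by KDC. Try next in the list
May  2 08:16:46 sh-netacs2 last message repeated 3 times
May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.osutil Module=Kerberos : KDC refused skey: Clock skew too great (reference base/adhelpers.cpp:215 rc: -1765328347)
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<level>[A-Z]+) (?P<module>\S+) (?P<msg>.*)$")
RC_RE = re.compile(r"\brc: (-?\d+)\)")
NTSTATUS_RE = re.compile(r"ntStatus=0x([0-9a-fA-F]{8})")
ENCTYPE_RE = re.compile(r"Encryption \(id (\d+)\) is not supported")
USER_RE = re.compile(r"user=(\S+)")

KRB5_BASE = -1765328384          # com_err base of the krb5 error table
KRB5_NAMES = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    24: "KRB5KDC_ERR_PREAUTH_FAILED", 32: "KRB5KRB_AP_ERR_TKT_EXPIRED",
    33: "KRB5KRB_AP_ERR_TKT_NYV", 37: "KRB5KRB_AP_ERR_SKEW",
}
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def krb5_name(rc):
    """Map a return code printed as 'rc: -17653283xx' to its krb5 error name."""
    code = rc - KRB5_BASE
    return KRB5_NAMES.get(code, f"krb5 error {code}")


def parse_line(line):
    """Split the syslog framing; 'last message repeated' lines yield None."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    findings, failed_logons, skew = [], [], False
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        if m := RC_RE.search(msg):
            name = krb5_name(int(m.group(1)))
            findings.append((rec["ts"], name, msg.split(" (reference")[0]))
            skew = skew or name == "KRB5KRB_AP_ERR_SKEW"
        if m := NTSTATUS_RE.search(msg):
            status = int(m.group(1), 16)
            if status >> 30 == 0b11:             # NTSTATUS severity bits 11 = error
                u = USER_RE.search(msg)
                failed_logons.append((u.group(1) if u else "?", f"0x{status:08X}"))
        if m := ENCTYPE_RE.search(msg):
            etype = int(m.group(1))
            findings.append((rec["ts"], "enctype rejected", ENCTYPES.get(etype, str(etype))))
    if skew:
        verdict = ("clock skew between this ACS node and the domain controller; "
                   "fix NTP before touching EAP or AD settings")
    elif failed_logons:
        verdict = "AD logon failures without a Kerberos cause in this excerpt"
    else:
        verdict = "no failure indicators in this excerpt"
    return {"findings": findings, "failed_logons": failed_logons, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for item in result["findings"]:
        print(*item, sep="  ")
    print("failed logons:", result["failed_logons"])
    print("verdict:", result["verdict"])
```

Feed it the full `/var/log/messages` excerpt from the support bundle rather than the six lines above; the `rc:` decoding is what turns the opaque negative numbers into something a DC administrator will act on.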

  • ACS SE w/ Verisign Cert

    I am using the ACS as an authentication server against AD for my wireless network. I have a WiSM as my WLC and some of my users are getting a certificate error when I enable WPA. The error is coming from the ACS. I get an invalid cert error or cert not verified from the iPhone. The certificate is valid and I installed an intermediate CA. No matter what I try I can't get the error to go away.
    Could someone please assist?
    Thanks
    mike

    I am using PEAP with MSCHAP. From the iPhone I am getting the cert is not verified. When I use the Intel PRO supplicant on a laptop, it refuses to log on even though I select "use any trusted CA". I called Cisco TAC and they say I have to install the cert on all my computers; I don't believe that is correct. I am using a Verisign cert and so it should already be on my computers.
    Internet Explorer is not having an issue with the cert; the Dell wireless WLAN client does not have a problem either.
    Mike

  • ACS 4.1 PEAP using public signed certificate (verisign)

    Hi,
    Could you give me some advice about the PEAP implementation with ACS server. I understand that a self-signed certificate should work well but I have these thoughts. The self-signed certificate is valid for 1 year and after this period a new self-signed certificate has to be created. What should be the impact on the wireless users at this point? What I understand is that the new certificate should also be imported to the clients so they can validate the server certificate. If that is correct (not sure though) this will bring a huge amount of work when the certificate has expired and there are hundreds of wireless clients.
    Is it possible (and what are the requirements of the certificate itself) to install any publicly signed certificate like Verisign's on the ACS for the PEAP process? Will that ease the workload when the certificate has to be renewed? I assume that any Windows machine, for example, has trusted root certificates by default - Verisign in its store - and no further interaction should be needed on the client side.
    kind regards
    Boris

    hi there ..
    First we need to understand why a cert is important. A cert is used to create a tunnel that allows the wireless client to send their logon in a secure fashion. So if you could imagine a tunnel over wireless/wired between your client and the radius server.
    The idea of trusting the cert is SPECIFIC to the wireless client. You can choose to TRUST the cert or NOT. Totally client independent. Why this is important: suppose for a moment that someone comes into your place of business and broadcasts your SSID from their AP. Your clients could attach to this AP. And suppose they run FreeRADIUS on a small box. From this radius server this person sends a BOGUS cert. If your client isn't trusting the correct cert, or not trusting ANY, your client will accept the bogus cert, build a TLS tunnel, and send their logon.
    Can you get a signed cert? Yes, most folks do as it eases deployment. Or if you have a PKI you can push your own cert.
    Also, note you can have your client really analyze the cert and only trust specific certs and cert common names, for example ACS01-ABC.
    I hope this helps ..
    Please support the rating system if you find any of this helpful!

  • FYI. Verisign Cert & ACS

    for those who have troubles getting verisign cert working on the ACS box, i just spoke to a verisign tech support after facing issues with certs. He mentioned that when generating a CSR on ACS, it generates extra info that are not compatible with verisign. Verisign is working on the issue, it is expected to be rectified soon (in a day or two). The tech support refused to give me further info about what version of ACS causing the issue or so... I'm using ACS3.3 at the moment.

    I've installed a Verisign cert on the ACS with minimal difficulty, but it does take a couple of extra steps.
    When generating the cert request on the ACS, you have to enter the complete identification path in the Common Name field of the form. i.e., instead of just cn=Ciscoacs, you have to enter c=US,s=Florida,l=KeyWest,o=TheShirtShack,ou=Accounting,cn=Ciscoacs all on the same line.
    Also, if the certificate file format that Verisign sends back is not recognized by the ACS, you can import it into your web browser and then re-export it in the correct format (DER .509 if I recall correctly) and then upload the reformatted cert to the ACS.
    It works fine after all that =)

  • Cisco ACS 5.1 Machine Auth Problem

    Hi All,
    I have a query regarding ACS 5.1 using EAP-PEAP (machine auth plus user name and password). I have successfully setup AD authentication using Machine auth and user credentials and this works ok for corporate wireless devices and users.
    My ACS rules are machine auth against AD computers which gives a positive/pass, then a rule against user but ensuring the device is a valid domain device with "was machine authenticated = TRUE".
    The problem is when using a Windows 7 device (laptop) and logging in using the local admin account I successfully connect to the network but the local Admin account is not in AD. By default the W7 wireless adapter under security>advanced settings> specify authentication mode is computer authentication only. The W7 client doesn't send over any user credentials?
    Has anyone come across this problem before? Do I need to tweak the W7 clients via GP or is there a way of stopping just machine authentication without a valid user name and password?
    Really appreciate any responses and thank you in advance.
    Jason

    check out
    http://technet.microsoft.com/en-us/library/dd759219.aspx
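
The rogue-AP scenario in the reply a few posts up, and the Windows 7 machine/user authentication question just above, both come down to what the client's PEAP profile enforces. The following is an added example (not code from the thread, from Cisco or from Microsoft) that audits a Windows wireless profile XML, in the layout that `netsh wlan export profile` writes, for those settings. The profile XML is constructed for the example: the element names follow the EAPHost PEAP configuration schema, while the SSID, the server name and the root-CA thumbprint are placeholders.

```python
"""Audit a Windows PEAP wireless profile for the server-validation settings that
decide whether a rogue RADIUS server gets the client's MSCHAPv2 exchange.

Added example, not the thread's or any vendor's code. PROFILE_TEMPLATE is a
constructed profile in the `netsh wlan export profile` layout; element names
follow the EAPHost PEAP schema, the name/server/thumbprint values are placeholders.
"""
import xml.etree.ElementTree as ET

PROFILE_TEMPLATE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>corp-wlan</name>
  <MSM><security>
    <authEncryption><authentication>WPA2</authentication>
      <encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>{auth_mode}</authMode>
      <EAPConfig>
       <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
        <Config>
         <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
          <Type>25</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
           <ServerValidation>
            <DisableUserPromptForServerValidation>{no_prompt}</DisableUserPromptForServerValidation>
            <ServerNames>{server_names}</ServerNames>
            <TrustedRootCA>{root_thumbprint}</TrustedRootCA>
           </ServerValidation>
           <PeapExtensions>
            <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">{validate}</PerformServerValidation>
            <AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">{validate}</AcceptServerName>
           </PeapExtensions>
          </EapType>
         </Eap>
        </Config>
       </EapHostConfig>
      </EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>
"""

# Constructed profiles: the weak one is what "click through the warning" deployments end up with.
WEAK_PROFILE = PROFILE_TEMPLATE.format(
    auth_mode="machineOrUser", no_prompt="false", server_names="",
    root_thumbprint="", validate="false")
HARDENED_PROFILE = PROFILE_TEMPLATE.format(
    auth_mode="machineOrUser", no_prompt="true",
    server_names="acs01.example.com",                              # placeholder: CN of the ACS cert
    root_thumbprint="a1b2c3d4e5f60718293a4b5c6d7e8f9012345678",    # placeholder SHA-1 thumbprint
    validate="true")


def _local(tag):
    return tag.rsplit("}", 1)[-1]           # drop the XML namespace prefix


def _text(root, name):
    """Text of the first element with this local name, or None when absent."""
    for el in root.iter():
        if _local(el.tag) == name:
            return (el.text or "").strip()
    return None


def audit_peap_profile(xml_text):
    root = ET.fromstring(xml_text)
    if _text(root, "Type") != "25":
        return ["not a PEAP (EAP type 25) profile; nothing to audit"]
    findings = []
    if _text(root, "PerformServerValidation") != "true":
        findings.append("CRITICAL: server certificate validation is off; any RADIUS behind "
                        "any AP that broadcasts the SSID receives the MSCHAPv2 exchange")
    if not _text(root, "TrustedRootCA"):
        findings.append("HIGH: no TrustedRootCA pinned; every root in the machine store is acceptable")
    if not _text(root, "ServerNames"):
        findings.append("HIGH: no ServerNames restriction; with a public CA this accepts any "
                        "certificate that CA ever issued, not only your RADIUS server's")
    if _text(root, "DisableUserPromptForServerValidation") != "true":
        findings.append("MEDIUM: the user may click through a failed server validation")
    if _text(root, "authMode") == "machine":
        findings.append("INFO: authMode=machine; the supplicant never sends user credentials")
    return findings


if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, audit_peap_profile(profile) or ["OK"])
```

With a public CA such as Verisign (the original question on this page), TrustedRootCA alone does not help much: that root has signed certificates for a great many other servers, any of which a rogue RADIUS could present, so ServerNames must name your ACS servers' certificate CN. Windows XP has the same controls in the PEAP properties dialog (Validate server certificate, Connect to these servers, the Trusted Root Certification Authorities list, and the checkbox that suppresses prompting for new servers) but no `netsh wlan export`, so there the check is a manual one.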

  • Non-Verisign certs in WS7

    Hello,
    I have a mix of server certificates from Verisign and Network Solutions CAs. Both types are stored in my Crypto accelerator (hardware token), from where I've been using them for WS6 and AS7 instances.
    In WS7, the Certificates tab in the admin interface shows certs of both types and the token that they are contained within. When I attempt to configure a listener with SSL enabled, the Certificate field has two types, "RSA Certificates" and "ECC Certificates". The latter says "No ECC Certificates Available", and the pick-list for the RSA Certificates only lists the Verisign certificates.
    For a server that I migrated from an older version (WS6.1), the server.xml lists the correct server-cert-nickname value for a NetSol cert, and indeed, the cert is properly loaded and the listener starts up fine using that certificate.
    Why is it that my NetSol certs don't show up in the admin interface? I can hack the server.xml file in vi to use the correct certs, but I'm thinking there should be a way that I can access these other certs with the admin interface.
    Thanks,
    Bill

    Output of wadm list-certs --verbose -all:
    nickname        issuer-name     expiry-date
    [email protected]:Server-Cert      Network Solutions Certificate Authority May 19, 2007 6:59:59 PM
    There is no -h option to certutil -L:
    certutil -L [-n cert-name] [-X] [-d certdir] [-P dbprefix] [-r] [-a]
    However, if I export it from the hardware token using pk12util then import it into the internal token, I can view the details:
    # pk12util -o xxx -d . -n [email protected]:Server-Cert  
    Enter Password or Pin for "NSS Certificate DB":
    Enter Password or Pin for "[email protected]":
    Enter password for PKCS12 file:
    Re-enter password:
    pk12util: PKCS12 EXPORT SUCCESSFUL
    # pk12util -i xxx -d $PWD
    Enter Password or Pin for "NSS Certificate DB":
    Enter password for PKCS12 file:
    pk12util: PKCS12 IMPORT SUCCESSFUL
    # certutil -L -d .   
    Network Solutions Certificate Authority - GTE Corporation    c,, 
    Server-Cert                                                  u,u,u
    # certutil -L -d . -n Server-Cert
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                28:f5:87:82:b0:65:ff:58:08:63:b5:0e:69:07:ea:6d
            Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
            Issuer: "CN=Network Solutions Certificate Authority,O=Network Solutio
                ns L.L.C.,C=US"
            Validity:
                Not Before: Fri May 19 00:00:00 2006
                Not After : Sat May 19 23:59:59 2007
            Subject: "CN=*.qisc.com,OU=Secure Link SSL Wildcard,O="Quixote Intern
                et Services & Consulting, Inc.",L=Chippewa Falls,ST=Wisconsin,C=U
                S"
            Subject Public Key Info:
                Public Key Algorithm: PKCS #1 RSA Encryption
                RSA Public Key:
                    Modulus:
                        c4:87:81:66:77:99:c5:8e:f1:59:ff:59:c6:38:63:5a:
                        46:31:8e:13:38:5e:2e:71:d7:22:38:5b:df:c4:47:e9:
                        d3:c3:ff:52:3a:5b:21:c1:b5:01:0a:ec:81:3d:80:b4:
                        39:74:6a:7d:39:63:e1:06:a4:f1:45:cf:43:8d:6a:79:
                        49:4e:d9:22:d2:8f:08:6e:23:87:e3:14:7f:aa:c7:8f:
                        df:d7:d0:e1:e0:7e:1c:d7:64:d0:43:94:19:06:7d:48:
                        82:6f:e3:e1:05:69:cc:42:67:9f:db:e5:c7:6e:11:7a:
                        10:94:6c:95:f0:1e:5c:36:93:37:09:ea:b4:0d:4e:6f
                    Exponent: 65537 (0x10001)
    (stuff deleted for brevity - let me know if you need to see all of this output)
    Hmmm...this is interesting...after importing the cert from the hardware token into the internal certificate database, it now shows up as "Server-Cert" in the RSA Certificates list of the SSL->Edit HTTP Listener admin page. So it only shows certs from the hardware token when they are Verisign certs, even though the NetSol certs work just fine when they are stored in the internal database. This is NOT a work-around, however, as this defeats the purpose of having the crypto accelerator.
    BTW, I also sent a note to NetSol's support people, and they had this thought:
    As we use an intermediate, that could be the reason why they are not listed.
    Without the intermediate it will not find a chain to the trusted root.
    We would recommend contacting the software provider for details on
    importing the intermediate into the application server.
    I have already tried importing their certificates into the internal token, but that had no effect on this problem. Do I need to import their intermediate certs into the hardware token, rather than the internal one? If so, how do I do that? Or do I need to install these intermediate certs in the admin server's internal database, rather than my server instance's database?
    On the assumption that these intermediate certs were needed in the admin server's internal database, I used certutil to load them to see if that would help:
    # certutil -A -n 'AddTrust External Root' -t 'CT,C,C' \
    -d . -a -i /tmp/certs/AddTrustExternalCARoot.crt
    # certutil -A -n 'UTN-USERFirst-Hardware - AddTrust AB' -t 'c,,' \
    -d . -a -i /tmp/certs/UTNAddTrustServer_CA.crt
    # certutil -A -n 'Network Solutions Certificate Authority - GTE Corporation' -t 'c,,' \
    -d . -a -i /tmp/certs/NetworkSolutions_CA.crt
    # certutil -L -d .                                                                                     
    Admin-Server-Cert                                            u,u,u
    Admin-Client-Cert                                            u,u,u
    AddTrust External Root                                       CT,C,C
    UTN-USERFirst-Hardware - AddTrust AB                         c,, 
    Network Solutions Certificate Authority - GTE Corporation    c,, 
    Admin-CA-Cert                                                CTu,u,u
    However, after stopping and restarting the admin server, I still do not see my token-resident certs in the admin interface.
    Let me know what you'd like to see next.
    Thanks,
    Bill

  • Two-Way SSL does not work until "Use Server Certs" is selected on client

    We have a web service application and a client application. Both applications are deployed in WebLogic 10.3. The web service application is secured by Two-Way SSL. When the client attempts to access the service, we got the following error logs on the server side:
    <Dec 8, 2009 3:25:42 PM EST> <Warning> <Security> <BEA-090508> <Certificate chain received from ... was incomplete.>
    CertPathTrustManagerUtils.certificateCallback: certPathValStype = 0
    CertPathTrustManagerUtils.certificateCallback: validateErr = 4
    CertPathTrustManagerUtils.certificateCallback: returning false because of built-in SSL validation errors
    We got the same error even if the WebLogic 10.3 domain on the client side uses the same identity and trust keystores as the server side.
    The problem was solved when we selected Environment -> Servers -> <server> -> SSL, expanded "Advanced" and selected "Use Server Certs". Could anyone tell me what "Use Server Certs" does to make the difference?
    Another question is how we can invoke this web service in a Java application since "Use Server Certs" solution only works for web application deployed in weblogic.

    "Use Server Certs" means that a client application running within Weblogic will use the WL managed server's identity certificate as its client certificate. Otherwise, the client application is responsible for selecting the keystore, and presenting the certificate as part of the handshake.
    This is a great feature in 9 & 10; client SSL was much more difficult in WL 8.
    If you are using a standalone client application to invoke anything over 2-way SSL, you are responsible for presenting the certificate. For instance, if you invoke the page from your browser, your browser can maintain client certificates and you'll get a popup to select which cert to use.
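
The question behind both of the posts above (the WS7 admin interface not offering the NetSol certificate, and WebLogic's BEA-090508 "certificate chain ... incomplete") is the same check: can a path be built from the end-entity certificate to a certificate the validating side already trusts, and does the peer send the intermediates that path needs? Added example, not code from either thread nor part of certutil or WebLogic: it models NSS database entries as nickname, subject, issuer and trust flags and walks the issuer links. The nicknames and trust flags are those from the `certutil -L` listings above; the DNs are abbreviated, and the issuer links of the two intermediates are assumed from the file names in the `certutil -A` commands.

```python
"""Chain building over NSS-style database entries.

Added example, not the threads' own code and not part of NSS. Nicknames and
trust flags mirror the certutil -L listings above; subject/issuer DNs are
abbreviated and the two intermediate issuer links are assumed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CertEntry:
    nickname: str
    subject: str
    issuer: str
    trust: str   # NSS "SSL,email,objsign" flags: C = trusted CA, c = valid CA, u = user cert


ROOT = CertEntry("AddTrust External Root", "CN=AddTrust External CA Root",
                 "CN=AddTrust External CA Root", "CT,C,C")
UTN = CertEntry("UTN-USERFirst-Hardware - AddTrust AB", "CN=UTN-USERFirst-Hardware",
                "CN=AddTrust External CA Root", "c,,")           # issuer assumed
NETSOL = CertEntry("Network Solutions Certificate Authority - GTE Corporation",
                   "CN=Network Solutions Certificate Authority",
                   "CN=UTN-USERFirst-Hardware", "c,,")          # issuer assumed
LEAF = CertEntry("Server-Cert", "CN=*.qisc.com",
                 "CN=Network Solutions Certificate Authority", "u,u,u")

DB_BEFORE_IMPORT = [NETSOL, LEAF]             # the first `certutil -L -d .` listing above
DB_AFTER_IMPORT = [ROOT, UTN, NETSOL, LEAF]   # after the three `certutil -A` commands


def ssl_trust(entry):
    """The SSL slot of the trust string, e.g. 'CT' from 'CT,C,C'."""
    return entry.trust.split(",")[0]


def build_chain(leaf_nickname, db):
    """Return (chain, error). chain is leaf-first; error is None only when the
    walk ends at a certificate carrying the C (trusted CA) flag for SSL."""
    by_subject = {e.subject: e for e in db}
    chain = [next(e for e in db if e.nickname == leaf_nickname)]
    seen = {chain[0].subject}
    while True:
        cur = chain[-1]
        if "C" in ssl_trust(cur):
            return chain, None
        if cur.subject == cur.issuer:
            return chain, f"{cur.nickname!r} is self-signed but not trusted for SSL (flags {cur.trust})"
        parent = by_subject.get(cur.issuer)
        if parent is None:
            return chain, f"issuer of {cur.nickname!r} is not in the database: {cur.issuer}"
        if parent.subject in seen:
            return chain, "issuer loop in the database"
        seen.add(parent.subject)
        chain.append(parent)


def certs_to_present(chain):
    """What a TLS peer should send in its Certificate message: the leaf and every
    intermediate, but not the trust anchor the other side is expected to hold."""
    return [c for c in chain if "C" not in ssl_trust(c)]


if __name__ == "__main__":
    for label, db in (("before import", DB_BEFORE_IMPORT), ("after import", DB_AFTER_IMPORT)):
        chain, err = build_chain("Server-Cert", db)
        print(label, "->", [c.nickname for c in chain], err or "complete")
    chain, _ = build_chain("Server-Cert", DB_AFTER_IMPORT)
    print("send:", [c.nickname for c in certs_to_present(chain)])
```

The "before import" walk stops at the Network Solutions CA because its issuer is absent, which is the situation NetSol support described. For the WebLogic case the list returned by `certs_to_present` is the point: a client that presents only its leaf forces the server to find the intermediates itself, and when the server's trust store holds only roots that is the "incomplete" warning.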

  • Is verisign cert "multi purpose"?

    If i get a certificate from thawte, I can get the multi-purpose authenticode cert, export it from IE, import it into netscape and be able to sign netscape objects as well as CAB files.
    Can I do the same thing with the verisign cert? Verisign doesn't talk about this on their website, but maybe they just want people to pay $800 instead of $400? Just curious if anyone has tried this. If you have tried it, let me know.
    (before anyone asks, yes, I would love to go with thawte, and have in the past, but my organization has recently made the decision that thawte is no longer an option, so I have to go with verisign)
    Thanks!
    Kirby

    To fully answer my own question,
    I got a verisign authenticode certificate, and was not able to export it in pk12 format that is necessary for netscape to be able to import it.
    I've got a verisign netscape cert on order that I am pretty sure will work for netscape and the java plugins/webstart, as has been mentioned.
    Re: my company's decision. With the disclaimer fully in effect that I'm not in a position of power and am just a programmer wanting a certificate and thus might not have all of the facts or even the correct facts on the issues at hand... From what I understood, thawte got quite a bit more restrictive on where the private key could be stored. From what I understand, the private keys would have to be stored in a central location for the entire organization which wasn't reasonable for our size of 5 - 10,000 as it would have caused undue hardship on the gatekeepers as well as people actually wanting something signed. Verisign apparently didn't have the same strictness.

  • Auth via client SSL cert problem

    Web server: iPlanet-WebServer-Enterprise/6.0SP2 B11/13/2001 00:49
    I am trying to set up ACLs to allow only certain clients access to the web server via client-side certificates.
    The LDAP entry does NOT have a "uid" attribute for the user's entry.
    Snooping shows me that the LDAP server is returning the correct LDAP entry. The web server says "get_auth_user_ssl: unable to map cert to LDAP entry. Reason: ldap entry is missing the 'uid' attribute value"
    The ACL file looks like:
    version 3.0;
    acl "default";
    authenticate (user, group) {
      prompt = "foobar";
      method = "ssl";
    };
    allow (read, list, execute, info) user = "*happy*";
    allow (write, delete) user = "all";
    The client cert CN looks like:
    CN=happy.fmr.com test happy.fmr.com, OU=B2B, OU=Applications, O=FMR Corp., C=US
    Any suggestions on how to allow only a user whose client CN contains a certain word? Also, is there any way to increase the debug level in the error logs? I know 6.1 can do more, but we are limited to using 6.0.
    Thanks
    Ashish

    Hi Faisal -- thanks for your reply. We had an offline chat where you said:
    >>>>>>>>
    These are the steps that you can follow:
    Configure Weblogic Server for 2-way SSL
    mydomain> Servers> myserver>Keystores & SSL > Advanced Options
    Hostname Verification: None
    Two Way Client Cert Behavior: Client Certs Requested but not enforced
    mydomain> Domain Wide Security Settings> Realms> myrealm> Authentication Providers> DefaultIdentityAsserter
    Trusted Client Principals: provide CN of the Client Certificate
    Types: X509
    Details:
    Use Default User Name Mapper: Checked
    Default User Name Mapper Attribute Type: CN
    Base64Decoding Required: Checked
    Go to the security realm and create a user with the username as the CN of the certificate.
    Don't forget to import the client cert's root CA into the trust store of WLS.
    If you still face issues, enable SSL Debug, securityATN debug and mail me the log file.
    <<<<<<
    I think there are a few minor config differences and I may have a different version of WLS to you -- the DefaultIdentityAsserter did not contain some of the fields you refer to. Instead I have an LDAPX509IdentityAsserter at the top of the Providers list, and I have made the changes there. My Providers list is:
    - LDAPX509IdentityAsserter
    - ActiveDirectory
    - DefaultAuthenticator
    - DefaultIdentityAsserter
    I suspect you might be thinking I don't have two-way SSL working at all, but I do, and that's not my question. I can successfully validate a client based on an SSL certificate, so all the trust stores etc. are correct. My question is what happens when there is no client certificate presented by the client -- I want it to fall through to Basic authentication. The ActiveDirectory provider has a Control Flag="SUFFICIENT" setting and I was expecting the X.509 one to have a similar flag, but it doesn't. What controls whether the X.509 provider is REQUIRED/REQUISITE/SUFFICIENT/OPTIONAL in the chain, like the Active Directory one?
    Thanks for your time.
    -- Ben.

  • Zebra QL420 Printer using PEAP (Verisign Certs)

    Hi,
    Has anybody been able to successfully get a Zebra QL420 Plus printer connected to Cisco LWAPP/CAPWAP APs?
    We are using WPA2 - PEAP with Verisign Signed Server Certificate.

    Yes, I have the QL420+ printers working with a 5508 WLC, 3502E CAPWAP APs and PEAP.
    Fotis - You will most likely find the reason for the slow ping response is down to the setting for "Power Mode". You likely have it set to "best". This setting controls how long the device "sleeps" before it awakens and downloads queued traffic from an AP. Setting it to "off" will put the device into CAM (Constantly Awake Mode). This means that the device never switches its radio card off and never allows traffic to be queued on an AP. However, this will mean that the drain on the device's battery will be much greater. I believe there is a sliding scale of settings for this device that go in order of highest battery drain as follows:
    Best
    1
    2
    3
    4
    off
    Off will give you the best performance with maximum battery drain. Play with the settings and see which gives the best performance/battery drain balance.
    Regards
    Simon

  • Verisign CERT Root Change

    Verisign, as of Oct. 10th, has changed the root CA they sign CERTS with. Our 802.1x supplicants are configured to trust only the older Class 3 Public Primary root that is part of Windows. Is there any way to configure the ACS box to support the older root, as reconfiguring all the supplicants is a non-trivial task? I wondered if there was a way to create a self-signed CERT to act as the root? Has anyone had this problem? Thanks

    Bruce,
    ACS can generate a self-signed certificate, but this will only work when clients do not validate the server certificate. If validation is required in your setup, then a self-signed cert won't help.
    If installing a cert on each client is feasible, or if they are configured not to validate the server cert, then your current setup will work fine.
    Regards,
    ~JG
    Do rate helpful posts
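
Three of the threads above turn on the same handshake mechanics: a standalone client has to present its own certificate in 2-way SSL, a server set to "requested but not enforced" has to decide what to do when no certificate arrives (Ben's fall-through to Basic auth), and a client that trusts only the old Verisign root rejects a server certificate that now chains to the new one. The Go program below is an added example, not code from any of the posts nor from ACS, WebLogic or iPlanet: it mints a throwaway PKI in memory and plays each case over a loopback TCP handshake. Go's tls.VerifyClientCertIfGiven stands in for WebLogic's "Client Certs Requested but not enforced" mode, and the CA names, the server name "radius.example.test" and the client CN "happy" (borrowed from Ashish's ACL) are assumptions made up for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must panics on error; in this demo the only failure paths are RNG or socket setup.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a self-signed root CA when parent is nil, otherwise a leaf signed by
// parent. Leaves carry a 127.0.0.1 SAN so loopback hostname checking passes.
func issue(cn string, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent.Leaf, parent.PrivateKey
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1)}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// handshake runs one TLS handshake over loopback TCP. The server requests but does not
// require a client certificate and checks any it gets against clientCAs; the client
// trusts rootCAs and offers client when non-nil. It returns the CN the server would
// assert, "" when nothing was presented, or the error if either side rejected its peer.
func handshake(server tls.Certificate, clientCAs, rootCAs *x509.CertPool, client *tls.Certificate) (string, error) {
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.VerifyClientCertIfGiven, // "requested but not enforced"
		ClientCAs:    clientCAs,
	}
	cliCfg := &tls.Config{RootCAs: rootCAs, ServerName: "127.0.0.1"}
	if client != nil {
		cliCfg.Certificates = []tls.Certificate{*client}
	}
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	cerr := make(chan error, 1)
	go func() { // client side of the connection
		raw := must(net.Dial("tcp", ln.Addr().String()))
		defer raw.Close()
		cerr <- tls.Client(raw, cliCfg).Handshake()
	}()
	raw := must(ln.Accept())
	defer raw.Close()
	srv := tls.Server(raw, srvCfg)
	serr := srv.Handshake()
	if cliErr := <-cerr; cliErr != nil || serr != nil { // e.g. client trusts only the old root, or server rejects the client cert
		return "", fmt.Errorf("client: %v; server: %v", cliErr, serr)
	}
	if peers := srv.ConnectionState().PeerCertificates; len(peers) > 0 {
		return peers[0].Subject.CommonName, nil // trusted client cert: its CN is the asserted user
	}
	return "", nil // nothing presented: this is where a server falls through to Basic auth
}

// RunScenarios plays the three cases above: CN asserted from a trusted client cert, the
// identity when none is offered ("" => Basic auth), and the error after a root change.
func RunScenarios() (assertedCN, noCertIdentity string, rootChangeErr, err error) {
	oldRoot, newRoot := issue("Old Root CA", nil), issue("New Root CA", nil) // assumed names
	server, reissued := issue("radius.example.test", &oldRoot), issue("radius.example.test", &newRoot)
	client := issue("happy", &oldRoot) // CN borrowed from the ACL thread above
	trustOld := x509.NewCertPool()     // the only root the deployed clients know
	trustOld.AddCert(oldRoot.Leaf)
	if assertedCN, err = handshake(server, trustOld, trustOld, &client); err != nil {
		return
	}
	if noCertIdentity, err = handshake(server, trustOld, trustOld, nil); err != nil {
		return
	}
	_, rootChangeErr = handshake(reissued, trustOld, trustOld, nil) // new root, old trust store
	return
}

func main() {
	fmt.Println(RunScenarios())
}
```

Run it with `go run`; the first handshake asserts "happy", the second yields an empty identity, and the third fails on the client side with an unknown-authority error even though the server itself is perfectly happy with its new certificate. One caveat for anyone relying on the fall-through: a TLS client only offers a certificate whose issuer appears in the CA list the server advertises in its CertificateRequest (Go checks this in CertificateRequestInfo.SupportsCertificate), so a client holding a cert from a CA the server does not trust looks to the server exactly like a client holding none and quietly lands in the Basic-auth path instead of being rejected. The third case is also why JG's point above holds: once supplicants validate the server, what the server presents matters less than what the client's trust store contains.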

  • ACS 3.3.4 with Linux client

    I've got some problems with a Linux wireless network connection. NetworkManager is installed on the Linux laptop. PEAP profile is created.
    When the default Character String in ACS points to "Self" or its own IP address, the Linux client can authenticate and successfully log in to the wireless network.
    When the default "Character String" is set to an extended RADIUS server, the client cannot log in anymore. I created a new "Character String" that contains the @domain.local suffix. It is not working. Same problem for a Nokia (Symbian) cellphone.
    What can it be ?

    ACS 3.0(4) is only supported on Windows 2000/NT and not 2003

  • PEAP: Enforce that client must verify server certificate

    Hi,
    I have PEAP set up with a server certificate. The ACS server is used for RADIUS authentication and Cisco 1240 series wireless access points are used with WPA2/AES. In my setup, clients work fine with or without server certificate verification. How could I enforce that the client must verify the server certificate, otherwise the wireless is not authenticated?
    Regards

    You could do that with an Active Directory policy or something like that. There isn't anything on the AP or RADIUS server that can be done.

  • ACS v4.1 PEAP and MAC Address Validation

    I would like to authenticate to an ACS server via 802.1x (PEAP) and also validate the MAC address of the user. Can both of these be done? I have 802.1x (PEAP) working to the ACS and Active Directory, but now I would like to add the MAC addresses of the laptops. Can I use Network Access Profiles and add the MAC address under MAC-Authentication bypass?
    Your assistance is appreciated.

    I seem to have figured my way out of this. The reason for the short dot1x timer is that we are using MAB to authenticate the client MAC, so we actually WANT the dot1x authentication to timeout as quickly as possible for the secondary (MAB) authentication to execute.
    I'm also suffering from the age-old problem of interpreting the logic of a config originally implemented by someone else. I'm wondering if all the dot1x commands we have are actually necessary in our situation.
    What I have found when comparing new switches to old is that on the 3750s, show authentication sessions for an interface only shows mab as a runnable method, while on the 3850s it lists dot1x, mab and webauth (in that order). Using authentication order mab and authentication priority mab on an interface of the 3850 seems to do the trick. With debug mab turned on you can see the mab authentication working and the switch then allows the interface to pass traffic. Just as importantly, it blocks the port if I try using a client whose MAC is not in the ACS database.
    Appreciate your help.
