Certificate issues in ACS 4.0 for Windows

Hi,
One of the ACS is configured as a CA using a third party certificate, but the server certificate on ACS was self generated and has expired.
I tried using the same third party certificate to replace the existing expired server certificate on ACS, both by generating a CSR on ACS and by installing a new certificate using the local storage and read from file options, but failed. It gives the following error while using the CSR generated private key:
"private key doesnt fit for this certificate"
Next, assuming that the installed third party certificate with its own private key can be used, installing the certificate from storage gives the following error:
"Cannot get the private key from certificate. It's absent or not marked as exportable"
Again assuming that third party certificate has multi server/seat licences.
Any solution to this issue will be of great help.
Thanks
Regards,
Ahmed

Re-installing the certificate may resolve this issue.
Install CA Certificate on your Appliance
===============================
A. Go to System Configuration > ACS Certificate Setup > ACS Certification Authority Setup
B. Click "Download CA certificate file"
C. Type the IP address or hostname of the FTP server in the FTP Server field
D. Type a valid username that Cisco Secure ACS can use to access the FTP server in the Login field
E. Type the above user's password in the Password field
F. Type the relative path from the FTP server root directory to the directory containing the CA certificate file in the Remote FTP Directory field
G. Type the name of the CA certificate file in the Remote FTP File Name field
H. Click Submit
I. Verify the filename in the field and click Submit
J. Restart the ACS services in System Configuration > Service Control
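
The first error quoted in the question ("private key doesnt fit for this certificate") is the kind of failure you get when the public key inside the certificate is not the public half of the key being offered. The script below is an added example, not part of the original thread or of ACS: it compares the two with the openssl CLI before an import is attempted. It assumes PEM files; the file names and the `acs.example.test` subject are constructed samples.

```shell
#!/bin/sh
# Added example: does a private key belong to a certificate?
# Requires the openssl CLI. All file names are constructed samples.

# Print the certificate's public key (PEM SubjectPublicKeyInfo); empty on failure.
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null |
        openssl pkey -pubin -pubout 2>/dev/null
}

# Print the public half of a private key; empty on failure.
# $2 is an openssl pass-phrase source (default: empty pass phrase), so an
# encrypted key fails cleanly instead of blocking on a prompt.
key_pubkey() {
    openssl pkey -in "$1" -passin "${2:-pass:}" -pubout 2>/dev/null
}

# Echo one of: match | mismatch | unreadable-cert | unreadable-key
check_pair() {
    cp_cert=$(cert_pubkey "$1")
    [ -n "$cp_cert" ] || { echo unreadable-cert; return 0; }
    cp_key=$(key_pubkey "$2" "${3:-}")
    [ -n "$cp_key" ] || { echo unreadable-key; return 0; }
    if [ "$cp_cert" = "$cp_key" ]; then echo match; else echo mismatch; fi
}

# Echo one of: valid | expired | unreadable-cert
# (-checkend 0 asks whether the certificate has already passed notAfter.)
cert_validity() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 ||
        { echo unreadable-cert; return 0; }
    if openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo valid
    else
        echo expired
    fi
}

# Build constructed test material in directory $1: a self-signed certificate
# with its own key (server.crt / server.key) and an unrelated key (other.key).
make_samples() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=acs.example.test" \
        -keyout "$1/server.key" -out "$1/server.crt" >/dev/null 2>&1 &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.key" >/dev/null 2>&1
}

# Demonstration on the constructed samples.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
echo "server.crt validity:     $(cert_validity "$demo_dir/server.crt")"
echo "server.crt + server.key: $(check_pair "$demo_dir/server.crt" "$demo_dir/server.key")"
echo "server.crt + other.key:  $(check_pair "$demo_dir/server.crt" "$demo_dir/other.key")"
rm -rf "$demo_dir"
```

A `mismatch` result means the certificate was issued for a different CSR or key pair than the one being paired with it. The second error in the question concerns a key held in the Windows certificate store, which this file-based check does not cover.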

Similar Messages

  • CA and Certificate Issue in ACS 4.0 For Windows 2003 Enterprise Server

    Hi,
    I have configured Microsoft CA server on the same ACS 4.0 for Windows 2003 enterprise server which was configured earlier using the self generated certificates for EAP and PEAP authentications.
    After I changed the certificate from self generated to the new CA certificate, which can be viewed under the install ACS certificate option on the ACS server, I am having the following problems:
    1. SSL is not functioning when accessing the ACS server from an internet browser; it goes through http instead of https.
    2. Wireless clients are authenticated successfully even after the certificate is uninstalled.
    Any help on these problems will be appreciated.
    Thanks
    Best Regards,
    Ahmed

    Hi Rohit,
    Thanks for reminding the HTTPS option under Administration Control on ACS.
    I have some doubts pertaining to the installation of certificates on wireless clients. It is optional for self generated certificates, but what about the case of Microsoft CA? I tested wireless client authentications even after removing the certificate from the Microsoft supplicant on Windows XP SP2 with the patch KB885453 for PEAP installed. How does the certificate on the wireless client work?
    Is it mandatory or optional to keep the certificate on wireless clients, as they were able to get authenticated through ACS after removing the certificate?
    Thanks
    Best Regards,
    Ahmed

  • CA certificate issue in ACS 4.0 for Windows

    Hi,
    How to generate a lost private key .pvk file on ACS which is also configured as CA server? I would like to register all the available ACS servers to the CA server using the same certificate from the CA server. I need a stepwise procedure for obtaining a certificate from the ACS CA server.
    Your kind response will be of great help.
    Thanks in advance
    Best Regards,
    Ahmed

    Windows Server 2003 with SP1, Enterprise Edition, is used so that auto-enrollment of user and workstation certificates for EAP-TLS authentication can be configured. This is described in the EAP-TLS Authentication section of this document. Certificate auto-enrollment and auto-renewal make it easier to deploy certificates and improve security by automatically expiring and renewing certificates.

  • Self Generated certificate validity issue in ACS 4.0 for Windows

    Hi,
    Is there any solution to extend the validity time of self generated certificate on ACS, by default the validity is set for one year.
    As the server certificate on one of the ACS which is CA has expired and need to renew it.
    Is it possible only one certificate from third party can be used both as a server certificate and certificate from CA for other ACS servers.
    Thanks in Advance
    Regards,
    Ahmed

    Another solution would be to create an in-house (Microsoft probably) CA, and get a certificate for your ACS server. Go through the installation steps of Microsoft CA beforehand, as the validity date for the server certificate (I guess) is configured during the initial install of the CA.
    Regards,
    Prem

  • Directory Caching issue with Cisco Jabber client for Windows

    Hi ,
    I am facing cache issue with Cisco Jabber client for Windows. If I do any change related to modification or deletion of contacts in Active Directory/ Callmanager, it does not reflect in the Jabber. Because jabber takes the contacts from the locally stored cache file in the Windows system.
    Every time I have to remove the cache file to overcome this issue, and practically it's not possible to do the same for all the Windows users. If any employee leaves the company, I can still see his contact appear in the "Cisco Jabber client". I have not seen this issue with Android/Apple iOS.
    Is there any automated way to remove the cache file? 
    Here is the detail of CUCM,Presence and Jabber.
    CUCM version: 9.1.x
    Presence          : 9.1.X
    Jabber              : 10.5 and 10.6

    Hello
    On our environment we had to install a dedicated Microsoft Certificate Authority "just for Cisco Jabber usage" to house the
    Network Device Enrollment Service.
    Our certificate for the CUPS were generated on this Certification Authority too.
    I discussed this certificate matter with my colleagues this afternoon and nobody seems to remember how these certificates were deployed into the
    Enterprise Trust store for the users.
    But I think they asked all 400 users to accept the 3 certificates by answering "yes" to the popup instead of using a script deployed by GPO...
    I wish you success with that deployment and really hope you have a technical partner that *Knows* this subject.
    Our partner left us alone with that unfortunately.
    Florent
    EDIT: If the "Certutil script method" works, please let me know. This could be useful in our own deployment.

  • ACS 3.2 for Windows and MS Windows AD Directory Integration Problem

    Dear all,
    We have some issues while integrating Windows AD with ACS 3.2 for Windows. Currently we have done the following:
    1. Installed ACS 3.2 for Windows on Windows 2003 Enterprise with SP1
    2. ACS and Domain Controller are configured on the same server
    Checked and verified the following configurations
    1. created a domain user "csacs" selected Act as a part of operating system and log on as a service enabled for this user.
    2. Enabled all the CS services to log on as a user csacs.
    But I noticed the CS services are not responding and give the error "Could not able to start the service with service specific error ..." while trying to start services manually on ACS.
    Kindly help me through this integration part
    An easy and handy Step wise procedure on configuring integration of AD with ACS 3.2 on both Domain Controller and on Member server will be of great help.
    Thanks
    Kind Regards,
    Ahmed

    I have no issues running Cisco ACS version 3.2 on Windows
    Server 2003 with SP2:
    1) create user test1 in MS Active Directory and put test1
    in users group with dial-in access granted,
    2) Create a group called "LDAP". Actually I renamed
    group name "group 1" to "LDAP".
    3) in ACS external user database configuration, I specified
    domain "CCIE" as for this. unknown user policy is to use
    Windows Database configuration,
    4) Configure the database configuration in ACS to point
    to "CCIE" windows domain,
    5) setup the ACS to authenticate one of your Cisco devices
    and log in using the MS windows account,
    By the way, mgurwara, you are wrong. I run Cisco
    ACS 3.2 on windows 2003 Enterprise Edition with Service
    Pack 2. I am running it on a Dell Optiplex Gx240
    (1.7 GHz with 512MB of RAM) and it is running fine.
    I use it to manage about 20 cisco devices and
    about 200 Wireless LEAP user(s). Furthermore, I am also
    running ACS 4.1 on another identical hardware. It has
    nothing to do with the hardware. I don't know where
    you get that information from.

  • CiscoSecure ACS v2.4 for Windows NT Upgrade

    We still have two ancient instances of CiscoSecure ACS v2.4 for Windows NT running on our network. ACS1 (primary) and ACS2 (secondary). I would like to upgrade these, not only because of how old they are but because of an issue trying to replicate the user and group database from ACS1 to ACS2. When trying to replicate the user and group database the logs say it's successful but the databases don't match. ACS2 is missing some of the users that are in ACS1. I have successfully replicated the interface database. But for whatever reason, the user and group database will not replicate.
    First, is there any other way I can get the user and group database copied from ACS1 to ACS2? Other than using the built in database replication tool?
    Second, is there any way I can get these upgraded? I read that the recommended upgrade path is 2.4->2.6->3.0->3.2. But Cisco no longer has version 2.6 available for download. I really would like to upgrade rather than starting from scratch.
    Thanks!

    ACS 2.4 - wow! That hasn't been sold for over 11 years. (reference)
    Think about it - would you want to try to upgrade Windows 98 to Windows 7? That's about an equivalent span of software product timeline.
    The current product is so different that even if you could upgrade it would not be advisable to do so. While painful, it would be a much better option to make a clean break with the old and move onto a current platform (e.g. ACS 5.3).

  • HT1926 iTunes will not install on my computer (Windows 8) and i tried everything in "Issues installing iTunes or QuickTime for Windows" but nothing worked. any help?

    iTunes will not install on my computer (Windows 8) and i tried everything in "Issues installing iTunes or QuickTime for Windows" but nothing worked. any help?

    Many thanks.
    Error 7 (Windows error 127)
    Try the following user tip:
    Troubleshooting issues with iTunes for Windows updates

  • Advice for Buying Cisco Secure ACS 3.3 for Windows

    Just need advice on what other things I NEED to order apart from the Windows server when I want to implement ACS and I want to use CISCO SECURE ACS 3.3 FOR WINDOWS
    Hope someone will help

    Hi,
    This is all what you require:
    Supported Operating System
    Cisco Secure ACS for Windows Servers 3.3 supports the Windows operating systems listed below. Both the operating system and the service pack must be English-language versions.
    •Windows 2000 Server, with Service Pack 4 installed
    •Windows 2000 Advanced Server, with the following conditions:
    –with Service Pack 4 installed
    –without features specific to Windows 2000 Advanced Server enabled
    •Windows Server 2003, Enterprise Edition
    •Windows Server 2003, Standard Edition
    Note The following restrictions apply to support for Microsoft Windows operating systems:
    •We have not tested and cannot support the multi-processor feature of any supported operating system.
    •We cannot support Microsoft clustering service on any supported operating system.
    •Windows 2000 Datacenter Server is not a supported operating system.
    Please refer to the following link for more information:
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/win33sdt.htm
    Thanx & Regards

  • Delete proxy config on Cisco Secure ACS 4.1 for Windows ?

    We have a pair of ACS 4.1 servers (Windows Server 2003 R2). Let's call them ACS1 and ACS2.
    We don't want either one of them to proxy to any AAA server, including each other. We're using mostly TACACS authentication.
    While troubleshooting a general problem, I'm guessing that one of us did this on ACS1:
    pressed the Network Configuration button,
    saw the Proxy Distribution Table
    clicked (Default)
    moved ACS1 from the AAA Servers column to the Forward To column.
    So, essentially, we're telling ACS1 to proxy all requests to itself, which doesn't seem to make sense. I don't know for sure whether it should work when configured to "self proxy," but in that state, it does not authenticate anyone and gives merely "Internal error" as the reason.
    If I change the configuration so that "ACS2" appears in the Forward To column, and I move "ACS1" back to AAA Servers and restart, ACS1 starts responding correctly to TACACS requests. Of course, ACS1 is just proxying all requests to ACS2, so having two servers isn't doing much good.
    I cannot simply remove ACS1 from the Forward To column and leave it empty. The interface complains that it can't forward to zero servers. Of course, on ACS2, there are no servers in the Forward To column, since we never touched the Proxy Distribution Table there.
    Is there any way to return the Proxy Distribution Table to its default setup, that is, no servers appear in the "Forward To" column?
    We're planning to upgrade to version 4.2 very soon, so this question is mostly academic, unless the same problem exists in 4.2.
    For full disclosure, I should mention that the problem we were troubleshooting was loss of connectivity to our Windows Domain Controllers from our ACS servers. We had missed adding some exceptions in our firewalls to allow for four new DCs. As far as we can tell from testing, connectivity to the DCs is now fine. The firewall rules group ACS1 and ACS2 together, so connectivity should be the same, and ACS2 authenticates users correctly.

    Hello Jeffrey,
    By default the ACS 4.x Proxy Distribution Settings should have the ACS entry for itself on the Forward To box. Your ACS1 entry should be on the Forward To box.
    The Internal Error message on the ACS should be highlighting a different issue on your ACS1. Also, the message stating that we cannot have zero servers on the "Forward To" box is expected.
    Set your ACS1 for Full Logging Detail (System Configuration > Service Control) and configure the ACS1 entry under the Forward To box. Recreate the authentication issue and collect a package.cab file. If you have an ACS for Windows, under the ACS Installation folder look for the CSAuth folder > Logs and share the auth.log file with a failure timestamp for us to review the ACS logs when failing with Internal Error.
    If this was helpful please rate.
    Regards.

  • User-changeable Passwords issue f/ ACS 4.0 on Windows Server 2003

    I am having an issue with the UCP website not functioning correctly. I have installed it from the ACS 4.0 CD, following the instructions from the Cisco.com website, but cannot get past the Login page. Users can get to the Login page, but after they enter their information (username / password) and click Login, the server returns the following error page: "CGI Error. The apecified CGI application misbehaved by not returning a complete set of HTTP headers."
    I cannot get past this page. I have verified that the website is installed as outlined in the Cisco procedure, and have re-installed twice to verify. I have granted Everyone Write and Execute permissions to the site directories, and granted the Virtual Directories Script and Executable access.
    Any help on this would be greatly appreciated. I am evaluating ACS 4.0 for deployment in our company, and UCP not working is a major stumbling block.
    Additional configuration information:
    Windows Server 2003 SP1, patched current to 8/29/06
    The ACS server is also running on this server; it was installed and tested first, before installing UCP.
    Thanks,
    John

    Change the user that runs CSusercgi.exe to Administrator. Refer to the following steps:
    1. Install UCP 4 on a machine that runs IIS server.
    2. Open IIS manager.
    3. Locate Default Web Site.
    4. Double click on the virtual name 'securecgi-bin'.
    5. Right click on CSusercgi.exe and choose Properties.
    6. Choose the 'File Security' tab.
    7. Choose 'Edit' in the 'Authentication and access control' area.
    8. Change username from IUSR_ to 'Administrator' and enter his password.

  • ACS 4.2 For Windows DB Replication

    Hi Folks.
    I have a pair of ACS for Windows 4.2 and we also have a few mappings (ACS Group --> AD Group)
    The replication process was configured and it replicates all the settings, but the Group Mappings.
    Is this the way it's supposed to be or it should replicate the group mappings as well?
    Best regards,
    AL

    The following items cannot be replicated:
    •IP pool definitions (for more information, see About IP Pools Server).
    •ACS certificate and private key files.
    •Unknown user group mapping configuration.
    •Dynamically-mapped users.
    •Settings on the ACS Service Management page in the System Configuration section.
    •RDBMS Synchronization settings.
    User guide
    http://www.ciscosystems.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCAdv.html#wp756078
    Regards,
    Jatin
    Do rate helpful posts-

  • IPhone 4 AirPrint printing issue (AirPrint Installer 1.3 for Windows)

    I have been trying to get AirPrint working on my iPhone 4 (CDMA/Verizon) for a while now without success
    I know that the AirPrint feature is designed to work with AirPrint compatible HP WiFi printers (as Apple dropped support for OS X), though I have no plans on buying a new printer when I have 2 perfectly fine printers shared on the network, let alone one specifically designed to work with AirPrint
    I have tried out AirPrint Installer 1.3 for Windows (running on WinXP MCE 2005), but can't seem to get it to work properly
    After installing AirPrint Installer, I was able to see one printer from the iPhone (from a laser printer shared from another computer on the network), and was able to send a print command from the iPhone to the XP MCE computer, but I kept getting "Error-Printing" from the print queue (on XP MCE)
    After sharing a printer connected locally (via USB), I was able to print from my iPhone once successfully, but nothing from the iPhone would show up in the queue on XP MCE since
    Since then I have also shared the Microsoft XPS Document Writer (saves "printed" documents to an XPS file) as a way to tinker around with AirPrint without wasting paper, ink, and/or toner, and was unable to print from it
    Now whenever I attempt to print from my iPhone, I have the option of 3 printers, the shared laser on a different computer on the network, the local inkjet via USB, and the Microsoft XPS Document Writer, selecting any of them will then give me a message with an image of a piece of dog-eared paper saying "Printing to "<Printer Name>" Sending to Printer" as if it's about to print, but there is no change on XP MCE, the print queue shows nothing, and nothing prints and I don't get a popup asking where I would like to save (when using the XPS Document Writer), yet I can print fine from the computer itself
    Also, I have noticed that after a while, the printers will disappear from the list (on the iPhone) one by one, and I have to constantly uninstall and reinstall AirPrint Installer, only for it to not work again
    Am I doing something wrong? I have updated iTunes, I don't have a software firewall, and I am pretty sure I have installed AirPrint Installer 1.3 correctly
    I have also tried using AirPrint Activator and AirPrint Hacktivator on my MBA, but I only have Leopard on it (haven't upgraded to Snow Leopard yet, and may not for a while), so AirPrint Hacktivator will close unexpectedly (constantly), and AirPrint Activator gives me an error saying I need at least Snow Leopard, so I would really appreciate it if I could get AirPrint Installer 1.3 to work

    I have been having exactly the same problem as Mike's original problem as well as this problem. Originally, I couldn't get the iPhone to see all my shared printers. I have an Epson RX580 ink jet all in one printer and an HP P1006 laser jet printer. They are both shared printers. Both are able to be printed to from other wired and wireless computers in my network. They are both showing as ready when I look at them in the printer/fax window.
    I'm using Windows XP SP3 with all the latest updates. I originally downloaded a German version of this AirPrint Installer 1.3. It didn't have all the bells this version does. After downloading this version of AirPrint Installer 1.3, my Verizon iPhone 4 with 4.2 OS could see the printers on my network.
    When I try to print an email or picture, it takes me to the screen on the iPhone to choose the printer I want to use. When I choose either printer and click the "Print" button, it takes me to a screen that says "Communicating with Printer" with an image of a page of paper with the edge turned down. After about 30-45 seconds the screen reverts back to the email or picture. After another minute or so, a message will pop up saying that the printer is offline with one button that says cancel and another button that says continue.
    If I look at the print queue for the printers, there is nothing in the queue, but when I highlight the printer in the printer/fax window some extra options become available that aren't there if there are really no jobs in the queue. One of the options on the left is the option to cancel all print jobs. When I click this, the computer looks like it does something because the screen kind of flickers and then the option disappears.
    I would really like to be able to print pic's straight from my iphone and would love to get this working. Would really appreciate any help with this issue.

  • ACS SE setup for windows authentication

    Dear All,
    I'm trying to install an ACS Solution Engine in my network for access control (AAA). I succeeded in setting up authentication using the internal database and that works fine. Now my boss wants users to be authenticated through an external database (Windows AD). I tried achieving this but kept getting different errors (like EAP-TLS or PEAP authentication failed during SSL handshake) or (Authen session timed out: Challenge not provided by client).
    Please I need someone who has done this setup successfully before to give Me a step by step procedure on how I can setup ACS SE for windows authentication using My domain windows authentication.
    Thanks

    Hi,
    Check out the below link on your query. Hope that helps!
    https://supportforums.cisco.com/docs/DOC-5542
    If helpful do rate
    Ganesh.H

  • ACS 5.1 for Windows VM Ware

    Hello,
    Please help me...
    I want to know can we install ACS 5.1 in Windows VM Ware machine. I have downloaded it but it is giving me the option of installation in Linux.
    Please suggest.

    Ravi,
    This release of ACS 5.1 provides new architecture and functionality on a standard Cisco Linux-based. We would be requiring a new box all together for 5.0.
    Installing ACS on VMware virtual machine
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/installation/guide/csacs_vmware.pdf
    ACS 5.1 doesn't support windows OS.
    HTH
    JK
    -Do rate helpful posts-
