Certificate on ACS

Hello folks,
Wi-Fi users are authenticated via single sign-on on MS AD using ACS (802.1X).
Question is: is it mandatory to generate a certificate on the ACS and then export it to the controller in order to let the authentication work?

Hi Ibrahim,
How are you?
First, what 802.1X EAP type are you using? What ACS revision are you on?
I will assume PEAP.
1) An ACS cert is required. You have 2 options for a certificate.
     a. You can do a self-generated certificate which is created on and by the ACS server. This cert lasts 12 months from the time you create it. Here is further reading on the ACS self cert.
     Personally, I'm not a fan of the self-signed ACS certificate. Because if you validate the cert on the client you will need to push this cert to each client. I will explain that later.
Self-signed Certificate Setup (only if you do not use an external CA)
Note: When you test in the lab with self-signed certificates, it results in a longer authentication time the first time a client authenticates with the Microsoft supplicant. All subsequent authentications are fine.
Complete these steps:
On the Cisco Secure ACS server, click System Configuration.
Click ACS Certificate Setup.
Click Generate Self-signed Certificate.
Type something into the Certificate subject field preceded by cn=, for example, cn=ACS33.
Type the full path and name of the certificate that you want to create, for example, c:\acscert\acs33.cer.
Type the full path and name of the private key file that you want to create, for example, c:\acscert\acs33.pvk.
Enter and confirm the private key password.
Choose 1024 from the key length drop-down menu.
Note: While Cisco Secure ACS can generate key sizes greater than 1024, the use of a key larger than 1024 does not work with PEAP. Authentication might appear to pass in ACS, but the client hangs while authentication is attempted.
Check Install generated certificate.
Click Submit.
     b. You can get a CA-signed certificate. If you are using 4.x ACS you can generate what is called a CSR (Certificate Signing Request). You then send the CSR to a CA and they generate a cert for you.
Here is a link to read up on the CA certificate.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080545a29.shtml#t14
How and where to install the certs and how it works...
1) The cert is installed on the ACS server and on the client IF a) you are validating the cert on the client and b) you are using an ACS self-signed cert.
So the ACS server has a cert installed on it. This cert is used to build a secure tunnel between the ACS server and the wireless client, so that when the wireless client passes its credentials they cannot be seen, as they are passed in the tunnel created by the certificate (think HTTPS).
When a wireless client connects, the WLC / WLAN is configured with 802.1X, so the WLC passes all the authentication traffic directly to the ACS. So the WLC DOESN'T NEED TO KNOW ABOUT THE CERT. This chatter is just between the ACS and the wireless client, and the WLC acts as the middle man.
So the wireless client connects. The ACS server sends the cert (the one you added) to the wireless client. The wireless client has 2 configurable options: 1) Validate the certificate 2) Not validate the certificate. If you validate the certificate then that cert needs to be on the client, because the client is going to look at the cert presented by the ACS server and see if it has it in its root store, thus validating it. Or you can not validate it. If you don't validate it, it's a BIG security boo boo.
Make sense?
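To make the validation rule in this reply concrete, here is an added lab script (not from the thread, and not Cisco's) that builds a self-signed ACS cert with the settings listed above (cn=ACS33, 1024-bit key, 12 months) and a CA-signed one from a hypothetical lab root CA, then checks each against different client root stores; openssl verify stands in for the supplicant's "validate server certificate" lookup, and the same run illustrates the two PEAP scenarios in the ACS 4.2 RADIUS reply further down. Requires the openssl command-line tool.

```shell
#!/bin/sh
# Constructed lab, not from the thread: the two kinds of ACS cert the reply
# describes, checked the way a supplicant with "Validate server certificate"
# checks them (openssl verify stands in for the client's root-store lookup).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# a) Self-signed ACS cert as the "Generate Self-signed Certificate" page makes
#    it: subject cn=ACS33, 1024-bit key (the PEAP limit), 12 months validity.
openssl req -x509 -newkey rsa:1024 -nodes -sha256 -days 365 -subj "/CN=ACS33" \
  -keyout "$WORK/acs33.pvk" -out "$WORK/acs33.cer" 2>/dev/null

# b) CA-signed ACS cert: a hypothetical lab root CA (standing in for a
#    Microsoft or public CA) signs a CSR generated for the ACS host name.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1825 \
  -subj "/CN=Lab Root CA" -keyout "$WORK/ca.key" -out "$WORK/ca.cer" 2>/dev/null
openssl req -new -newkey rsa:1024 -nodes -sha256 -subj "/CN=acs.lab.example" \
  -keyout "$WORK/acs-ca.key" -out "$WORK/acs.csr" 2>/dev/null
openssl x509 -req -in "$WORK/acs.csr" -CA "$WORK/ca.cer" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -sha256 -out "$WORK/acs-ca.cer" 2>/dev/null

# supplicant_validates TRUST_STORE SERVER_CERT: "trusted" only if the presented
# cert chains to something in the client's root store, otherwise "untrusted".
supplicant_validates() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

# rsa_bits CERT: RSA key size; the reply notes keys above 1024 hang PEAP clients.
rsa_bits() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# expires_within_days CERT DAYS: "yes" if the cert expires inside DAYS days.
expires_within_days() {
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then echo no; else echo yes; fi
}

# Self-signed: the client must hold the ACS cert itself; a CA cert alone is no help.
echo "self-signed, ACS cert pushed to client: $(supplicant_validates "$WORK/acs33.cer" "$WORK/acs33.cer")"
echo "self-signed, client has only the CA:    $(supplicant_validates "$WORK/ca.cer" "$WORK/acs33.cer")"
# CA-signed: the client needs only the CA cert (already present for public CAs).
echo "CA-signed, client has the CA:           $(supplicant_validates "$WORK/ca.cer" "$WORK/acs-ca.cer")"
echo "CA-signed, client has only old ACS33:   $(supplicant_validates "$WORK/acs33.cer" "$WORK/acs-ca.cer")"
echo "ACS33 key bits: $(rsa_bits "$WORK/acs33.cer")"
echo "ACS33 expires within 400 days: $(expires_within_days "$WORK/acs33.cer" 400)"
```

With "Not validate" selected on the client, none of these checks run and any server that can speak PEAP is accepted, which is the "boo boo" the reply warns about.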

Similar Messages

  • Using certificates with ACS

    Do any of you know how to configure certificates in ACS? Any reference for this issue?
    Thanks

    Have a look at these:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00804721c3.shtml
    http://www.geocerts.com/support/install/install_cisco_acs.php
    Regards
    Farrukh

  • Public Certificate for ACS

    Can anyone tell me if there are security issues with using a public certificate on ACS to be utilized for PEAP authentication? Trying to make this more manageable for our Windows Mobile devices and what they have by default for root CAs. Thanks

    I would say a partial yes to your post. Since ACS is going to assign the certificate, if the ACS server is secure, hence the certificate.

  • Installing certificate on ACS Server

    I want to install the certificate on the ACS server. I have taken the option Generate Certificate Signing Request and configured all parameters like Install ACS Certificate, Authority Setup and Trust List. The certificate has been generated and installed on the machine. But when I try to log in to the system it is working normally with HTTP only. How can I change it to HTTPS? Please, anyone, help me.

    Hi,
    To enable HTTPS for ACS:
    Go to Administration Control -- Access Policy -- SSL Setup -- Use HTTPS Transport
    To create and install a server certificate:
    System Configuration -- ACS Certificate Setup -- Generate Self Signed Certificate -- Fill in the details -- Select- Install Generated Certificate
    Restart ACS Services under Service Control
    When you try to log into the ACS you would get a warning -- Select Yes
    Tnx,
    somishra

  • Installing Certificates on ACS 3.3 for Windows

    We have a Microsoft CA and we have installed the certificates on ACS, but the certificate doesn't show up in the trust list. Anyone have any ideas? ACS will allow me to turn on PEAP but authentication fails.

    Configuring for PEAP or EAP-TLS can be tricky and there are lots of caveats. This EAP-TLS deployment guide has some info on cert setup that should be equally applicable for PEAP as well.
    http://www.cisco.com/en/US/netsol/ns339/ns395/ns176/ns178/networking_solutions_white_paper09186a008009256b.shtml#wp39247

  • :: PEAP Certificate on ACS ::

    Hi all,
    Is it possible to have 2 CA certificates for PEAP on one ACS server, with only one active?
    I'm using a test certificate and I want to install the production one. I know that only one should be active, but I'm looking for this to decrease the downtime for users when I change the certificate.

    As far as I know, you cannot have two CA certificates for PEAP on one single ACS server.

  • Self Signed Certificate For ACS

    Hi,
    I am running version 4.1 of the ACS appliance and was wondering if anyone knew of a way to get around the limitation of the 1 year self signed certificate? We had no external CA infrastructure.
    Is there a way of creating the CA certificate on an external (temporary) Windows/Linux box and then importing this onto the ACS for use?

    This will be on an isolated network and will only authenticate/authorize a few switches and routers. No MS/Linux on this LAN will use ACS; do you still have to create the CER? I could only find where that is needed for EAP, PEAP, HTTPS, Posture Validation, etc. I'm just trying to get the basics working so I can get this started, tested, then move to other things. If you think this is still needed, I'll create the self-signed one but I'm not sure if it will do any good. Thanks for the reply.

  • Self Generated certificate validity issue in ACS 4.0 for Windows

    Hi,
    Is there any solution to extend the validity time of the self-generated certificate on ACS? By default the validity is set for one year.
    The server certificate on one of the ACS servers, which is the CA, has expired and needs to be renewed.
    Is it possible for only one certificate from a third party to be used both as the server certificate and as the CA certificate for the other ACS servers?
    Thanks in Advance
    Regards,
    Ahmed

    Another solution would be to create an in-house (Microsoft probably) CA and get a certificate for your ACS server. Go through the installation steps of the Microsoft CA beforehand, as the validity date for the server certificate (I guess) is configured during the initial install of the CA.
    Regards,
    Prem

  • CA certificate issue in ACS 4.0 for Windows

    Hi,
    How to generate a lost private key .pvk file on an ACS which is also configured as the CA server? I would like to register all the available ACS servers to the CA server using the same certificate from the CA server. Need a step-wise procedure on obtaining a certificate from the ACS CA server.
    Your kind response will be of great help.
    Thanks in advance
    Best Regards,
    Ahmed

    Windows Server 2003 with SP1, Enterprise Edition, is used so that auto-enrollment of user and workstation certificates for EAP-TLS authentication can be configured. This is described in the EAP-TLS Authentication section of this document. Certificate auto-enrollment and auto-renewal make it easier to deploy certificates and improve security by automatically expiring and renewing certificates.

  • Certificate issues in ACS 4.0 for Windows

    Hi,
    One of the ACS servers is configured as a CA using a third-party certificate, but the server certificate on that ACS was self-generated and has expired.
    I tried using the same third-party certificate to replace the existing expired server certificate on ACS, both by generating a CSR on ACS and by installing the new certificate using the local storage and read-from-file options, but failed. It gives the following error while using the CSR-generated private key:
    "private key doesnt fit for this certificate"
    Next, assuming that the installed third-party certificate with its own private key can be used to install the certificate from storage gives the following error:
    "Cannot get the private key from certificate. It's absent or not marked as exportable"
    Again, assuming that the third-party certificate has multi-server/seat licences.
    Any solution to this issue will be of great help.
    Thanks
    Regards,
    Ahmed

    Re-installing the certificate may resolve this issue.
    Install CA Certificate on your Appliance
    ===============================
    A. Go to System Configuration > ACS Certificate Setup > ACS Certification Authority Setup
    B. Click "Download CA certificate file"
    C. Type the IP address or hostname of the FTP server in the FTP Server field
    D. Type a valid username that Cisco Secure ACS can use to access the FTP server in the Login field
    E. Type the above user's password in the Password field
    F. Type the relative path from the FTP server root directory to the directory containing the CA certificate file in the Remote FTP Directory field
    G. Type the name of the CA certificate file in the Remote FTP File Name field
    H. Click Submit
    I. Verify the filename in the field and click Submit
    J. Restart the ACS services in System Configuration > Service Control

  • Problem with ACS 4.1 using certificate

    I have an ACS 4.1 appliance, and I have already configured ACS in order to work with certificates. I got the certificate from ACS and I already installed it as the installation guide says. Additionally I configured the card's controller on my PC in order to manage the certificate.
    When I try to be validated by ACS I cannot go on, because a message appears that says "click to select a certificate"; after clicking, a window appears asking for user and password, however I expected not to receive this window.
    The switch's port was configured as follows:
    aaa new-model
    aaa authentication dot1x default group radius+
    dot1x system-auth-control
    interface GigabitEthernet1/0/4
    switchport mode access
    dot1x mac-auth-bypass eap
    dot1x pae authenticator
    dot1x port-control auto
    dot1x timeout quiet-period 15
    dot1x timeout tx-period 3
    dot1x reauthentication
    radius-server host (ip address) auth-port 1645 acct-port 1646
    radius-server source-ports 1645-1646
    radius-server key password
    What am I doing wrong, or is there something left?

    1) Did you install the certificate file on the local machine? (Right click >> Install Certificate >> and so on...)
    2) Are you using the built-in dot1x supplicant in Windows XP? Is the setting set to MD5?
    3) Did you select this installed certificate from the drop-down menu in the wireless software?
    Regards
    Farrukh

  • ACS Certificate import failure

    Hello All,
    Trying to get a certificate imported on an ACS collector. The import (apparently) fails with this:
    >> 1 certificates found for server authentication usage.
    >> Enter the number of the certificate you want AdtServer to use for authenticating
    >>   to AdtAgent or 0 to quit without saving: 1
    >> Certificate 1 selected. Attempting to save thumbprint to registry ...
    >> failure.
    No errors, no messages, no event logs - no nada. I'm not even sure the import actually failed (how to verify?).
    Anyone happen to have an idea on how to troubleshoot this? I tried tracing registry access with Sysinternals ProcMon, but nothing interesting really stood out.
    Thanks in advance for help and/or pointers!
    Rgds - M.

    Hi,
    Here you can find more information on how to configure certificates for ACS forwarders and collectors:
    How to configure Audit Collection System (ACS) to use Certificate based authentication,
    How to Configure Certificates for ACS Collector and Forwarder
    Regards,
    Ivan

  • ACS Wildcard Certificate Install for PEAP

    Does ACS support wildcard certificate authentication, such as *.domain.com? We installed the certificate through ACS using a CA, but when using wireless devices, the certificate is still not verified. Any information would be helpful before we go and purchase another certificate. Thank you.

    Can someone validate whether wildcard certs are supported with ACS and PEAP, please. I'm running into the same issue that Jason outlines above. It seems that Windows clients specifically don't like the wildcard cert. I have tried with Mac and iPhone and they seem to work if you accept the cert into the keychain on first connect.

  • ACS 4.2 RADIUS - Wireless - Certificates

    I set up our ACS 4.2 server for TACACS and also to provide RADIUS authentication for our WLAN, and eventually will use it for 802.1x authentication for the LAN.
    I am not an expert on certificates. I called TAC to get assistance installing the self-signed certificate on ACS. This allowed me to build and test my WLAN. Now that I am near the point of going live with this I'd like to install a certificate that won't expire in 1 year.
    How do most people do this? We do have a Windows 2003 server that acts as the Certificate Authority for other services. Should I be doing something with that? And how do most people get these certificates deployed to the clients? By GPO?
    Clearly I am not very familiar with certificates and I apologize for this, but reading about them is getting confusing. If someone could point me in the right direction that would be a big help! Thank you!
    Edit: I should mention I've been using PEAP with the self-signed certificate, and currently manually installing the certificate on my test clients. As it is right now everything on my WLAN works great: authentication, VLAN assignment, etc. I'm just confused on the best practice for the certificate.

    ACS can only provide a validity of one year. Using a Microsoft CA you can configure it for 5...6...7 years, depending upon your need.
    It is easy to handle and manage it via GPO.
    Two PEAP scenarios:
    Using PEAP without the validate server option checked ---> Easy to deploy, as the cert is required only on ACS.
    Using PEAP with the validate server option checked ---> Needs the CA cert on each client.
    Also you can get the certs from vendors like Verisign, Entrust, Equifax, GeoTrust etc. The advantage with these certs is that we don't have to install the CA on each client, as it is installed by default on each operating system.
    Hope that helps!
    Regards,
    ~JG
    Do rate helpful posts

  • Stopping ACS certificate being offered to clients

    Hi,
    Hopefully someone will be able to assist with this.
    We have an issue where our wireless network is sending out the TLS certificate to new clients. We use this as a method of controlling which devices can access our network through wireless, so we don't really want to be sending it out to any old client that gets authenticated.
    We want to manually place the certificate on the machines so that users can't add their phones or own devices to the network.
    I believe this is either an issue with the ACS server or the WiSMs.
    Any help would be much appreciated.
    Thanks
    Luke

    Hi Luke,
    You can configure two types of certificates in ACS:
    • Trust certificate—Also known as CA certificate. Used to form the CTL trust hierarchy for verification of remote certificates.
    • Local certificate—Also known as local server certificate. The client uses the local certificate with various protocols to authenticate the ACS server. This certificate is maintained in association with its private key, which is used to prove possession of the certificate.
    For more information please go through this link:
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/user/guide/acsuserguide/admin_config.html#wpxref44329
