Installing Cert on ACS Appliance

I am trying to install a Cert on an ACS Appliance V3.2. I have created the cert using a MS CA on our network but when I try and install it says that the Private Key file cannot be blank. Any help would be appreciated.
-clyde

I had the same problem. Cisco's only help was to tell me that ACS Ver 3.2.3 only supported key sizes of 1024 bits minimum.(our root CA had a key size of 512)
I resolved this by uninstalling the ACS then installing the root CA certificate on the server, next I made an enrollment request to the CA for the ACS's own certificate which was subsequently downloaded and installed.
After re-installing the ACS server, I just selected "use certificate from storage" rather than "use certificate from file"

Similar Messages

  • Replaced Expired Cert on ACS

    Hi,
    I replaced an ACS certificate that had been installed i then did the following:
    1. Created a certificate request.
    2. Issued the request to the enterprise CA.
    3. Copied the certificate to an ftp server.
    4. Installed the certificate on the ACS.
    5. Configured the CTL again.
    6. Restarted the ACS service.
    8. Enable EAP-TLS.
    The problem is when i try and enable EAP i get the message no ACS certificate installed.
    I searched on cisco and it said to disable the CSA and follow the same process which i have done to no avail.
    Any help appreciated.
    Thanks
    Kev

    I found this book in the version of the ACS:
    CSCef61785 Bug Details Bug #79 of 92 | < Previous | Next >
    ACS Appliance fails to recognize installed certificate Symptom
    ACS appliance does not recognize the installed certificate.
    Conditions
    Cisco Security Agent is running.
    1. Install a certificate. The web interface will report the certificate as installed and validated.
    2. Enable PEAP.
    3. An error appears: Failed to initialize PEAP or EAP-TLS authentication protocol because CA certificate is not installed. Install the CA certificate using ACS Certification Authority Setup page.
    Workaround
    Disable the Cisco Security Agent and repeat the installation procedure. Re-enable the Cisco Security Agent.
    Possibly worth upgrading?
    If so can some one help me with the upgrade stages as im finding them a bit confusing.
    Thanks
    Kev

  • New ACS appliance not showing FQDN hostname in GUI

    I've installed two new ACS appliances in our environment running 5.3.  I've just configured the basics to get it on the network (ie DNS, default GW, IP address).  Looking at both running configs, they are identical with exception to the IP addresses.  On one appliance in the GUI next to the user name in the top right hand corner, the hostname is "acs01".  In the GUI on the other appliance, it shows "acs02.corp.mycompany.com".  This is a minor issue but its bugging me.  Anyone have an idea what is going on?
    In both appliances, this statement is identical in the show run:
    ip domain-name corp.mycompany.com

    Hi,
    So you are using a hardware RAID5 in storage pool as a hard disk. Now you added one more hard disk to the RAID5 with the tool "Dell Server Administrator" but it is not recognized in storage pool.
    I think it will not work as hard disk size cannot be changed after storage pool is created. It is by default.
    However why you use the hardware RAID in a storage pool? A hardware RAID seems enough for your storage requirement.
    If you have any feedback on our support, please send to [email protected]

  • ACS Appliance - Where is the bulk import?

    On the Windows version there is the command line utility which allows for the bulk import of users and clients. With over 250 TACACS+ client to install on an ACS appliance I do not want to have to add them in manually, one by one, but don't seem to be able to find the way to import them. Can anyone help?

    On the appliance the only way is to use RDBMS Sync.
    The ACS quick help and online docs all have quite good documentation about how to create the account actions transaction table so I wont describe it here.
    You can actually set more device params via RDBMS sync than you could csutil.
    I doubt its been updated for the new device parameters you can manually setup in ACS v4.1 though.

  • ACS appliance setup help

    Network environment:
    - Windows 2003 with enterprise CA
    - Cisco ACS appliance 4.1.1.23
    - Cisco 1240 AG series APs
    Wireless clients:
    - Windows XP SP2
    Brief steps taken:
    - Installed Enterprise CA
    - Created copy of web server certificate with option “Mark keys as exportable” enabled. Certificate published.
    - Created global group in AD that contains test user and a single laptop that is a member of domain - for auto enrolment.
    - Generated certificate request from ACS (1024 key length).
    - Submitted server request from ftp server - Submit a certificate request using base 64…
    - Submitted CA certificate request from ftp server - Retrieve CA certificate or revocation list /base 64 encoded.
    - CA & server certificates installed in to ACS appliance (Domain certificate authority approved within ACS)
    Brief cofig of ACS appliance
    Global config
    - PEAP -Selected “Allow EAP-MSCHAPv2”.
    - LEAP - Allow LEAP (For Aironet only)
    - Selected “Allow MS-CHAP Version 1 & 2 authentication
    - Added AAA client (AP) with shared secret with authentication using “Radius (Cisco Aironet)
    - Under External user DB//DB config/windows database, “Enable PEAP machine authentication” selected.
    1240 series AP config
    - Under Server Manager, ACS IP with shared secret entered as a Radius server.
    - Selected EAP authentication.
    - Under SSID Manager selected open Authentication with EAP & selected network EAP.
    - Under Encryption Manager selected WEP Encryption & mandatory.
    - Selected key 1 and entered 128 bit key
    Client (windows XP SP2 domain member) config
    - Connected to Enterprise CA web site, base64 encoding/download CA certificate
    and installed it in local computer store.
    - Under Network authentication selected open with WEP EAP type “protected EAP (PEAP)
    - Authenticate as a computer selected
    - Selected my CA under “Trusted Certification Authorities
    - Authentication method (EAP-MSCHAP V2)
    Errors:
    Automatic certificate enrollment to local system failed to contact the AD. The specified domain does not exist or cannot be contacted.
    Or
    Computer doesn't have correct certificate
    Used 43486, 64067, 71929
    Any suggestions very much apretiated.

    ACS Agent is installed on two DC's as well and they are detected by ACS.
    Thanks

  • ACS appliance External Auth to NT 4.0

    Hi
    I am installing the ACS appliance to do external database authentication to NT 4.0 PDC. It appears with the appliance you have to install a remote agent to make this work. It is my understanding this agent must run on a win2k box. Does the agent have to be installed on the PDC or can it go on any windows server box?
    Is there a work around if you do not have a win2k server. This network is still NT4 with now win2k boxes
    Thanks

    The remote agent was not tested on NT4 and probably wouldn't even install properly. Even if it did work, you would be very limited in the support you'd get if you had strange problems because it is an unsupported configuration.
    It doesn't have to go on a PDC, but things just seem to work better if it is on a DC of some sort. At the very least it needs to be on a member server, but as I said, I'd recommend putting it on a BDC from experience.
    The release notes/install guide for it is here:
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/raig/index.htm

  • Apply patch to acs Appliance

    I was wondering if someone can help me to upgrade my ACS Appliance with patch 4.1.1.23.4-SW. It was simple to apply this one in a normal server 2000. The ACS appliance I think is different because that we can access by normal terminal, keyboard and mouse.
    Some were I read that is necessary a tomcat server?
    Please help
    adi

    Hi,
    ACS v4.1.1.23 patch 5 is available so go for this new patch.
    You should have a pc which can access ACS through web interface. Keep the patch file on the PC.
    Follow the steps below on the PC:
    [1] Extract zipped file
    [2] Look for ?autorun.exe? file and double click on it
    [3] It will start a tomcat server on your desktop and you?ll see a web page asking for ACS
    SE ip address :
    Provide in the ACS SE ip address and press ?Install?
    [4] It will prompt for ACS admin username and password as shown below :
    Provide in the username and password and login.
    [5] Then it bring up ACS GUI, then go to
    System Configuration > Appliance Upgrade Status > Download,
    Then we?ll get a screen where it will ask for ip address of Install Server :
    Provide in ip address of system from where we are applying this patch, in our case our
    desktop ip address, then click connect.
    [6] It will show us following screen :
    Click on ?Download Now?
    Then it?ll show us this screen :
    Press ?Refresh? Till we see following screen :
    [7] Now press ?Apply Upgrade?. Then it?ll ask for confirmation :
    Press ?Upgrade?, then we?ll get information regarding the patch.
    Click ?Yes?.
    It?ll take few minutes to apply that patch on appliance.
    Then it?ll show us a confirmation message :
    Press ?Done?, then system will reboot.
    To confirm that patch has been applied successfully, goto
    System Configuration > Appliance Upgrade Status
    After everything is fine stop the tomcat server by clicking on ?stop distribution server? or
    if you want to apply this patch on some more appliance click on ?Install Next?
    Hope this helps.
    ~Rohit

  • ACS Windows vs ACS Appliance

    I have ACS 3.3 running on Win2k and am looking to upgrade. Would it be a better idea to get the ACS appliance instead? What are the pros/cons?

    Hi
    Personally I wouldnt choose an appliance over software. Cost aside they are harder to integrate (esp if you use AD), harder to diagnose and patch.
    From experience I know ACS sometimes needs a little TLC to keep it working. ACS v3/v4 was not designed as appliance software. This has been retro-fitted with all the issues that go with it.
    ACS v5 is supposed to be appliance from day 1 so maybe that'll be ok!
    This is my own personal view, Im sure there are a lot of happy appliance owners out there.
    Main differences
    1) Appliance cant talk direct to AD. You need to install an agent somewhere (possibly requiring a dedicated windows server.. ouch what happened to lower TCO!)
    2) No native ODBC, RSA (done via RADIUS instead)
    3) Logging. CSVs hard coded to rollover at 10MB. Requires log agent or extraxi csvsync to collect logs.
    If you like to be "hands on" stick with s/w

  • ACS Appliance Upgrade

    I obtained the 3.3 release from Cisco. I'm currently running v3.2. When I go to System Configuration -> Appliance Upgrade Status -> Download -> Connect -> Download Now, it returns "No Distribution in Appliance". I can see the 3.3.3.11 in the software install table. but it returns the error above when trying to transfer the file. I'm running Apache / Windows XP SP2. Anyone seen this before?

    Hi,
    Without Distribution server, normally you need to load the new image into the current ACS appliance itself before execute the upgrade process. The new image can be transferred via serial or ACS web-based 'system upgrade' option.
    If I am not mistaken, the error you're getting was due to unavailability of distribution server.
    If you stuck with the image transfer, try to use CLI/console mode.
    Typicall upgrade method has 3 steps:
    1. Load new image (download from Cisco or using CD) onto a distribution server.
    2. Load the upgrade image onto the Cisco Secure ACS Appliance from the distribution server. Do it either from within the HTML interface, or from the serial console. The Cisco Secure ACS Appliance will verify the transferred files to ensure that they have not been corrupted.
    3. Apply the Cisco Secure ACS Appliance system upgrade. You can do this either from within the HTML interface, or from the serial console.
    Refer to the following url for complete upgrade processes & options:
    http://www.cisco.com/en/US/partner/products/sw/secursw/ps5338/products_installation_guide_chapter09186a0080203004.html#wp1044616
    Rgds,
    AK

  • ACS Appliance Hardware functionality

    Just received a new ACS Appliance and in testing out the functionality I've encountered a couple of curious issues...
    Shutdown -- Have tried doing shutdown from both HTTP and Serial connections. Command is accepted and the hard drive light flashes for a bit and then nothing. It does not power off, don't get a message on the serial console saying it is OK to power off. Waited 20 minutes then used the power button. Seems to conflict with the doco.
    Can we/How do we use the second Ethernet port? Don't see anything about how to configure it in the doco but when I plug a cable in I do get lights indicating it is active.
    I have been able to complete basic configuration and do have connectivity and authentication against Internal User, still fiddling with getting communication with our LDAP User database, So the unit does function.

    For the 2nd ethernet connection, the doco here (http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/csapp33/install/ovrvuap.htm#wp1040777) gives the answer:
    Ethernet Connectors
    Your system has two integrated 10/100/1000-megabit-per-second (Mbps) Ethernet connectors. Cisco Secure ACS Solution Engine supports the operation of either Ethernet connector, but not both connectors. Each Ethernet connector provides all the functions of a network expansion card and supports the 10BASE-T, 100BASE-TX, and 1000BASE-TX Ethernet standards.
    Each NIC is configured to automatically detect the speed and duplex mode of the network.
    Note The Cisco Secure ACS Solution Engine supports the operation of only one Ethernet connector at a time. Concurrent operation of both Ethernet connectors is not supported.
    For the shutdown issue, not sure, haven't seen that before.

  • Trunked connections to ACS appliance

    We are replacing our Cisco ACS 4x server with a new ACS appliance. It is a Cisco UCS C220.
    We went with the hardened Linux option for the underlying OS.
    Our old server had multiple network adapters on different subnets so that it could authenticate devices on different VRFs (rings basically).
    I see the new appliance has only 2 network adapters in it. Is it possible to configure these as a 802.1q trunk in order to have the device service requests on 4-5 subnets? I haven't seen documentation on how to do this.

    Hi,
    ACS v4.1.1.23 patch 5 is available so go for this new patch.
    You should have a pc which can access ACS through web interface. Keep the patch file on the PC.
    Follow the steps below on the PC:
    [1] Extract zipped file
    [2] Look for ?autorun.exe? file and double click on it
    [3] It will start a tomcat server on your desktop and you?ll see a web page asking for ACS
    SE ip address :
    Provide in the ACS SE ip address and press ?Install?
    [4] It will prompt for ACS admin username and password as shown below :
    Provide in the username and password and login.
    [5] Then it bring up ACS GUI, then go to
    System Configuration > Appliance Upgrade Status > Download,
    Then we?ll get a screen where it will ask for ip address of Install Server :
    Provide in ip address of system from where we are applying this patch, in our case our
    desktop ip address, then click connect.
    [6] It will show us following screen :
    Click on ?Download Now?
    Then it?ll show us this screen :
    Press ?Refresh? Till we see following screen :
    [7] Now press ?Apply Upgrade?. Then it?ll ask for confirmation :
    Press ?Upgrade?, then we?ll get information regarding the patch.
    Click ?Yes?.
    It?ll take few minutes to apply that patch on appliance.
    Then it?ll show us a confirmation message :
    Press ?Done?, then system will reboot.
    To confirm that patch has been applied successfully, goto
    System Configuration > Appliance Upgrade Status
    After everything is fine stop the tomcat server by clicking on ?stop distribution server? or
    if you want to apply this patch on some more appliance click on ?Install Next?
    Hope this helps.
    ~Rohit

  • ACS Appliance 1113 with v4.2

    I have ACS appliance 1113 with v4.2 software. How do I tight this into Active directory? Do I have to run some software on the DC server?
    Thanks,

    You need to install remote agent on member server. The software will facilitate communication between acs and AD.
    Here is the link,
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.1/installation/guide/remote_agent/rawi.html
    Regards,
    ~JG
    Do rate helpful posts

  • ACS appliance and remote agent testing

    Having problems with integrating ACS appliance with Active Directory. Have installed the remote agent on a member server and from the ACS appliance can enumerate the Active Directory groups correctly so there is at least some communication happening.
    Looking at the remote agent logs whenever a request for the AD groups comes through you see corresponding log entrys. When a user tries to authenticate though there are no logs coming through to the remote agent. So maybe it is not being sent to remote agent?
    In the failed authentications log on the ACS the error is unknown user, it does show the correct username + domain as the person trying to authenticate.
    The Windows server is setup for unknown user policy.
    ACS version is 4.1.1.23, Remote Agent is latest version available.
    Any ideas or things to check?

    Hi,
    As per your last line, It seems that ACS and RA ver are not same. Please note that ACS appliance and RA software ver has to be same else it won't work.
    Regards,
    ~JG

  • ACS Appliance 3.3 Integration with Envision

    How to install the ftp agent on the ACS appliance 3.3 to integrate it with the envision for centralized logging.

    To the best of my knowledge you cannot install anything on the appliance. period.
    So any solution requiring agents doesnt work.
    You might want to look at our CSVSync utility (part of the aaa-reports! product family) that connects to ANY type of ACS Server via its HTTP interface.
    http://www.extraxi.com
    Darran

  • ACS appliance 3.2.2.5 Remote Agents for Windows DB disappear

    I have two ACS boxes: one is ACSNT and the other an ACS appliance. Both run 3.2.2.5 and have been in production for quite some time. The ACSNT box is the primary and replicates to the appliance as backup. These units authenticate to three different Windows domains: 2 NT domains and 1 AD.
    Recently I just added support for RSA 6.0 servers. Not wanting to mess with the client install on the ACSNT box, I set it up as a RADIUS token server as you do on the appliance. It works just fine on the ACSNT box. On the appliance, however, my Windows external DB quit working with "external db not operational" messages. I rebuilt the Windows external DB, recreated the group mappings, added the remote agents, etc. Things were working fine. I recreated the RSA config and still the Windows DB was working although the RSA config was not working (still working on that if TAC ever calls me back). A few hours later, I decided to check the Windows DB and it was broken again. I checked it out and the remote agents were somehow deleted. Nothing in the logs show it but they were gone. I recreated them and it worked again. This has happened twice now. Does anybody have any advice? The logs show nothing to indicate a problem on the appliance exists and of course the docs state that there should be no problem with both a RADIUS and Windows DBs living together on the same box. All comments welcome!
    Thanks,
    Rik

    Sorry it took so long to get back...I've been out of the office for a few days.
    I did check the the docs for issues like this but found nothing. The TAC Engineer escalated it and both engineers kept saying my new RSA servers were causing my issues. However, a simple reboot of the box (it is built on Win2K after all...) cleared up all of the strange issues.
    Thanks,
    Rik Guyler

Maybe you are looking for

  • How to save psd files...

    how to save psd files so other can change (with all fonts and Layers) I need to know how to save everything in the psd so others still can use it.??

  • HT3825 Sony Nex 5 Raw, 10.6.8 and iPhoto 09

    I am very frustrated.  According to this post, I should be able to use the Digital Camera Raw3.9 updater on 10.6.8. I have iPhoto 09.  It tells me I need 'iPhoto 9'.  iPhoto 11 (v 9) will not run on 10.6.8, but only on 10.7.  This doesn't make sense.

  • Preservation of connections prior to upgrade from v9.3.x to v11.1.2

    Hello again SV Gurus out there!! I am contemplating upgrading the Smart View add-in on my PC from v9.3.1.6 to v11.1.2 and since I have quite a few connections already set up against our Prod and Non Prod environments, I would like to know whether it

  • C330 All in One Touchscreen PC - de, webcam problem after 8.1 update

    After upgrading to Win 8.1my microphone and webcam are not recognised or visible as installed peripherals. Reading that the preinstalled YouCam software will no longer function after upgr I have deinstalled it (may be able to recover it from a Carbon

  • How can i put a new music on itunes?

    how can i put a new music on itunes? i dont see any music on my itunes