PEAP ACS certificate Replacement

Hopefully an easy one.
My customer has an ACS appliance with a 1 year certificate installed from a Microsoft CA.
They have 3 months left on it so will replace it next week. The client certificates have 5 years left on them.
As far as I know they should be able to replace this certificate on the ACS without updating the certificates on the clients,
so long as the clients still trust the CA that issued the new cert to the ACS.
In other words the certificate is only used for identity validation and not encryption.
Does this sound correct?
Regards
Colin

Hi,
The "SSL Handshake failure" is seen when the client or server does not recognize the CA which signed the certificate presented to it.
You will need to install the Root Certificate of the CA in the AAA Server and the client's certificate storage (user's and machine's depending on the authentication).
If you uncheck "Validate Server Certificate" on the client, then the client machine will not check the signing authority of the server's certificate. The client will be able to authenticate.
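The trust relationship Colin is asking about, played out in code. This is an added example written for this page, not code from any post in the thread, from Cisco ACS or from Microsoft; it uses Go's standard library to stand in for the Microsoft CA, the ACS server certificate and the Windows supplicant, and every name in it (the CA names, acs.corp.example, the serial numbers) is a constructed placeholder. It shows that a client holding only the issuing root accepts both the expiring ACS certificate and its replacement with no change on the client, rejects a certificate from a CA it does not trust, and, with "Validate Server Certificate" unchecked as the reply above describes, accepts any certificate at all.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// sign generates a fresh key for tmpl, has parentKey sign it and parses the result.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parentKey == nil { // self-signed root: the new key signs its own certificate
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// newCA builds a self-signed root, standing in for the customer's Microsoft CA (constructed).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(5 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return sign(tmpl, tmpl, nil)
}

// issueServerCert has the CA sign a one-year server-authentication certificate,
// the kind the RADIUS (ACS) server presents inside the PEAP TLS tunnel.
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, dnsName string) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	cert, _ := sign(tmpl, ca, caKey)
	return cert
}

// supplicantAccepts models PEAP phase 1 on the client: with validation on, the server
// certificate must chain to a root in the client store and carry the server-auth EKU;
// with the "Validate Server Certificate" box unchecked, anything is accepted.
func supplicantAccepts(trusted *x509.CertPool, server *x509.Certificate, validate bool) error {
	if !validate {
		return nil
	}
	_, err := server.Verify(x509.VerifyOptions{
		Roots:     trusted,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// RotationResult records which server certificates the client accepted.
type RotationResult struct {
	OldCertAccepted    bool // the expiring certificate, issued by the trusted CA
	NewCertAccepted    bool // its replacement: same CA, new key and serial
	ForeignCAAccepted  bool // a certificate from a CA the client does not trust
	ForeignCAUnchecked bool // the same foreign certificate with validation turned off
}

// RunRotation plays out the question: the client trust store is left alone while the
// server certificate is replaced. Clients hold the issuing root, never the server
// certificate itself, which is why the rotation needs no change on the clients.
func RunRotation() RotationResult {
	corpCA, corpKey := newCA("Corp Root CA (constructed)")
	otherCA, otherKey := newCA("Some Other CA (constructed)")
	clientStore := x509.NewCertPool()
	clientStore.AddCert(corpCA)
	oldCert := issueServerCert(corpCA, corpKey, 1001, "acs.corp.example")
	newCert := issueServerCert(corpCA, corpKey, 1002, "acs.corp.example")
	foreign := issueServerCert(otherCA, otherKey, 1, "acs.corp.example")
	return RotationResult{
		OldCertAccepted:    supplicantAccepts(clientStore, oldCert, true) == nil,
		NewCertAccepted:    supplicantAccepts(clientStore, newCert, true) == nil,
		ForeignCAAccepted:  supplicantAccepts(clientStore, foreign, true) == nil,
		ForeignCAUnchecked: supplicantAccepts(clientStore, foreign, false) == nil,
	}
}

func main() { fmt.Printf("%+v\n", RunRotation()) }
```

Replacing the ACS certificate therefore only requires that the new certificate chain to a root the clients already hold and carry the server-authentication purpose; the client certificates and their remaining 5 years are untouched. The last case is the price of the "Validate Server Certificate" workaround: once validation is off, the supplicant has no way of knowing which server it is handing its credentials to.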

Similar Messages

  • PEAP, ACS and certificates

    We recently purchased a Cisco 4200 LAN Controller and 1131ag access points. We also have a Cisco ACS with 3.3.3 installed. I have been researching what is the best security option and PEAP MSCHAPv2 with WPA2 seems to make the most sense for us since it is highly secure and does not require client side certificates. I am running into a bit of trouble with this implementation because we do not have an in-house CA. Can I install a certificate from a third party, such as VeriSign, on the ACS? What type of certificate do I need? Do I need to use the Cisco client utility or can I just use Windows with the built-in laptop wireless adapters?
    Thanks

    The Windows clients will trust them if they trust the root CA. A trusts B, B trusts C, so therefore A trusts C.
    1. Install the root cert on the ACS box.
    2. Install the identity cert on the ACS.
    3. Make sure your Windows clients trust the root from which you received the identity cert for your ACS box.
    BTW: The self-signed cert from ACS is only good for 1 year.
    Were you aware that Certificate Services are offered with Windows 2000/2003 Server? It's fairly easy to set up. One drawback with 2003 is that you have to create a web template for the cert for ACS, but there are plenty of docs out there. Search for "ACS Certificate Windows PEAP". Just post again if you have any questions...

  • ACS certificate expiration

    Hello,
    We are using PEAP authentication with ACS 3.2 and MS CA (Server 2003)... The certificate on ACS will expire soon. Are there any recommendations or steps on how to update (reinstall) the certificate?
    Thanks
    M.

    Hi Milan,
    Have you looked at this doc? Perhaps it will help get you started;
    Updating or Replacing a Cisco Secure ACS Certificate
    Use this procedure to update or replace an existing CiscoSecure ACS certificate that is out-of-date or out-of-order.
    Caution: This procedure eliminates your existing CiscoSecure ACS certificate and erases your Certificate Trust List configuration.
    To install a new ACS certificate, follow these steps:
    Step 1 In the navigation bar, click System Configuration.
    Step 2 Click ACS Certificate Setup.
    CiscoSecure ACS displays the Installed Certificate Information table on the ACS Certificate Setup page.
    Note: If your CiscoSecure ACS has not already been enrolled with a certificate, you do not see the Installed Certificate Information table. Rather, you see the Install new certificate table. If this is the case, you can proceed to Step 5.
    Step 3 Click Enroll New Certificate.
    A confirmation dialog box appears.
    Step 4 To confirm that you intend to enroll a new certificate, click OK.
    The existing CiscoSecure ACS certificate is removed and your Certificate Trust List configuration is erased.
    Step 5 You can now install the replacement certificate in the same manner as an original certificate.
    From this doc;
    http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_user_guide_chapter09186a0080204de1.html#wp180743
    Hope this helps!
    Rob
    Please remember to rate helpful posts.......

  • Enterprise Wireless 802.1x WEP EAP-PEAP Support with ACS Certificate

    Hi,
    Does BB10 support this type of connection?
    Thanks.

  • Missing machine authentication - peap acs

    Hi,
    my setup is:
    Cisco ACS 4.0 Release 4.0(1) Build 27 (with thawte certificate)
    WLC 4402 ver 4.0.179.8
    Aironet 1131 LWAPP
    dell laptop with windows xp sp2 with peap auth (using win control of wlan card)
    I experience a problem with missing machine authentication even though I have enabled this in ACS (Enable PEAP machine authentication). The reg key on the PCs is standard Windows (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global with no value set = 0)
    http://support.microsoft.com/kb/309448/en-us
    I get these messages in the wlc log:
    AUTH 14/09/2006 08:48:58 E 0143 2688 [PDE]: PdeAttributeSet::addAttribute: invalid attr type=201
    AUTH 14/09/2006 08:48:58 E 0376 3852 External DB [NTAuthenDLL.dll]: MachineSPNToSAM: __DsCrackNames failed
    anyone who can point me in the right direction?
    Is it a windows client problem or a WLC/ACS problem?
    regards rolf

    Hi,
    I still have a problem with machine authentication that stops working after 3-4 days. I narrowed this down to the Cisco ACS, as the only way to resolve this is to reboot the Win2003 server running Cisco ACS. I did put an error in my first post; it's not the WLC log that reports this:
    AUTH 26/09/2006 07:51:16 E 0143 0500 [PDE]: PdeAttributeSet::addAttribute: invalid attr type=201
    AUTH 26/09/2006 07:51:16 E 0376 0132 External DB [NTAuthenDLL.dll]: MachineSPNToSAM: __DsCrackNames failed
    It is the CSAuth log on the ACS. Has anybody seen this error message and know what it refers to?
    My problem now is that machine authentication works OK for some days, then stops, and then the listed error messages start coming in the CSAuth log.
    regards rolf

  • Android Client working on WPA2 PEAP without certificate loaded

    I am trying to figure out why the Android phone will work on our Cisco WPA2 Enterprise PEAP wireless when we use a custom internal certificate for authentication with our Cisco 1200 series APs, ACS 4.x, and AD user groups/accounts. 
    The certificate is not loaded on the client, and from what I learned it is very difficult to import an MS-generated certificate for use.
    I did debugs between my regular domain computer, which has the domain certificate, and the Android and collected captures; see attachment tabs.
    I do see that the certificate is used somehow and I do see what looks like a ldap lookup.
    See the attached xls sheet with a debug tab for each the PC and the android.
    I stripped out any sensitive account/domain info for viewing.
    I'm not sure if this is a potential security loophole or not and welcome a discussion on this.

    Really?
    It's been a long time since I set this up and tested this and understood all the components. I just read up on it again and it appears you're correct that PEAP only requires the server (ACS) side cert and the user's credentials are protected during logon within MSCHAPv2.
    If I recall, when I set up our environment, we had to install our domain cert on Pocket PCs (warehouse scanners) to get them to work with PEAP as the cert was not from a default trusted publisher. I don't understand why this was an issue then. Any ideas?
    Our AD client computers all get the root cert by default, and all we do is push the wireless setting to the client by GP.
    I was under the impression that we were protected by the client requiring the domain cert, and that pocket PC's, and other rogue wireless devices would not work without them. So how to best control rogue devices without using some NAP system?

  • PEAP, ACS, Aironet, and W2K CA

    I would like to ask if anyone knows of a resource that effectively spells out how to configure and use Microsoft CA services to issue valid certs for a PEAP implementation using a W2K installation of ACS 3.1, Aironet 1220 wireless access points, and the 6.x ACU. The only documentation I could find on the Cisco site is poorly lacking. My ACS TAC engineer wrote up his own documentation, but following these directions, I install only root certs, not server certs. I cannot get an authoritative answer to simple questions, such as what node gets what kind of cert, etc.
    Thank you,
    Paul Dieterich

    I ran into the same issue when first attempting to configure PEAP. I also received some PEAP configuration documents from TAC which was pretty straightforward but I also ran into some "gotchas" with it. The way that I configured the CA server was as a Standalone Root CA, generated a private key using ACS, and then pasted the private key generated from the ACS server into the Advanced Certificate Request Form as a Base64 Encoded Certificate Request so I could then download and install the issued certificate to the ACS server. Once that was completed, I configured my APs and then generated the client certificates and installed them for the clients. One of the big "gotchas" that I ran into was concerning the supplicants (clients). Windows 2K clients must install a Microsoft "Hot-Fix" or patch in order to select the authentication type with their Network Properties and select specific certificate settings. I've got some documentation on this, if you would like for me to pass it along.
    Hope this helps.
    cdeeds

  • ACS Certificate installation problem. Please Help !!!

    hello,
    I have following configuration:
    Catalyst 2950G-proximity switches with IOS 12.1(19)EA1c.
    Cisco Secure ACS Appliance 3.2.3.11
    SunONE Directory Server ldap server version 5.2_Patch_2
    I am trying to setup 802.1x authentication for wired and wireless (aironet) clients, with VLAN parameter provided by using group mapping with ldap groups.
    I understand that the best for that will be EAP-GTC version of PEAP.
    I tried (for a week now!!!) to install the certificate in order to activate PEAP on ACS.
    I carefully read and re-read following documents:
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/csapp32/user/sau.htm
    and this one
    http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_configuration_example09186a008020a45c.shtml
    I set up a CA three times using "Microsoft Certificate Services" and OpenSSL. I am positive that I've done it correctly since each time the CA certificate installation worked and each time I found the CA in the "Certificate Trust List".
    The procedure to install the certificate:
    1. Install the CA certificate on ACS server (through ftp)
    2. Create the Certificate Signing Request and paste in Notepad to make the private key file
    3. Paste the Certificate Signing Request into the "base64 encoded PKCS#10..."
    4. Get the Server Certificate after issuing and put along with private key file on the ftp server.
    When trying to install I get that
    "Unsupported private key file format."
    message.
    The private key file IS the Certificate Signing Request pasted into a file, isn't it?!?
    I have done that many times. I tried many names and extensions for files. I tried to overcome the UNIX and DOS representation for CR and LF in text files.
    Each time the same error message.
    same problem like in this thread:
    http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd61919
    Everybody, please help!!!!

    The private key file is a separate file that gets generated by ACS when you create your CSR. I am not sure where the default directory is that it gets stored in. You should be able to specify a maximum path for the location that the private key file gets created in. Then when you go to import the issued certificate to ACS, you will also need to go back and tell ACS where this private key file is so that it can be used.
    Steve
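Steve's point, shown in code. This is an added example written for this page, not code from any post in the thread or from Cisco ACS: generating a request produces two separate artefacts, a private key that stays on the server and a CSR that goes to the CA, and a CSR saved to a file is not a private key in any format, which is exactly what an "unsupported private key file format" check has to report. Go's standard library stands in for the server's request generation; the common names are constructed placeholders. PrivateKeyMatchesCSR is the check worth running before pairing the issued certificate with the key file you kept.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// MakeKeyAndCSR does what the server (or openssl) does when a request is created:
// it yields TWO files, the private key and the CSR. The CN is a constructed placeholder.
func MakeKeyAndCSR(cn string) (keyPEM, csrPEM []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	keyDER, err := x509.MarshalPKCS8PrivateKey(key)
	must(err)
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn}}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	must(err)
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	csrPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrDER})
	return keyPEM, csrPEM
}

// parseKeyBlock accepts the three common PEM private-key encodings and rejects any
// other block, naming what the file actually contains (for a pasted CSR: CERTIFICATE REQUEST).
func parseKeyBlock(b *pem.Block) (crypto.Signer, error) {
	var key interface{}
	var err error
	switch b.Type {
	case "PRIVATE KEY":
		key, err = x509.ParsePKCS8PrivateKey(b.Bytes)
	case "RSA PRIVATE KEY":
		key, err = x509.ParsePKCS1PrivateKey(b.Bytes)
	case "EC PRIVATE KEY":
		key, err = x509.ParseECPrivateKey(b.Bytes)
	default:
		return nil, fmt.Errorf("unsupported private key file format: %q is not a private key block", b.Type)
	}
	if err != nil {
		return nil, err
	}
	signer, ok := key.(crypto.Signer)
	if !ok {
		return nil, fmt.Errorf("key of type %T cannot sign", key)
	}
	return signer, nil
}

// PrivateKeyMatchesCSR verifies the CSR's own signature, then checks that the key file
// holds the private half of the public key embedded in the request, so the pair (and
// the certificate the CA later issues for it) belong together.
func PrivateKeyMatchesCSR(keyPEM, csrPEM []byte) (bool, error) {
	kb, _ := pem.Decode(keyPEM)
	if kb == nil {
		return false, fmt.Errorf("key file is not PEM")
	}
	key, err := parseKeyBlock(kb)
	if err != nil {
		return false, err
	}
	cb, _ := pem.Decode(csrPEM)
	if cb == nil || cb.Type != "CERTIFICATE REQUEST" {
		return false, fmt.Errorf("request file is not a PEM CSR")
	}
	csr, err := x509.ParseCertificateRequest(cb.Bytes)
	if err != nil {
		return false, err
	}
	if err := csr.CheckSignature(); err != nil {
		return false, err
	}
	pub, ok := key.Public().(interface{ Equal(crypto.PublicKey) bool })
	return ok && pub.Equal(csr.PublicKey), nil
}

func main() {
	keyPEM, csrPEM := MakeKeyAndCSR("acs.corp.example")
	fmt.Println(PrivateKeyMatchesCSR(keyPEM, csrPEM)) // the key and its own request
	fmt.Println(PrivateKeyMatchesCSR(csrPEM, csrPEM)) // the thread's mistake: CSR offered as the key file
}
```

The key file is produced at the moment the CSR is, and only that file can be paired with the certificate the CA issues; if it cannot be found, the request has to be regenerated and resubmitted rather than reconstructed from the CSR text.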

  • PEAP & ACS & machine authentication

    OK, here's the issue :
    Customer site - 1130 series LWAPP APs, WLC 4400 series with 4.2 release, WCS with 4.2 release.
    ACS SE 4.0 and a second ACS SE with 4.1
    Windows XP clients using WZC, all settings for connecting to WLAN are set, and everything works fine as long as the user has logged onto the lappie previously using a wired connection.
    Machine authentication not working. i.e. a user can't logon until they've previously logged on.
    Nothing shows on ACS failed or passed attempts. All settings for PEAP machine authentication are setup as per Cisco docs on the ACS. Client end ok.
    Tried a GPO to push MS 802.1x settings for EAPOL and Supplicant info to machines, but still no machine logon.
    ACS using a self signed cert, option to validate server cert on XP wzc unchecked.
    Can't see wood for trees now, bits of kit will start to leave the building via the window before much longer....
    Please tell me we don't need to install certs on clients - I thought PEAP was server side only? Surely?
    Help, someone, help...

    This does work with Microsoft's EAP Supplicant as I have tested it in the lab and deployed it on a customer site. It was a while ago though....
    I referred to this document on MS's site:
    http://www.microsoft.com/technet/network/wifi/ed80211.mspx
    Plus probably the same document you were using from CCO.
    I also installed the two Microsoft Wireless updates for XP SP2 computers; however I am not 100% sure these were essential. The default supplicant behaviour worked OK as the APs send EAP frames to the associated wireless clients, which kick-starts the supplicant on the PC. I think the wireless profile needed to be on the PC (SSID & its settings); this can be pushed via GPO, but if the machine has never been on the network (wired/wireless) you can get into a chicken-and-egg situation.
    You don't need to use the Cisco supplicant.
    HTH
    Andy

  • [WLAN] Use 802.1x with PEAP without Certificates?

    Hello there,
    Is it possible to use 802.1x with PEAP authentication via MS-CHAPv2 without checking the server's certificate? I can't find an option to disable it.

    On which device? You can set the authority certificate to none or choose one from the list.
    ‡Thank you for hitting the Blue/Green Star button‡
    N8-00 RM 596 V:111.030.0609; E71-1(05) RM 346 V: 500.21.009

  • ACS Certificate import failure

    Hello All,
    trying to get a certificate imported on an ACS collector. The import (apparently) fails with this:
    >> 1 certificates found for server authentication usage.
    >> Enter the number of the certificate you want AdtServer to use for authenticating
    >>   to AdtAgent or 0 to quit without saving: 1
    >> Certificate 1 selected. Attempting to save thumbprint to registry ...
    >> failure.
    No errors, no messages, no event logs - no nada. I'm not even sure the import actually failed (how to verify ??).
    Anyone happen to have an idea on how to troubleshoot this? I tried tracing registry access with Sysinternals ProcMon, but nothing interesting really stood out.
    Thx in advance for help and/or pointers!
    Rgds - M.

    Hi,
    here you can find more information on how to configure certificates for ACS forwarders and collectors:
    How to configure Audit Collection System (ACS) to use Certificate based authentication,
    How to Configure Certificates for ACS Collector and Forwarder
    Regards,
    Ivan

  • ACS CERTIFICATE ISSUE

    Hi
    We have Cisco APs set up around our building. This is controlled by our WLC. We also have a Cisco ACS server set up. Some of our domain users are able to go to our customers' sites, which are on different domains, and are able to gain access to their own home domains by logging on with laptops. I know the customer's IT department is using RADIUS and Aruba Wireless.
    I have been asked if we can allow customers to come to our office and allow them to log onto their laptops, connect remotely through our wireless and let them connect to their domain.
    I believe this is possible through the ACS server. The ACS server would have the customer domain name configured in user and identity, RADIUS identity servers. The user would log in and authenticate and would be directed through a different VLAN to the customer AD.
    I have set up a test WAP on our WLC, Logged in with a laptop which is running windows 7 that does not belong to our domain. The ACS can see this but will not grant access. I believe that this is a certificate problem.
    Are there any settings that I may have missed or can anyone shed any light or advice on this please. 
    Thank you
    Regards

    Jayesh,
    You can use the RADIUS proxy feature in ACS: when the external users connect you can build a rule such that "username ends with external.com" uses the RADIUS proxy server "A". You will need to build the proxy connection with their RADIUS server.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Cisco AP disable PEAP server certificate validation

    Hi,
    My question is whether it is possible on Cisco 1600 APs to disable the server certificate validation on a dot1x PEAP authentication method (please provide the appropriate CLI, if any).
    I know that in PEAP, for a PEAP user implementation, you want to validate the server as this is PEAP phase 1.
    But we want to use PEAP only as machine authentication, for which I don't care about the validation of the server; hence, like in Windows, where you have a check box, so you can disable the validation of it.
    Thanks in advance,
    Kind regards,
    Michel

    Not really, let me explain the topology;
    we want to enable 802.1x on the network switches and let the Cisco AP authenticate (PEAP-MSCHAPv2) to the switch via 802.1x. Therefore we specify the following config on the AP:
    eap profile PEAP
     method peap
    dot1x credentials test
     username
     password xxxxxx
    interface GigabitEthernet0
     dot1x pae supplicant
     dot1x credentials test
     dot1x supplicant eap profile PEAP
    The question is whether there is a possibility to disable the server certificate validation (like in Windows), because we want to verify the AP, and yes, I know that for a PEAP user implementation it is good practice to validate the server certificate.
    Kind regards,
    Michel

  • ACS certificate renewal

    Hi all,
    It's time for me to renew the certificate on an ACS appliance running 4.2.
    For renewal, what is the process to follow?
    I am using a Windows 2003 CA.
    Thanks

    Hi,
    It depends on the CA server policy; some CA servers want you to regenerate the CSR and others don't. You need to contact the CA administrator for this.
    However, here is the link that can help you get the cert for ACS:
    Note: Look at figure 3-39
    http://preview.cisco.com/en/US/docs/solutions/Enterprise/Campus/IBD/cfg1XCG_ch3.html#wp1044337
    Thanks
    Waris Hussain.

  • Stopping ACS certificate being offered to clients

    Hi,
    Hopefully someone will be able to assist with this.
    We have an issue where our wireless network is sending out the TLS certificate to new clients. We use this as a method of controlling which devices can access our network through wireless, so we don't really want to be sending it out to any old client that gets authenticated.
    We want to manually place the certificate on the machines so that users can't add their phones or own devices to the network.
    I believe this is either an issue with the ACS server or the WiSMs.
    Any help would be much appreciated.
    Thanks
    Luke

    Hi Luke,
    You can configure two types of certificates in ACS:
    • Trust certificate—Also known as CA certificate. Used to form CTL trust hierarchy for verification of remote certificates.
    • Local certificate—Also known as local server certificate. The client uses the local certificate with various protocols to authenticate the ACS server. This certificate is maintained in association with its private key, which is used to prove possession of the certificate.
    For more information please go through this link:
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/user/guide/acsuserguide/admin_config.html#wpxref44329
