:: PEAP Certificate on ACS ::

hi all,
Is it possible to have 2 CA certificates for PEAP in one ACS server? Only one active.
I'm using a test certificate and I want to install the production one. I know that only one should be active, but I'm looking for this to decrease the downtime for users when I change the certificate.

As far as I know, you cannot have two CA certificates for PEAP in one single ACS server

Similar Messages

  • Certificate on acs

    Hello Folks
    WiFi users are authenticated via single sign-on on MS AD using ACS (802.1X).
    The question is: is it mandatory to generate a certificate in the ACS and then export it to the controller in order to let the authentication work?

    Hi Ibrahim,
    How are you?
    First, what 802.1X EAP are you using? What ACS rev are you on?
    I will assume PEAP.
    1) ACS cert is required. You have 2 options for a certificate.
         a. You can do a self-generated certificate which is created on and by the ACS server. This cert lasts 12 months from the time you create it. Here is further reading on the ACS self cert.
         Personally, I'm not a fan of the self-signed ACS certificate. Because if you validate the cert on the client you will need to push this cert to each client. I will explain that later.
    Self-signed Certificate Setup (only if you do not use an external CA)
    Note: When you test in the lab with self-signed certificates, it results in a longer authentication time the first time a client authenticates with the Microsoft supplicant. All subsequent authentications are fine.
    Complete these steps:
    On the Cisco Secure ACS server, click System Configuration.
    Click ACS Certificate Setup.
    Click Generate Self-signed Certificate.
    Type something into the Certificate subject field preceded by cn=, for example, cn=ACS33.
    Type the full path and name of the certificate that you want to create, for example, c:\acscert\acs33.cer.
    Type the full path and name of the private key file that you want to create, for example, c:\acscert\acs33.pvk.
    Enter and confirm the private key password.
    Choose 1024 from the key length drop-down menu.
    Note: While Cisco Secure ACS can generate key sizes greater than 1024, the use of a key larger than 1024 does not work with PEAP. Authentication might appear to pass in ACS, but the client hangs while authentication is attempted.
    Check Install generated certificate.
    Click Submit.
         b. You can get a CA-signed certificate. If you are using 4.x ACS you can generate what is called a CSR, Certificate Signing Request. You then send the CSR to a CA and they generate a cert for you.
    Here is a link to read up on the CA certificate.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080545a29.shtml#t14
    How and where to install the certs and how it works...
    1) The cert is installed on the ACS server and the client IF a) you are validating the cert on the client b) you are using an ACS self-signed cert.
    So the ACS server has a cert installed on it. This cert is used to build a secure tunnel between the ACS server and the wireless client so that when the wireless client passes its credentials they cannot be seen, as they are passed in the tunnel created by the certificate (think HTTPS).
    When a wireless client connects, the WLC / WLAN is configured with 802.1X. So the WLC passes all the authentication traffic directly to the ACS. So the WLC DOESN'T NEED TO KNOW ABOUT THE CERT. This chatter is just between the ACS and the wireless client, and the WLC acts as the middle man.
    So the wireless client connects. The ACS server sends the cert (the one you added) to the wireless client. The wireless client has 2 configurable options: 1) Validate the certificate 2) Not validate the certificate. If you validate the certificate then that cert needs to be on the client, because the client is going to look at the cert presented by the ACS server and see if it has it in its root store, thus validating it. Or you can not validate it. If you don't validate it, it's a BIG security boo boo.
    Make sense?

  • Public Certificate for ACS

    Can anyone tell me if there are security issues with using a public certificate on ACS to be utilized for PEAP authentication? Trying to make this more manageable for our Windows Mobile devices and what they have by default for root CAs. Thanks

    I would say a partial yes to your post. Since ACS is going to assign the certificate: if the ACS server is secure, hence the certificate.

  • Installing Certificates on ACS 3.3 for Windows

    We have a Microsoft CA and we have installed the certificates on ACS, but the certificate doesn't show up in the trust list. Anyone have any ideas? ACS will allow me to turn on PEAP but authentication fails.

    Configuring for PEAP or EAP-TLS can be tricky and there are lots of caveats. This EAP-TLS deployment guide has some info on cert setup that should be equally applicable for PEAP as well.
    http://www.cisco.com/en/US/netsol/ns339/ns395/ns176/ns178/networking_solutions_white_paper09186a008009256b.shtml#wp39247

  • Using certificates with ACS

    Do any of you know how to configure certificates in ACS? Any reference for this issue?
    thanks

    Have a look at these:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00804721c3.shtml
    http://www.geocerts.com/support/install/install_cisco_acs.php
    Regards
    Farrukh

  • PEAP + Dell WNics + ACS + NDS/eDir -- Can it work?

    PEAP + Dell WNics + ACS + NDS/eDir + Novell Cert Server -- Can it work?
    I am supposed to do a global WLAN rollout next year and would like to use PEAP, but we are a Novell shop and use the Novell Client. Should I attempt to go down this road, or take the easy way out by making the clients VPN back in?
    Thanks!
    Tim

    Yes it can work if you have the correct Dell. There are two types of EAP. One by Microsoft that comes with XP SP1 and a downloadable client for 2000 etc. The other is Cisco's version that uses the Aironet Client Utility. Microsoft's version does not authenticate against any user database except those that support MSCHAP (Microsoft only). Cisco's supports MSCHAP and many others, including NDS and generic LDAP. You must use Cisco's for this to be possible. In order to use Cisco's you must either have an Aironet client card or have hardware that has the "Cisco Compatible Extensions" (CCX) built in. Many vendors are jumping on the CCX roadmap and these extensions are being built in to many laptops with built-in wireless NICs. If you have the right hardware, just download the Aironet Client Utility from the Cisco website and configure it as if you had a Cisco NIC installed. The following link has a list of the models that have CCX. Dell is one of them, just check your model against what they have listed. Hope this helps.
    http://www.cisco.com/en/US/partner/partners/pr46/pr147/partners_pgm_partners_0900aecd800a7907.html

  • Installing certificate on ACS Server

    I want to install the certificate on the ACS server. I have taken the option Generate Certificate Signing Request and configured all parameters like Install ACS Certificate, authority setup and trust list. The certificate has been generated and installed on the machine. But when I try to log in to the system it is working normally with HTTP only. How can I change it to HTTPS? Please, anyone help me.

    Hi,
    To enable HTTPS for ACS:
    Go to Administration Control -- Access Policy -- SSL Setup -- Use HTTPS Transport
    To create & install a server certificate:
    System Configuration -- ACS Certificate Setup -- Generate Self Signed Certificate -- Fill in the details -- Select Install Generated Certificate
    Restart ACS services under Service Control
    When you try to log into the ACS you would get a warning -- Select Yes
    Tnx,
    somishra

  • Enterprise Wireless 802.1x WEP EAP-PEAP Support with ACS Certificate

    Hi,
    Does BB10 support this type of connection?
    Thanks.

  • Self Signed Certificate For ACS

    Hi,
    I am running version 4.1 of the ACS appliance and was wondering if anyone knew of a way to get around the limitation of the 1 year self signed certificate? We had no external CA infrastructure.
    Is there a way of creating the CA certificate on an external (temporary) Windows/Linux box and then importing this onto the ACS for use?

    This will be on an isolated network and will only authenticate/authorize a few switches and routers. No MS/Linux on this LAN will use ACS; do you still have to create the CER? I could only find where that is needed for EAP, PEAP, HTTPS, Posture Validation, etc. I'm just trying to get the basics working so I can get this started and tested, then move to other things. If you think this is still needed, I'll create the self-signed one, but I'm not sure if it will do any good. Thanks for the reply.

  • PEAP certificate check

    Authentication anomaly!!
    I have been testing 802.1X authentication on wired networks. When deploying a machine certificate (Windows 7), the machine gets the certificate, then I turn on PEAP-MSCHAPv2 and everything works OK. The machine checks the NPS server's certificate, creates a tunnel for the encrypted password, and authentication works OK.
    On Windows Server 2008 R2, if you delete the machine certificate on the client, authentication fails, but on Server 2012 R2, if I delete all certificates (machine and root CA), the machine gets authenticated? On both Windows versions everything else works as it should (EAP-TLS and PEAP-TLS).
    Any comments? Bug?
    Matjaz

    On 2008 NPS denies access on PEAP-MSCHAPv2. Also the log displays access denied. There is also no EAP-TLS enforcement with 2008 R2. In 2012 R2 logs you see the computer as authenticated. As I said, two servers, different OS, same infrastructure, same switch, same policies on both servers, same clients; I just switch who is authenticating clients. When I authenticate without client certificates against 2008 R2 NPS I get denied; I change the server to 2012 R2 NPS, reboot the client and I get authenticated. Then again I check for certificates and they are not there?
    The strangest thing is that one of our customers was having problems with EAP session timeouts (in the NPS log).
    That was the reason I started testing why these timeouts appear, which led to this anomaly. If I configured PEAP-MSCHAPv2 there were no timeouts (in my test environment and also at the customer's infrastructure). As soon as I selected authentication that involves EAP (EAP-TLS or PEAP-EAP-TLS), session timeouts are there. I also tried different MTU sizes, but timeouts are still there.
    The customer's network authentication was configured by them; we were just called to debug the problem. So I saw these strange things in my lab and also at the customer's network (EAP session timeout and strange authentication).
    The first thing was to enforce 802.1X authentication in advanced settings in the GPO for wired networks, the second was to update Intel LAN drivers to the latest version (I already had problems with these drivers, which were randomly crashing Win7 clients).
    Matjaz

  • EAP-PEAP Certificate Handling

    Hi All, for evaluation purposes I played with EAP-PEAP. Is there a way to check if an SSL tunnel is established between the supplicant and the authentication server? What does PEAP do if the RADIUS server certificate is not locally installed? I wonder, but it seems to work without it... Regards, Michael

    There is an option in the Microsoft supplicant to ignore the RADIUS server's certificate: Wireless Network Properties, Authentication, PEAP Properties, Validate Server Certificate checkbox. I am not sure what the default is but this is what you are looking for.
    Andy

  • ACS Wildcard Certificate Install for PEAP

    Does ACS support Wildcard certificate authentication, such as *.domain.com?  We installed the certificate through ACS using CA, but when using wireless devices, the certificate is still not verified.  Any information would be helpful before we go and purchase another certificate.  Thank you.

    Can someone validate whether wildcard certs are supported with ACS and PEAP, please.  I'm running into the same issue that Jason outlines above.  It seems that Windows clients specifically don't like the wildcard cert. I have tried with Mac and iPhone and they seem to work if you accept the cert into the keychain on first connect.

  • ACS 4.1 PEAP using public signed certificate (verisign)

    Hi,
    Could you give me some advice about the PEAP implementation with the ACS server? I understand that a self-signed certificate should work well, but I have these thoughts. The self-signed certificate is valid for 1 year and after this period a new self-signed certificate has to be created. What would be the impact on the wireless users at this point? What I understand is that the new certificate should also be imported to the clients so they can validate the server certificate. If that is correct (not sure though) this will bring a huge amount of work when the certificate has expired and having hundreds of wireless clients.
    Is it possible (and what are the requirements of the certificate itself) to install any publicly signed certificate like Verisign's on the ACS for the PEAP process? Will that ease the workload when the certificate has to be renewed? I assume that any Windows machine, for example, has by default trusted root certificates (Verisign) in its store and no further interaction should be needed on the client side.
    kind regards
    Boris

    hi there ..
    First we need to understand why a cert is important. A cert is used to create a tunnel that allows the wireless client to send their logon in a secure fashion. So if you could imagine a tunnel over wireless/wired between your client and the RADIUS server.
    The idea of trusting the cert is SPECIFIC to the wireless client. You can choose to TRUST the cert or NOT. Totally client independent. Why this is important: suppose for a moment that someone comes into your place of business and broadcasts your SSID from their AP. Your clients could attach to this AP. And suppose they run FreeRADIUS on a small box. From this RADIUS server this person sends a BOGUS cert. If your client isn't trusting the correct cert, or not trusting ANY, your client will accept the bogus cert, build a TLS tunnel, and send their logon.
    Can you get a signed cert? Yes, most folks do as it eases deployment. Or if you have a PKI you can push your own cert.
    Also, note you can have your client really analyze the cert and only trust specific certs and cert common names, for example ACS01-ABC.
    I hope this helps ..
    Please support the rating system if you find any of this helpful!
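The two explanations of client-side trust in this thread (the "How and where to install the certs and how it works" walkthrough in the first reply, and the rogue-AP scenario plus "only trust specific certs and cert common names" advice just above) can be worked through as code. What follows is an added example, not from the thread and not Cisco ACS or Windows supplicant code: a Go program using only the standard library that generates a corporate root CA, a genuine ACS certificate, a second corporate certificate for an unrelated host, and an attacker-controlled CA whose certificate carries the ACS name, then runs each through three supplicant policies: the server-certificate check unticked, ticked with the corporate root pushed to the client, and ticked with the root plus an exact server name. The host names acs01.example.internal and web01.example.internal, the CA names, and the SupplicantPolicy, acceptServerCert and Demo identifiers are all constructed for this illustration. It also covers the "validate server option checked / unchecked" split in the ACS 4.2 reply further down.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueCert generates a fresh P-256 key and a one-year certificate for cn; with parent == nil it is self-signed (a root CA).
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough for a constructed demo
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour), // the one-year lifetime the thread keeps mentioning
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		// RADIUS server cert: server-auth EKU plus the server name as a SAN, which is what Verify matches DNSName against.
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// SupplicantPolicy models the client-side choices discussed in the thread.
type SupplicantPolicy struct {
	ValidateServerCert bool           // the "Validate server certificate" checkbox
	Roots              *x509.CertPool // what has been pushed into the client's root store
	ServerName         string         // optional: trust only a certificate issued for this exact name
}

// acceptServerCert returns nil when the supplicant would build the TLS tunnel and send credentials through it.
func acceptServerCert(p SupplicantPolicy, presented *x509.Certificate) error {
	if !p.ValidateServerCert {
		return nil // no check at all: whatever the RADIUS side presents is accepted
	}
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     p.Roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSName:   p.ServerName, // empty string skips the name check
	})
	return err
}

// Demo runs three supplicant policies against three server certificates and reports which were accepted.
func Demo() map[string]map[string]bool {
	corpCA, corpKey := issueCert("Example Corp Root CA", true, nil, nil)
	acsCert, _ := issueCert("acs01.example.internal", false, corpCA, corpKey)     // the genuine ACS
	webCert, _ := issueCert("web01.example.internal", false, corpCA, corpKey)     // same CA, different host
	rogueCA, rogueKey := issueCert("Rogue AP CA", true, nil, nil)                 // attacker's own CA
	rogueCert, _ := issueCert("acs01.example.internal", false, rogueCA, rogueKey) // rogue cert carrying the ACS name
	corpRoots := x509.NewCertPool()
	corpRoots.AddCert(corpCA)
	policies := map[string]SupplicantPolicy{
		"no validation":        {Roots: x509.NewCertPool()},
		"validate root":        {ValidateServerCert: true, Roots: corpRoots},
		"validate root + name": {ValidateServerCert: true, Roots: corpRoots, ServerName: "acs01.example.internal"},
	}
	results := make(map[string]map[string]bool)
	for name, p := range policies {
		results[name] = map[string]bool{
			"genuine":    acceptServerCert(p, acsCert) == nil,
			"rogue":      acceptServerCert(p, rogueCert) == nil,
			"other-host": acceptServerCert(p, webCert) == nil,
		}
	}
	return results
}

func main() {
	for name, r := range Demo() {
		fmt.Printf("%-22s %v\n", name, r) // fmt prints map keys in sorted order
	}
}
```

With the checkbox unticked every certificate is accepted, including the rogue one: that is the "BIG security boo boo" from the first reply. Pushing only the corporate root rejects the rogue CA but still accepts any other certificate that root ever issued, so a compromised internal web server's certificate would do; adding the exact server name closes that gap, which is the "trust specific certs and cert common names" point. One caveat: Go's Verify matches DNSName against the subject alternative names, not the CN field the posts refer to, so the example places the server name in the SAN as any current CA would.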

  • ACS Not installing renewed SSL Certificate for PEAP/EAP-TLS?

    We recently renewed our SSL certificate through RapidSSL. While attempting to install the new certificate into ACS, I was given the prompt showing the updated dates, confirmed and installed the new certificate, deleting the old. I restarted ACS, as required, but when trying to enable PEAP or EAP-TLS, I am getting the error "Failed to initialize PEAP or EAP-TLS authentication protocol because ACS certificate is not installed."
    The worst part is that when I tried to reinstall the old certificate, I am now getting the same problem.
    Any suggestions?

    Matt,
    How did you perform the CSR.... did you use ACS or OpenSSL? Also, did you verify that the certificate is in the trusted personal folder on the server?
    Scott

  • ACS 4.2 RADIUS - Wireless - Certificates

    I setup our ACS 4.2 server for TACACS and also to provide RADIUS authentication for our WLAN and eventually will use it for 802.1x authentication for the LAN.
    I am not an expert on certificates. I called TAC to get assistance installing the self-signed certificate on ACS. This allowed me to build and test my WLAN. Now that I am near the point of going live with this I'd like to install a certificate that won't expire in 1 year.
    How do most people do this? We do have a Windows 2003 server that acts as the Certificate Authority for other services. Should I be doing something with that? And how do most people get these certificates deployed to the clients? By GPO?
    Clearly I am not very familiar with certificates and I apologize for this, but reading about them is getting confusing. If someone could point me in the right direction that would be a big help! Thank you!
    Edit: I should mention I've been using PEAP with the self-signed certificate, and currently manually installing the certificate on my test clients. As it is right now everything on my WLAN works great: authentication, VLAN assignment, etc. I'm just confused on the best practice for the certificate.

    ACS can only provide validity of one year. Using Microsoft CA you configure it for 5...6...7 years, depending upon your need.
    It is easy to handle and manage it via GPO.
    Two PEAP scenarios,
    Using PEAP without the validate server option checked ---> Easy to deploy as the cert is required only on ACS.
    Using PEAP with the validate server option checked ---> Needs the CA cert on each client.
    Also you can get the certs from vendors like Verisign, Entrust, Equifax, GeoTrust etc. The advantage with these certs is that we don't have to install the CA on each client as it is installed by default on each operating system.
    Hope that helps!
    Regards,
    ~JG
    Do rate helpful posts
