PEAP Hardware ACS appliance

littledavewhite
Level 1

Hi, I have a client wanting to upgrade to PEAP. They have configured a CA and certificate and want to use the ACS for the RADIUS part. Does anybody have any experience of getting the certificate onto an ACS appliance and how to get the MSCHAP portion working with Windows? I can see lots of info on using an ACS on a Windows platform but very little on the hardware ACS.


11 Replies

andrew.brazier
Level 4

On the ACS SE, go to System Configuration, ACS Certificate Setup, Generate Certificate Signing Request and complete the form. Note that in the Certificate Subject the best format to use is: cn=acs.company.com,c=gb (note the C for country code, important!) The Private Key File can be called something like c:\cert.pvk.

Set the key length to 1024 (2048 won't work with wireless) and click submit. That will generate a Certificate Signing Request visible in the web browser. Copy this and save it as a text file with a .cer extension.

Submit the CSR text file to your CA and it will generate a response file which is your certificate. You can open this file with a text editor and copy the contents (make sure you copy ALL the data in the file). Go back to the ACS and go to System Configuration, ACS Certificate Setup, Install ACS Certificate. You can paste in the certificate data and enter the private key information, then click install. If all is well it will install the cert and display its details.

You can then go to System Configuration, ACS Certificate Setup, Global Authentication Setup and configure EAP.

The adminguide for the ACS SE is here:

http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_user_guide_book09186a00805895bb.html

I'd check what I've described against the guide, I'm going from memory! : )

Thanks for this, I'll let you know how I get on.

Hi,

Check out this PEAP guide.

Regards,

~JG

Andrew, wonder if you can help.

I have created a certificate request on the ACS and copied this into a text file. I then go to the CA and submit a new request. I then get an error stating no template information. I have created a template for ACS with exportable keys but I cannot see where you apply the template to the initial request.

Hmmm, I guess you're using a Windows CA you've configured yourself? I try and avoid this as it's rather tricky but it can be done! Rather than type it all out there's a very good description of what to do in the following config guide:

http://www.cisco.com/application/pdf/en/us/guest/netsol/ns617/c649/cdccont_0900aecd8040bbd8.pdf

Start on page 99 with step 5. You will also need to extract the root cert from your CA (steps 1-4) and import that into your ACS SE from an FTP server and edit the trusted CAs (think that's what it's called) list so your CA is trusted.

OR you could save yourself a whole load of hassle and buy a cert online from www.rapidssl.com. It's $59 for a 1 year cert, the order process takes about 20 minutes tops and you don't need to worry about adding root certs to your ACS (still need to edit the trust list though) or PCs. Much easier!
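As an added example (not code from the thread or from Cisco), the CSR, signing and install checks from the earlier reply, plus the trust-list point made here, replayed with the OpenSSL command line: the script stands in for both the appliance and the customer's CA, and acs.company.com and "Company Root CA" are constructed names.

```shell
#!/bin/sh
# Added example (not from the thread). Walks the CSR -> CA -> certificate flow
# with OpenSSL so each artefact can be checked before it is pasted into the ACS SE.
# Hypothetical names: acs.company.com and the constructed "Company Root CA".
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
KEYBITS=2048   # set to what the appliance accepts (the thread reports 1024 for ACS SE)

# Step 1: private key (the thread's "cert.pvk") plus a CSR with subject cn=...,c=gb.
gen_csr() {
  openssl req -new -newkey "rsa:$KEYBITS" -nodes -keyout "$WORK/cert.pvk" \
    -subj "/C=GB/CN=acs.company.com" -out "$WORK/acs.csr" 2>/dev/null
}
# Prints the CSR subject in RFC 2253 form so the CN and C can be eyeballed.
csr_subject() { openssl req -in "$WORK/acs.csr" -noout -subject -nameopt RFC2253; }

# Step 2: a constructed CA stands in for the customer's CA and signs the request.
issue_cert() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -subj "/C=GB/CN=Company Root CA" -days 365 -out "$WORK/ca.crt" 2>/dev/null
  openssl x509 -req -in "$WORK/acs.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/acs.crt" 2>/dev/null
}

# Check A: the PEM you are about to paste parses (a partial copy does not).
cert_is_complete() { openssl x509 -in "$1" -noout >/dev/null 2>&1; }

# Check B: the certificate carries the public key of the private key being installed.
key_matches_cert() {
  k=$(openssl pkey -in "$WORK/cert.pvk" -pubout 2>/dev/null | openssl md5)
  c=$(openssl x509 -in "$WORK/acs.crt" -pubkey -noout | openssl md5)
  [ "$k" = "$c" ]
}

# Check C: a supplicant only accepts the ACS cert if the issuing root is in its
# trust store ($1). An empty $1 models a PC that never received the private root.
client_trusts() {
  if [ -n "$1" ] && openssl verify -CAfile "$1" "$WORK/acs.crt" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

gen_csr; issue_cert
head -c 300 "$WORK/acs.crt" > "$WORK/partial.pem"   # simulate an incomplete copy/paste
echo "CSR $(csr_subject)"
```

A cert bought from a public CA passes check C on a stock Windows PC without any root deployment, which is the shortcut recommended in this reply; a private-CA cert passes it only on PCs that have received the root.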

Hi Andrew

Managed to get it working and FTP the cert over to the ACS. The Windows setup for the certificates is a nightmare!! You mentioned buying a cert; when you receive it, do you have to put this on the ACS and the clients? Any idea on deploying it to the clients? You can probably tell certificates and PKI are not my strong points. Thanks for all the help so far, at least I'm nearly there.

Windows certs sound good "hey, it's FREE" but when you try and implement it it's such a pain it's easier to buy one. AND if you buy one from rapidssl (or Thawte or Verisign) then the good news is that the root cert is built in to Windows/IE so no client side deployment needed! Everybody wins.

Andrew

I think the penny has finally dropped: the client needs to have the trusted root cert that is already in Windows? The cert you purchase for the ACS SE has been derived from the root or the chain of certificate servers. So I can buy a cert and then input this into the ACS; the only issue is that I will have to pay for a new cert every 12 months or on expiry. If this sounds right, please let me know. Thanks for all your help on this one.

You got it! : )

Just one thing about "bought" certs, you can buy a cert with a lifetime of more than 1 year, rapidssl can provide a 1, 2, 3, 4, or 5 year cert, the 5 year is about $300 so it's pretty cheap.

Hi Andrew,

5 well deserved points here for your good work! Very informative :)

Take care,

Rob

Rob,

Many thanks for your kind words, glad it was of some use. : )
