ACS Appliance fails to recognize an installed certificate

Answered Question
Oct 1st, 2007

When I install a certificate from the Windows CA-server, following the procedure from "Wired Dot1x version 1.05 Config guide" (Document ID 64068) and the "ACS SE User Guide", I have the following problem. If I want to change the "Global Authentication Settings", I get the warning "Failed to initialize PEAP or EAP-TLS authentication protocol because CA certificate is not installed. Install the CA certificate using ACS Certification Authority Setup page."


But if I check in "install a certificate", it says that the certificate is correctly installed and it is also added with the "Authority Setup" page.


I already found the following in the AS 4.1.4 release notes: "disable the security agent, reinstall the certificate following the procedure and then re-enable the security agent".


I did this but I still get the same error, although the Security agent is turned off (I checked it in the console with the "show" command and the CSA is turned off).


Can anyone help me make it recognize the installed certificate?


P.S. I also see 2 devices in the AAA-server list:

-ACS01 (the name I gave it in the initial configuration). This one has an IP-address from the DHCP-server, although I specified NOT to use a DHCP but a static IP!


-Self: this one does have the static IP that I configured via the console ...


I cannot delete one of these AAA-servers. Is it normal that there are 2 servers?

Correct Answer
Jagdeep Gambhir Mon, 10/01/2007 - 05:03

Bert,

It seems that the CA certificate that you installed is either corrupted or not properly installed. What I would like you to do is to delete the CA certificate using the MMC on Windows in ACS and then reinstall it.

You also need to install the CA root certificate in ACS. You can install the CA root certificate in System Configuration -> ACS Certificate Setup -> ACS Certificate Authority Setup.



Also, in case you are using a VeriSign cert, then you need to install the VeriSign Intermediate CA Certificates.


https://www.verisign.com/support/verisign-intermediate-ca/index.html



Regards,

~JG






bert.lefevre Mon, 10/01/2007 - 05:25

Thank you for your quick reply.

The problem was indeed that the CA root certificate wasn't added with the Certificate Authority Setup. So the problem is now solved.


I've also noticed that it is necessary to mark the CA root certificate in the "Certificate Trust List" in order to solve my mentioned problem (this step is forgotten in several guides, including the Dot1x config guide).


One more question: do you think it is normal that there are 2 AAA-servers displayed ("ACS01" and "Self")?


Thank you for your help!
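As an added illustration (not from the thread or from Cisco): the state Bert describes, a server certificate that shows as installed while PEAP/EAP-TLS still refuses to start, is the same condition any chain validator reports when the issuing root is missing from the trust list. The script builds a throwaway root CA and appliance certificate with openssl (all names constructed) and checks the chain with an empty trust list and with the root added.

```shell
#!/bin/sh
# Constructed demo: a private root CA (standing in for the Windows CA server)
# issues a server certificate for the appliance. Validation succeeds only when
# that root is present in the trust file handed to the verifier.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed root CA certificate and key
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=Example Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1

# Constructed appliance certificate request, then signed by the root
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=acs01.example.test" \
  -keyout "$WORK/acs.key" -out "$WORK/acs.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/acs.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 1 -sha256 -out "$WORK/acs.pem" >/dev/null 2>&1

# verify_chain CERT TRUSTFILE: exit 0 if CERT chains to a root in TRUSTFILE.
# The trust file plays the role of the ACS Certificate Trust List.
verify_chain() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Empty trust list: the server cert is "installed" but its issuer is unknown,
# which is what the appliance reports as "CA certificate is not installed".
: > "$WORK/empty.pem"
if verify_chain "$WORK/acs.pem" "$WORK/empty.pem"; then
  echo "empty trust list: trusted (unexpected)"
else
  echo "empty trust list: untrusted, issuer not in trust list"
fi

# Root added to the trust list: the chain now validates.
if verify_chain "$WORK/acs.pem" "$WORK/root.pem"; then
  echo "root in trust list: trusted"
else
  echo "root in trust list: untrusted (unexpected)"
fi
```

Checking the chain this way before touching the ACS settings tells you whether the failure is a missing root or a corrupted certificate file.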



Correct Answer
Jagdeep Gambhir Mon, 10/01/2007 - 05:35

Bert,

Yes, it is normal to see two servers in the case of an ACS appliance. You need to make sure that in


ACS --> Network Configuration ---> Proxy Dis table ---> the "Forward To" box has deleverence1 only, and your server name is in the left box.



Regards,

~JG


Please rate helpful posts




bert.lefevre Mon, 10/01/2007 - 05:49

Thank you,


I've checked the Proxy Dis table and my deleverence1 was on the left (in AAA-servers). The server name was on the right (forward to) so I had to switch them.


