
ACS Appliance fails to recognize an installed certificate

bert.lefevre
Level 1

When I install a certificate from the Windows CA-server, following the procedure from "Wired Dot1x version 1.05 Config guide" (Document ID 64068) and the "ACS SE User Guide", I have the following problem. If I want to change the "Global Authentication Settings", I get the warning "Failed to initialize PEAP or EAP-TLS authentication protocol because CA certificate is not installed. Install the CA certificate using ACS Certification Authority Setup page."

But if I check in "install a certificate", it says that the certificate is correctly installed and it is also added with the "Authority Setup" page.

I already found the following in the AS 4.1.4 release notes: "disable the security agent, reinstall the certificate following the procedure and then re-enable the security agent".

I did this but I still get the same error, although the Security agent is turned off (I checked it in the console with the "show" command and the CSA is turned off).

Can anyone help me make it recognize the installed certificate?

P.S. I also see 2 devices in the AAA-server list:

-ACS01 (the name I gave it in the initial configuration). This one has an IP-address from the DHCP-server, although I specified NOT to use a DHCP but a static IP!

-Self: this one does have the static IP that I configured via the console ...

I cannot delete one of these AAA-servers. Is it normal that there are 2 servers?


Jagdeep Gambhir
Level 10

Bert,

It seems that the CA certificate that you installed is either corrupted or not properly installed. What I would like you to do is to delete the CA certificate using the MMC on Windows in ACS and then reinstall it.

You also need to install the CA root certificate in ACS. You can install the CA root certificate in System Configuration->ACS Certificate Setup->ACS Certificate Authority Setup.

Also, in case you are using a VeriSign cert, you need to install the VeriSign Intermediate CA Certificates.

https://www.verisign.com/support/verisign-intermediate-ca/index.html

Regards,

~JG

Thank you for your quick reply.

The problem was indeed that the CA root certificate wasn't added with the Certificate Authority Setup. So the problem is now solved.

I've also noticed that it is necessary to mark the CA root certificate in the "Certificate Trust List" in order to solve my mentioned problem (this step is forgotten in several guides, including the Dot1x config guide).

One more question: do you think it is normal that there are 2 AAA-servers displayed ("ACS01" and "Self")?

Thank you for your help!
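
A pre-import check for the failure diagnosed above, as an added example that is not part of the original thread: it uses OpenSSL on an admin workstation to confirm that an exported CA root file parses and actually issued the server certificate before either is loaded into ACS. It assumes Base64 (PEM) exports; the function names, file names and sample certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-import check of a CA root file (PEM/Base64 files assumed).

# check_ca_for_cert CA_FILE SERVER_CERT_FILE
#   0 = CA file is intact and issued the server certificate
#   2 = CA file does not parse (truncated or corrupted export, or not PEM)
#   3 = server certificate names a different issuer than this CA
#   4 = names match but the signature does not verify against this CA
check_ca_for_cert() {
    ca=$1; cert=$2
    openssl x509 -in "$ca" -noout 2>/dev/null || {
        echo "CA file is not a readable PEM certificate"; return 2; }
    issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    subject=$(openssl x509 -in "$ca" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    [ "$issuer" = "$subject" ] || {
        echo "issuer mismatch: cert issued by '$issuer', CA file is '$subject'"; return 3; }
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || {
        echo "signature does not verify against this CA"; return 4; }
    echo "OK: '$subject' issued this certificate"
}

# make_sample DIR CA_CN: constructed throwaway root CA plus one server
# certificate signed by it (test data only, hypothetical names).
make_sample() {
    d=$1; mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=acs01.example.test" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/srv.pem" 2>/dev/null
}

# Demo on constructed data: the matching root passes, an unrelated root does not.
demo=$(mktemp -d)
make_sample "$demo/a" "Constructed Root A"
make_sample "$demo/b" "Constructed Root B"
check_ca_for_cert "$demo/a/ca.pem" "$demo/a/srv.pem"
check_ca_for_cert "$demo/b/ca.pem" "$demo/a/srv.pem"
rm -rf "$demo"
```

A file that passes this check still has to be added in ACS Certificate Authority Setup and marked in the Certificate Trust List, as described in the post above.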

Bert,

Yes, it is normal to see two servers in the case of the ACS appliance. You need to make sure that in ACS --> Network Configuration --> Proxy Dis table, the "Forward To" box has deleverence1 only and your server name is in the left box.

Regards,

~JG

Please rate helpful posts

Thank you,

I've checked the Proxy Dis table and my deleverence1 was on the left (in AAA-servers). The server name was on the right (forward to) so I had to switch them.
