10-02-2007 04:18 AM - edited 03-10-2019 03:25 PM
I'm currently experiencing problems with the installation of the ACS-certificate on the client. I'm using an external CA-certificate that is correctly installed on the ACS-server (see other topic).
Now the client also needs the ACS-certificate to be added so that an EAP-tunnel can be established between the client (Trust Agent) and the ACS-server.
Notice that the CA Root-certificate is added on the client under "Trusted Root Certificates" so that shouldn't be the problem.
When I'm using the supplied tool "ctacert.exe" like this:
ctacert.exe /add "C:\cert.cer" /store "root"
...I always get the following error:
"Cisco Systems Trust Agent Certificate has encountered a problem and needs to close. We are sorry for the inconvenience."
The next step I tried is to install the certificate manually (by double-clicking it and choosing the option "Install certificate"). I've chosen to install it in "Trusted Root Certification Authorities/Local Computer" (the so-called physical store). This was successful. However, the certificate, for some reason, isn't placed in "Trusted Root Certification Authorities", but in the "Other People" store.
When I'm starting up the client-computer I get prompted for the username several times, and sometimes I receive the following pop-up prompt:
"You have no certificate in your personal store to be used as credentials for authentication with network Cisco Trust Agent 802.1x ..."
There aren't any ACLs and stuff on the test routers so that can't be the problem.
Any help is greatly appreciated.
10-03-2007 02:04 AM
I always get the message "You have no certificate in your personal store to be used as credentials for authentication with network Cisco Trust Agent 802.1x wired client, access
But, as the EAP-type is EAP-FAST, I thought that no certificates were needed on both sides to perform the tunnel? So I don't understand why it says that there isn't a personal certificate?
10-03-2007 06:50 AM
Looks like I found the solution myself:
My client is in a test Windows domain, but the ACS isn't yet configured for external user database use. So I'm only using the internal database.
If you're in the same test situation, make sure that under "Global Authentication Setup > EAP-FAST configuration" the option "Require client certificate for provisioning" is unmarked under "allow authenticated PAC provisioning". Otherwise, the EAP-FAST SSL-tunnel might not be established.
grtz