Installing Certificates on the ACS Appliance

Oct 22nd, 2007

We have a Cisco ACS appliance (Cisco 1113), and are having a little trouble getting certificates to work.


I had some instructions on generating a certificate on a windows server and installing it, but this ultimately resulted in a server that we couldn't reach from anywhere (because nobody had an appropriate client certificate) and I had to reload the server.


We can currently get PEAP to work with our Windows clients and the server using a self-signed certificate, but for a wider implementation I'm still not sure what certificates need to be generated, which ones need to be placed on the server, which ones need to go on clients, and how to place them on the server and Windows clients.


I realize this is a fairly large question, but the different documents I've seen out there are all slightly contradictory, and in any case are all written with the Windows implementation of the Cisco ACS in mind.


Any help would be most appreciated.


-Ben

Jagdeep Gambhir Mon, 10/22/2007 - 15:05
User Badges:
  • Red, 2250 points or more

Ben,

Please check the attached doc. That should take care of your questions.



Regards,

JG

Do rate helpful posts



netopia Mon, 10/22/2007 - 15:50

Hello JG,


PEAP authentication is working. I want to use EAP type "Smart card or other Certificate" in the Windows client. When I choose a wireless network I get prompted to select "User name on certificate" and all I see are the client certificates I installed from my Windows servers. How can I generate and install a client cert using the Cisco ACS Appliance?

netopia Mon, 10/22/2007 - 18:55

Thank you. I was able to follow all the steps except #16. I don't have the same options mentioned in #16 on my Windows 2003 Server, which I use as my CA. I instead chose the option Request a certificate > User Certificate > Submit > Install this certificate.


When I am trying to connect with my wireless client, I get Authentication Failure-Codes on my Cisco ACS appliance:


1. External DB is not operational


I unchecked everything in the ACS Trust List except one name. Then I got the following error code:


2. Certificate name or binary comparison failed.


I then unchecked everything in my windows client except one name, where then I got the following error code:


3. EAP-TLS or PEAP authentication failed during SSL handshake.


What could it be, that is misconfigured?



netopia Mon, 10/22/2007 - 19:14

I forgot to mention, just in case it matters in regards to the error codes I am getting, that in step #6-C of the EAP-TLS Guide it states "Enter a name for the private key file" and in step #10-J it asks "Enter the path to the private key from step 6 C". I didn't enter a path in step 6, I only entered a name. So in step 10, after downloading the server certificate to the Appliance, I just clicked "Submit". The file name in the private key box was the same I had entered in step #6-C. I didn't get an error, so I think that the key was accepted somehow internally by the Appliance.

Jagdeep Gambhir Tue, 10/23/2007 - 04:54
User Badges:
  • Red, 2250 points or more

When you generate a CSR, you are asked for the name of a private key file. This file is stored (cached) on the appliance with the name you provided.



Regards,

~JG

netopia Tue, 10/23/2007 - 09:51

Good, that's what I had hoped for, especially since I was able to proceed with the cert and key installation.


Do you have any thoughts on my previous email regarding the different error codes?


Thanks.

netopia Tue, 10/23/2007 - 18:30

I was finally able to authenticate a Windows XP client after I checked all three options under EAP-TLS in System Configuration > Global Authentication Setup.


Now I have another challenge. I have an 802.1X supplicant (a DSL gateway device) which is using a certificate that was generated by a different CA, not by my Windows 2003 server. I downloaded the CA certificate file (TestDSLGtwyDeviceRoot.cer), added it to the Certificate Trust List and enabled it (marked the box). When the supplicant tries to connect, I get the following error code in the Cisco ACS appliance: Invalid Protocol Data. Unfortunately I have only been able to find a table with error codes, which doesn't describe what the problem could be.


Should my 802.1x supplicant be able to authenticate with the given configuration, or is there anything else I need to do?


Once more, any assistance is appreciated.


Thanks.

bert.lefevre Thu, 10/25/2007 - 00:37

The basic steps that I followed (for ACS SE 1113) are these (I work with an external Windows CA server).

1. Download the CA root certificate from the CA web interface to an FTP server.

2. Generate a signing request on the ACS appliance (in "certificate setup") and copy this.

3. Go to the CA web interface and choose
- Request a certificate -> Advanced certificate request
- Submit a certificate request by using a base 64-encoded ...

4. Paste the signing request output from your ACS SE into the "saved request" field.

5. Choose "web server" as certificate template.

6. Click "submit" and download the certificate to the FTP server.

7. On ACS SE, go back to "ACS certificate setup".

8. Choose ACS Certification authority setup and download the CA root certificate (NOT the ACS certificate!!) and click "submit" (+ restart).

9. Go to Certificate Trust List and mark the just-added CA root certificate.

10. Go to "install ACS certificate" and download the ACS certificate and install it.

11. Restart your services.

On your client (with CTA):

1. Install both the CA root certificate and ACS certificate; now it should work.

Remark 1: on the client, it seems normal that you cannot always see the installed certificate via the Explorer browser. You will see them via the MMC console --> Certificates.

Remark 2: make sure that on ACS SE, under "global authentication setup" in the EAP-FAST section, the option "require client certificate for authentication" is UNMARKED!

ngo duyen Thu, 01/20/2011 - 01:07


I have read this document: "Install Certificate on the Cisco Secure ACS Appliance for PEAP Clients"

and I don't understand clearly: 'CA Certificate' and 'Server Certificate'.

Please help me.

Jatin Katyal Thu, 01/20/2011 - 04:39
User Badges:
  • Cisco Employee,

Helloz,


SERVER CERTIFICATE:

==================

It is a digital certificate that has been issued to a server and contains information about it. The main reason is that a certificate enables server authentication. It verifies the server's identity to the client. The client would need to have access to the server certificate. The server sends the server certificate as part of the SSL key handshake.



CA CERTIFICATE:

===============


Certification authority (CA) certificates are certificates that are issued by a CA to itself or to a second CA for the purpose of creating a defined relationship between the two CAs.


A certificate that is issued by a CA to itself is referred to as a trusted root certificate, because it is intended to establish a point of ultimate trust for a CA hierarchy.


Once the trusted root has been established, it can be used to authorize subordinate CAs to issue certificates on its behalf.


HTH


Jatin


Do rate helpful posts-

ngo duyen Thu, 01/20/2011 - 07:56

Thank you for your helpful answer.


I have seen the solution provided by bert.lefevre above.

is that the best solution for configuring certificate: wireless client with AD user, ACS SE 4.1 and PEAP?

And the client must Install both the CA-root certificate and ACS-certificate?

ngo duyen Thu, 01/20/2011 - 08:43

Wow, that's easy.

This config is for ACS. What about the wireless client?


Does the client have to install both the CA root certificate and ACS certificate?


And the server certificate will expire in 2 years. I tried to configure the Microsoft CA server so it will expire in 3 years or longer, but I haven't succeeded.

I think the CSR has info about the '2 years' expiry time. Is that right?


(I have to work with a working system: AD user, ACS SE, PEAP; all wireless clients have the root CA, ACS uses a self-signed certificate and has the root CA; the self-signed CA expires every year. That's why I want to find out a better solution so I won't have to deal with ACS every year.)


rated 5+

Jatin Katyal Thu, 01/20/2011 - 09:13
User Badges:
  • Cisco Employee,

You don't need to install the ACS server certificate on the client, and why should we install a server certificate on the client ...?


There is no validity period that is configured by default for third-party certificates. It's in your and the CA's hands; you may go for 10 years.


This option only comes with self-signed, where it's 1 year and it cannot be changed.


On the client you just need Root CA certificate if you want an option "validate server certificate" to be checked.


Setup client for peap authentication

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080545a29.shtml#t20


HTH

Jatin


Do rate helpful posts-

ngo duyen Thu, 01/20/2011 - 09:32

Thank you for the fast reply. All things are clear. I had just believed everything bert.lefevre posted above.

The Cisco support forum is wonderful. I can get my answer very fast by searching and asking.

Jatin Katyal Thu, 01/20/2011 - 11:38
User Badges:
  • Cisco Employee,

Glad, we could help you.

I would appreciate it if you can mark this thread resolved so that others can benefit from it.


Rgds,

Jatin


Do rate helpful posts-

ngo duyen Thu, 01/20/2011 - 18:46

I can't, because I am not the owner of this thread.
