I have two problems.
I generated an ACS CSR and sent this to my Windows people and they issued my ACS with a certificate. Cool.
I go to download it onto the ACS and I have to put a "Private key file" in?
What is this file, and where do I get it from? Is it that long string of characters that the CSR generated, that I sent to the Windows boys?
Also, I did manage to just put any old rubbish in there, and I was surprised it accepted it.
Restarted the IS service and tried to enable EAP-TLS on the "global authentication setup" page, only to get the message:
Failed to initialize PEAP or EAP-TLS authentication protocol because CA certificate is not installed. Install the CA certificate using "ACS Certification Authority Setup" page
Now I am a little confused: is this because I have set up the ACS incorrectly, because of my misunderstanding of what this private key file is and how it relates to whatever?
Many thx indeed,

Have you guys looked at this doc? This will work even though it is for PEAP. With EAP-TLS, you will do the same except request the certificate from the client.
Just make a note of this when you request a cert; it is in the above doc.
Note: Microsoft has changed the Web Server template with the release of the Windows 2003 Enterprise CA so that keys are no longer exportable and the option is greyed out. There are no other certificate templates supplied with certificate services that are for server authentication and give the ability to mark keys as exportable that are available in the drop-down. Therefore, you need to create a new template that does so.
Here is a doc for ACS and EAP-TLS:

I am having the same problem. It seems that when the Windows guys generate a cert it has to be exportable, which will give you the private key file also. I have tried the following document without any success. It may work for you though: http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_configuration_example09186a008020a45c.shtml
I have also tried having ACS generate a self-signed certificate, which works. But on the client you have to uncheck the box that says validate the server certificate because the ACS is not a trusted certificate server. Right now I am trying to figure out how to have AD publish the ACS as a trusted cert server so Windows knows to trust the cert from ACS. Through all of this I have found that you can set it up several ways; the hard part is finding a way that works for you.
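
On the "Private key file" question in the first post: a private key is created together with the CSR, and the CSR and the issued certificate both carry the matching public key, so a key file can be checked against a certificate before it is installed. The script below is an added example, not part of the thread or of any Cisco document; it uses the OpenSSL command line, and every file name, subject name and the stand-in CA in it are constructed for the demo.

```bash
# Added example: all files are constructed in a temp dir (hypothetical names).

# SHA-256 of the public key inside a private key, CSR or certificate.
pubkey_fp() {  # usage: pubkey_fp key|csr|cert FILE
  local pem
  case "$1" in
    key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
    csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
    cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    *)    return 2 ;;
  esac
  [ -n "$pem" ] || return 1   # unparsable input (e.g. rubbish) is a failure
  printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
    openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only if KEY parses and holds the same public key as CERT.
key_matches_cert() {  # usage: key_matches_cert KEY CERT
  local k c
  k=$(pubkey_fp key "$1") || return 1
  c=$(pubkey_fp cert "$2") || return 1
  [ "$k" = "$c" ]
}

# Build sample material: server key + CSR, a stand-in CA, the issued cert.
make_demo() {  # usage: make_demo DIR
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/acs.key" \
    -out "$1/acs.csr" -subj "/CN=acs.example.test" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" \
    -out "$1/ca.pem" -subj "/CN=Demo CA" -days 1 2>/dev/null
  openssl x509 -req -in "$1/acs.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -out "$1/acs.pem" -days 1 2>/dev/null
  echo "any old rubbish" > "$1/rubbish.key"
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
make_demo "$DEMO_DIR"
for k in acs.key ca.key rubbish.key; do
  if key_matches_cert "$DEMO_DIR/$k" "$DEMO_DIR/acs.pem"; then
    echo "$k: matches acs.pem"
  else
    echo "$k: does NOT match acs.pem"
  fi
done
```

Only the key generated alongside the CSR matches; a valid key from a different pair and an unparsable file are both rejected.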