EAP-FAST Using ACS Self-Generated Certificate

Unanswered Question
Oct 8th, 2008

Hi, I have an ACS Server generated certificate and the validity for this cert is only 1 year. After 1 year I have to renew the cert and on the client side I have to install the client again. Is there any way I can push the newly generated cert to the client automatically? Any suggestions?

Scott Fella Wed, 10/08/2008 - 18:36

EAP-FAST uses a PAC file that you specify on ACS. Is this what you are referring to?


http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a0080205a6b.html#wp436787

mohanantassp Wed, 10/08/2008 - 18:57
Hi, thank you for your reply. I don't have any 3rd party certificate server, so I am using a self-generated cert which was generated on the ACS Server for client authentication. Now every year I need to renew the certificate on the ACS Server and install it on the ACS Server and also on the client side. The limitation of the ACS Server self-generated cert was that the validity is only 1 year. After 1 year, when I recreate another cert and install it on the ACS Server, I need to install it on all the clients as well. Is there any way I can just push the certificate from the ACS to the clients instead of going to all the client machines one by one?

Scott Fella Wed, 10/08/2008 - 19:51

Are you using EAP-TLS or EAP-FAST? EAP-TLS requires a cert on the ACS and on the client. The other EAP types don't.

mohanantassp Wed, 10/08/2008 - 20:13
Hi, I have no access to the ACS now as I am in a different location. We have enabled PEAP with EAP-MSCHAPv2 & EAP-GTC, and with this we have installed a "Self-Signed Certificate" on the ACS Server. Now after 1 year I have renewed the certificate, and for the clients I need to install it on each client again. Is there any possibility for me to push the certificate from ACS, or any other suggestion?

Scott Fella Wed, 10/08/2008 - 20:24

That is weird... PEAP does not require you to install a cert on the client side. Usually if you don't have "Validate Server CA" configured on the client side, the client doesn't care if there is a new certificate. Even if you validate the CA and you install a new cert, as long as the ACS is the same, you should still not see any disruptions. How are your clients configured?

mohanantassp Wed, 10/08/2008 - 22:35
Hi, I believe when you configure your client machine using "PEAP with EAP-MSCHAPv2 and WPA2 Enterprise", you need to validate the server certificate, and also authenticate the user credentials against the AD Server.
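The difference between the two replies above (a client that validates the server certificate versus one that does not) comes down to what the client's trust anchor is. The following is an added example, not from this thread or from Cisco: it builds a self-signed server certificate the way a yearly re-generated ACS cert would be, and a CA-issued one under a private CA, then checks which renewal a validating client still accepts. The hostname and CA name are placeholders, and it assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added demo (not from the thread): why renewing a self-signed RADIUS/ACS
# server certificate breaks "validate server certificate" clients, while
# renewing a CA-issued certificate under the same private CA does not.
# All names below are constructed placeholders; requires the openssl CLI.
set -eu
WORK=$(mktemp -d)
cd "$WORK"
SERVER_SUBJ="/CN=acs.example.test"   # placeholder ACS hostname

# Model A: self-signed server cert, re-generated each year (new key, new cert).
# A client that validates the server certificate must trust this exact cert,
# so every yearly renewal is a new trust anchor to distribute.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "$SERVER_SUBJ" \
  -keyout a_year1.key -out a_year1.crt 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "$SERVER_SUBJ" \
  -keyout a_year2.key -out a_year2.crt 2>/dev/null

# Model B: a long-lived private CA issues a fresh 1-year server cert each year.
# Clients trust the CA cert once; yearly server-cert renewals need no client change.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -subj "/CN=Example Private CA" -keyout ca.key -out ca.crt 2>/dev/null
for year in 1 2; do
  openssl req -newkey rsa:2048 -nodes -subj "$SERVER_SUBJ" \
    -keyout "b_year$year.key" -out "b_year$year.csr" 2>/dev/null
  openssl x509 -req -in "b_year$year.csr" -CA ca.crt -CAkey ca.key \
    -CAcreateserial -days 365 -out "b_year$year.crt" 2>/dev/null
done

# verify_against <trust-anchor.crt> <server.crt>: the check a validating
# PEAP client performs on the server cert. Prints "ok" or "FAIL".
verify_against() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo FAIL
  fi
}

# Client trust store frozen at year 1, server certificate rolled to year 2.
renewal_summary() {
  printf 'self-signed, year1 anchor vs year2 cert: %s\n' \
    "$(verify_against a_year1.crt a_year2.crt)"
  printf 'CA-issued,   CA anchor    vs year2 cert: %s\n' \
    "$(verify_against ca.crt b_year2.crt)"
}
renewal_summary
```

Expected output is FAIL for the self-signed line and ok for the CA-issued line, which is why a private CA (or a certificate template with a longer lifetime) avoids touching every client each year.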