
EAP-FAST Using ACS Self-Generated Certificate

mohanantassp
Level 1

Hi, I have an ACS Server-generated certificate, and the validity for this cert is only 1 year. After 1 year I have to renew the cert, and in the client site I have to install the client again. Is there any way I can push the newly generated cert to the client automatically? Any suggestions?


Scott Fella
Hall of Fame

EAP-FAST uses a PAC file that you specify on ACS. Is this what you are referring to?

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a0080205a6b.html#wp436787

-Scott
*** Please rate helpful posts ***

mohanantassp
Level 1

Hi, thank you for your reply. I don't have any 3rd-party certificate server, so I am using a self-generated cert, which is generated in the ACS Server, for the client authentication. Now every year I need to renew the certificate in the ACS Server and install it in the ACS Server and also on the client site. The limitation of the ACS Server self-generated cert is that the validity is only 1 year. After 1 year, when I recreate another cert and install it in the ACS Server, I need to install it in all the clients as well. Is there any way I can just push the certificate from the ACS to the client instead of going to all the client machines one by one?

Are you using EAP-TLS or EAP-FAST? EAP-TLS requires a cert on the ACS and on the client. The other EAP types don't.

-Scott
*** Please rate helpful posts ***

Hi, I have no access to the ACS now as I am in a different location. We have enabled PEAP with EAP-MSCHAPv2 & EAP-GTC, and with this we have installed a "Self-Signed Certificate" in the ACS Server. Now after 1 year I have renewed the certificate, and for the client I need to install it in each client again. Is there any possibility for me to push the certificate from ACS, or any other suggestion?

That is weird... PEAP does not require you to install a cert on the client side. Usually if you don't have "Validate Server CA" configured on the client side, the client doesn't care if there is a new certificate. Even if you validate the CA and you install a new cert, as long as the ACS is the same, you should still not see any disruptions. How are your clients configured?

-Scott
*** Please rate helpful posts ***

Hi, I believe when you configure your client machine using "PEAP with EAP-MSCHAPv2 and WPA 2 enterprise", you need to validate the server certificate and also authenticate the user credentials over the AD Server.
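
The behaviour discussed in this thread, as an added example that is not part of any poster's reply: a client that validates the server certificate against an installed self-signed certificate rejects a regenerated one until the new certificate is installed as its trust anchor. The host name, the file names and the use of OpenSSL in place of ACS and the client supplicant are assumptions for illustration.

```shell
#!/bin/sh
# Constructed demo: acs.example.test and the file names are placeholders,
# not values from the thread. OpenSSL stands in for ACS and the supplicant.
WORK=$(mktemp -d)

# make_selfsigned <name> <days>
# New key pair plus self-signed server certificate, like a yearly regeneration.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=acs.example.test" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# client_trusts <anchor> <presented>
# Models a client with server certificate validation enabled: the presented
# certificate is accepted only if it verifies against the installed anchor.
client_trusts() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# expires_within <name> <seconds>
# True when the certificate expires inside the given window, so the
# replacement can be distributed before the old one lapses.
expires_within() {
    ! openssl x509 -in "$WORK/$1.pem" -noout -checkend "$2" >/dev/null
}

make_selfsigned old 365   # certificate currently installed on server and clients
make_selfsigned new 365   # regenerated certificate after one year

client_trusts old old && echo "old cert, old anchor: accepted"
client_trusts old new || echo "renewed cert, old anchor: rejected"
client_trusts new new && echo "renewed cert, new anchor: accepted"
expires_within old $((400 * 24 * 3600)) && echo "old cert expires within 400 days"
```

A client that does not validate the server certificate skips the `client_trusts` step entirely, which is why it never notices the renewal.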
