Cisco 3750 with integrated WLC, WPA2 Enterprise, 802.1X and MS IAS.

So, first post. I usually figure most of this stuff out. I have this all working with the latest firmware etc., but I have more of an MS IAS issue than anything.


The PEAP cert used is one generated for my IAS controller, but I have two things... I'd like it to be highly available (if I shut down IAS#1 it uses IAS#2, which has a different certificate as it is host-name dependent). Also, if I can get a certificate for both IAS servers (using the MS certificate authority, trusted by all my computers etc.), I'd like it to be more than a one-year cert.


Both IAS servers are DCs, so when creating a cert request from the MMC certificates snap-in for the machine, it has the Domain Controller template and only uses the machine name. I need to make a 2-5 year cert generic for IAS.


Thanks for any help.


Sent from Cisco Technical Support iPad App

Scott Fella Sun, 12/11/2011 - 19:31
In order to increase the default 1-year certificate lifetime, you need to create a new certificate template on your CA. Here is an example of creating a new template by using the duplicate feature.


http://technet.microsoft.com/en-us/library/cc755043(v=ws.10).aspx


Sent from my iPhone

Sure, I understand and have done that, but I am only prompted to use the Domain Controller cert template.


Any thoughts about my other (poorly phrased, now that I look at it) question about having multiple IAS servers using the same certificate? Right now, if I shut down the primary IAS server, clients aren't able to join, as the cert they have is for the primary IAS server. They have to delete the network and re-add it to get the other server's cert.


Sent from Cisco Technical Support iPad App

Stephen Rodriguez Tue, 12/13/2011 - 10:08

There are two things you could do.


1.) Use a GPO to push the certificate from IAS#2 to all your clients.

2.) Under the PEAP config, uncheck the "validate server certificate" box.


With PEAP, the supplicant doesn't 'need/have' to have the server cert; it's an option. When I'm testing, I always uncheck this box. You could test whether the clients will fail over to the other IAS with the option unchecked.


As for the cert, are both of these devices a CA, or are you using a self-generated cert? If you have multiple IAS servers, you may want to promote a server to be a CA, and then issue both of these servers a cert from there. Then you only need to have your CA root on the client, instead of each IAS cert.


HTH,

Steve

----------------------------------------------------------------------------------------------------------

Please remember to rate helpful posts or to mark the question as answered so that it can be found later.
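Added example, not from the thread or any of its posters: a Python audit of a Windows WLAN profile as exported by `netsh wlan export profile`, reporting the PEAP "validate server certificate" state Steve refers to, the server names the client will accept, and the pinned root CA thumbprints, which is what decides whether a second IAS server with its own certificate can take over. The sample profile, SSID, host name and thumbprint are constructed.

```python
# Added example (not from the thread): audit an exported Windows WLAN profile
# (netsh wlan export profile) for the PEAP server-validation settings discussed above.
import xml.etree.ElementTree as ET

# Namespaces used by Windows WLAN/PEAP profiles; only the ones queried below are listed.
NS = {
    "w": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "peap": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1",
    "peap2": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2",
}

# Constructed sample profile: validation on, one IAS host name pinned, one root CA pinned.
SAMPLE_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
<name>CORP-WPA2</name><MSM><security>
<OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type>
<EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
<ServerValidation><ServerNames>ias1.example.local</ServerNames>
<TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 01 23 45 67</TrustedRootCA>
</ServerValidation><PeapExtensions>
<PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation>
</PeapExtensions></EapType></Eap></Config></EapHostConfig></EAPConfig></OneX>
</security></MSM></WLANProfile>"""

def audit_peap_profile(xml_text):
    """Parse one WLAN profile and return its PEAP trust settings plus a list of findings."""
    root = ET.fromstring(xml_text)
    result = {"name": root.findtext("w:name", namespaces=NS), "findings": []}
    # PerformServerValidation is the "Validate server certificate" checkbox in the PEAP dialog.
    flag = root.findtext(".//peap2:PerformServerValidation", "false", NS)
    result["validate_server_cert"] = flag.strip().lower() == "true"
    names = root.findtext(".//peap:ServerValidation/peap:ServerNames", "", NS)
    result["server_names"] = [n.strip() for n in names.split(";") if n.strip()]
    result["trusted_root_cas"] = [e.text.replace(" ", "").lower()
                                  for e in root.findall(".//peap:TrustedRootCA", NS) if e.text]
    if not result["validate_server_cert"]:
        result["findings"].append("server certificate validation is off: any RADIUS server is accepted")
    elif not result["trusted_root_cas"]:
        result["findings"].append("no root CA pinned: any cert chaining to a root in the client store is accepted")
    if result["validate_server_cert"] and len(result["server_names"]) == 1:
        result["findings"].append("only one server name accepted: a second IAS server presenting its own "
                                  "certificate is rejected, so failover breaks")
    return result

if __name__ == "__main__":
    for finding in audit_peap_profile(SAMPLE_PROFILE)["findings"]:
        print(finding)
```

Run it against each profile pushed by GPO to see which clients would reject IAS#2 and which have validation switched off entirely.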
