Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ACS certificate problem!Plz help

Hi All,

I have ASA and I am using ACS server is a VM Ware applicance.

My question now is I would like to authenticate two different types of devices from a single Radius client.

Device 1 – Authenticating using Username and Password from Domain1 and Device Certificate from CA1

Device 2 – Authenticating using Username and Password from Domain 2 and User Certificate from CA2

Can a single Cisco ACS server be configured to do this? If not can 2 Cisco ACS servers be configured to do this bearing in mind it is a single Radius client which can only direct authentication traffic to a single Radius server?

I am using EAP method as a local certificate for that CA which is been istalled on the ACS and that cert which is locally needs to be assigned to the EAP Protocol.

Hence to proceed further I want to authenticate EAP against  a second certificate authority. I can load a local certificate from this CA as well but the EAP protocol can only be assigned to one cert at a time so EAP authentication to this CA fails.

EG: I see the certificate cert1 under System Admin->Config -?Local certi -? Issueby cert1 protocol:EAP.

Error on the client says : No root certificate installed to validate authentication.

Any update on this would be appriciated.

Thanks in advance.

Regards

Alex.

3 REPLIES
Cisco Employee

Re: ACS certificate problem!Plz help

Hi,

yes it's quite easy. ACS can authenticate against 2 CAs, you simply have to add those 2 CA certificates in the CA trust list.

I think you have a kind of confusion on the certificate topic.

The certificate you install on ACS must be a certificate that the client will trust.

The client certificate must be a certificate that ACS trusts.

To trust the client certitificate, it must be issued by a CA that the ACS trusts to be more precise so it just requires you to have added that CA to the trusted Authorities in ACS.

For the client to trust the ACS, the ACS certificate needs to have been issued by a CA that the client trusts. So if your client are from multiple different domains, then you need to manually install the ACS certificate (or its CA) on the clients.

Hope this clarifies.

Nicolas

===

don't forget to rate answers that you find useful.

New Member

Re: ACS certificate problem!Plz help

This is what I am tried to configure but it fails. If you could provide me your email address I can send you the screen shots.

Cisco Employee

Re: ACS certificate problem!Plz help

I have a personal policy of not giving my email address to everyone sorry :-)

But you can attach screenshots to forum messages so that everyone enjoys them.

The place to go to trust several CAs is : system config-> ACS certificate setup - > edit certificate trust list. This allows you to enable the trust against those CAs.

But before that you need to have uploaded the CA cert in "ACS Certification Authority Setup"

204
Views
0
Helpful
3
Replies
CreatePlease login to create content