I'm attempting to use EAP-TLS authentication for our Wireless clients.
We are using a MS Win2k CA and have followed the "User Guide for Cisco Secure ACS Solution Engine Version 4.0" and the "EAP TLS Deployment Guide for Wireless WAN Networks" White paper.
The issue I am having is when I download the Certificate (created on the Win2K server which is the CA, in Base64-encoded X.509, 1024 key size, etc.), it demands a private key file. So we exported the Private Key file in Base64 and it generated a .pfx file. So this is all looking good. When we hit the submit button we get "Unsupported private key file format." We have read and re-read the doco but cannot find any guidance on the export of the private key file. We have now tried 8 different combinations on the export of the key file with the same result every time.
Where do you see the "Unsupported private key file format"? Is it in Cisco ACS when you try to generate cert under "Generate Certificate Signing Request"? This should be under "System Configuration - ACS Certificate setup".
Try to use ".pk" as the private key extension. I had a similar problem before successfully getting them to work.
Certificate subject : cn=csacs-appl
Private key file : private-key1.pk <---- this format/extension works
The Error message appears when attempting to "Install ACS Certificate" on the ACS.
If we use the .pk extension the same error message is generated on the ACS.
Bear in mind the Certificate and Key has been exported from our Win2K CA server in our network, NOT from the ACS. We are trying to install a server certificate for the ACS generated using the "Advanced Certificate Request" on the MS CA server. We used the "Web Server" template as per section 6.2.1 Page 19 in the "EAP TLS Deployment Guide for Wireless LAN Networks".
If we generate a Cert and Key file on the ACS (Generate Self-Signed Certificate) it works fine. But it is of no use for our production network, which uses the MS CAs on all our client workstations and laptops.
I have successfully implemented a similar setup with an ACS 3.2 Appliance, with an MS CA server to generate the cert for the ACS and the wireless clients.
The only thing different is probably the way I import the digital cert from the CA to the ACS, which is via FTP. This is due to the limitation of the ACS 3.2 appliance when it was first released by Cisco. But I did a few experiments, and everything works fine.
Attached is my partial configuration for ACS, how to generate & import digicert to ACS via FTP.
Thanks for the files but ACS4.0 insists on a key with the Cert. We used your procedure but as no key is generated, we could not install the Certificate. We attempted to install the Cert on the CA to allow us to export the Key, but no luck there.
I have attached 2 files.
File 1 is the results of installing the Cert using your procedure and using our procedure to generate a cert and a key.
File 2 is the procedure we used for generating the Cert and the Key. Hope this is of use.
Thanks for the post. We resolved it last Friday. What the guide infers is that the Private Key is generated by the CA. It's not. It's generated by the ACS when the Certificate Signing Request is submitted.
We used this to get a Cert for the ACS from the CA and used the Private Key generated from the Cert Signing Request on the ACS.
The Cisco doco infers you have to download the Private Key via FTP. You don't, it's already on the machine. This is what led us astray.
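The flow the thread settled on, as an added example that is not part of the original posts and not Cisco's or Microsoft's tooling: the private key is generated on the requesting system together with the CSR and never leaves it; the CA only returns a signed certificate. Plain openssl stands in for both roles here (a throwaway self-signed root plays the Windows CA), and the subject names, paths and key sizes are constructed for the demonstration. The last function is the check an operator wants before installing a cert/key pair on any device: does the public key in the certificate actually match the private key on hand?

```shell
#!/bin/sh
# Added example: CSR-based enrolment emulated with openssl (not from the thread).
set -e
WORK=$(mktemp -d)

# Requester side (the ACS role): the private key and the CSR are born here.
# Subject name is a constructed example.
make_request() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/acs.key" \
    -out "$WORK/acs.csr" -subj "/CN=acs.example.test" 2>/dev/null
}

# CA side (stands in for the Windows CA): a throwaway self-signed root that
# signs the CSR. Only acs.csr crosses the boundary; acs.key never does.
make_ca_and_sign() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.crt" -days 1 -subj "/CN=example-test-root-ca" 2>/dev/null
  openssl x509 -req -in "$WORK/acs.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/acs.crt" -days 1 2>/dev/null
}

# Pre-install check: compare the SubjectPublicKeyInfo embedded in the cert
# ($1) with the public half derived from the private key file ($2).
# Returns 0 when they match, 1 otherwise.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Chain check: the issued cert must validate against the CA that signed it.
chain_verifies() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

make_request
make_ca_and_sign

# Same outcome the thread reports: the cert from the CA pairs with the key
# that was generated alongside the CSR, not with anything the CA holds.
if key_matches_cert "$WORK/acs.crt" "$WORK/acs.key"; then
  echo "acs.crt matches acs.key: install this pair"
fi
if ! key_matches_cert "$WORK/acs.crt" "$WORK/ca.key"; then
  echo "acs.crt does not match ca.key: the CA's key is not the one you need"
fi
```

The mismatch branch is the situation the original poster was in: exporting key material from the CA side cannot produce the key that pairs with a certificate whose CSR was generated elsewhere, because that key only ever existed on the requester.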