Cisco Support Community
Community Member

Alerting on an expired certificate

Is it possible with ACS 5.x to send an alert when a certificate used for 802.1x is about to expire?

3 REPLIES
Community Member

Alerting on an expired certificate

You can configure the parameters for each CA, which will apply to all the URLs that are configured to the CA. ACS supports two download modes, one for periodic download, and the other for downloading the next CRL update just before the previous is about to expire.

Community Member

Alerting on an expired certificate

I am actually looking at an instance when the certificate itself expires.

Cisco Employee

Hey Richard,

There is an enhancement request filed for the same. Please take a look:

CSCul13208    ACS ENH Acsview certificate expiry alarm 

Symptom:
There should be generic alarms in ACS 5.x that will notify the ACS administrator that Identity Certificate(s) will expire soon.
Similar alarms are included in ISE 1.2 in Alarm Settings ('Certificate Expiration' and 'Certificate Expired').

Conditions:
Using Identity Certificates in ACS 5.x configuration.

Workaround:
Configure alarm thresholds with Criteria for Failure Reasons like:
12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ACS local-certificate
11514 Unexpectedly received empty TLS message; treating as a rejection by the client
12321 PEAP failed SSL/TLS handshake because the client rejected the ACS local-certificate
However, such alarms will only be triggered after the certificate expiry date.


You may want to configure alerts for particular Failure Reasons, e.g.
"Failure Reasons: 12520 EAP-TLS failed SSL/TLS handshake because the client rejected the
ACS local-certificate" and the others listed above from the time the problem happened:
"11514 Unexpectedly received empty TLS message; treating as a rejection by the client"
"12321 PEAP failed SSL/TLS handshake because the client rejected the ACS
local-certificate"
Such alerts will be triggered on the above events only, i.e. after the certificate has already
expired.

You can do it in the ACS View menu: Monitoring and Reports > Alarms > Thresholds > Add


Regards,

Jatin Katyal

**Do rate helpful posts**
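
Both of the ACS-side options above only fire after the identity certificate has already expired and EAP-TLS/PEAP clients have started rejecting it. The script below is an added example (my code, not Cisco's and not part of this thread) of the proactive check the enhancement request asks for: it reads notAfter straight from a PEM or DER copy of the certificate using only the Python standard library and raises a warning a configurable number of days before expiry. It assumes you have exported the ACS local identity certificate to a file on a monitoring host (an assumption; the export step is not covered in the thread). The certificate it tests against is constructed in the script itself, unsigned and structurally minimal, so the example runs offline.

```python
"""Proactive notAfter check for an X.509 identity certificate (PEM or DER).

Added example, not Cisco/ACS code. It walks just enough of the DER structure
(RFC 5280: Certificate -> tbsCertificate -> validity) to read notAfter, so it
needs no third-party library and can run from cron on any host that holds an
exported copy of the ACS local certificate (assumed to be exported by hand).
"""
import base64
import datetime as dt
import re
from typing import Optional, Tuple

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(data: bytes) -> bytes:
    """Accept PEM or raw DER input and return DER bytes."""
    m = PEM_RE.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    return data


def _tlv(buf: bytes, pos: int) -> Tuple[int, int, int]:
    """Decode one DER tag-length-value at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _parse_time(tag: int, raw: bytes) -> dt.datetime:
    """Decode UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ) as UTC."""
    s = raw.decode("ascii")
    if tag == 0x17:                        # UTCTime: RFC 5280 maps 50-99 -> 19xx, 00-49 -> 20xx
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    elif tag != 0x18:
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def not_after(cert: bytes) -> dt.datetime:
    """Return the notAfter timestamp of a PEM or DER X.509 certificate."""
    der = pem_to_der(cert)
    tag, pos, _ = _tlv(der, 0)             # Certificate ::= SEQUENCE
    tag2, pos, _ = _tlv(der, pos)          # tbsCertificate ::= SEQUENCE
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a DER certificate")
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        pos = end
    for _ in range(3):                     # skip serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    tag, pos, _ = _tlv(der, pos)           # validity ::= SEQUENCE { notBefore, notAfter }
    if tag != 0x30:
        raise ValueError("validity SEQUENCE not found")
    _, _, pos = _tlv(der, pos)             # skip notBefore
    tag, start, end = _tlv(der, pos)
    return _parse_time(tag, der[start:end])


def days_remaining(cert: bytes, now: Optional[dt.datetime] = None) -> int:
    """Whole days until notAfter; negative once the certificate has expired."""
    now = now or dt.datetime.now(dt.timezone.utc)
    return (not_after(cert) - now).days


def expiry_alarm(cert: bytes, warn_days: int = 30,
                 now: Optional[dt.datetime] = None) -> Optional[str]:
    """Alarm text if expired or within warn_days of expiry, otherwise None."""
    left = days_remaining(cert, now)
    if left < 0:
        return "CRITICAL: certificate expired %d day(s) ago" % -left
    if left <= warn_days:
        return "WARNING: certificate expires in %d day(s)" % left
    return None


# --- constructed test data (hypothetical, unsigned; only the validity field matters) ---
def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder: tag, length (short or long form), value."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def constructed_cert(expires: dt.datetime) -> bytes:
    """PEM blob with the real field order of a v3 certificate and the given notAfter."""
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),   # [0] version v3
        _der(0x02, b"\x01"),               # serialNumber
        _der(0x30, b""),                   # signature AlgorithmIdentifier (left empty)
        _der(0x30, b""),                   # issuer Name (left empty)
        _der(0x30, utc(expires - dt.timedelta(days=365)) + utc(expires)),  # validity
        _der(0x30, b""),                   # subject Name (left empty)
    ]))
    der = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    now = dt.datetime.now(dt.timezone.utc)
    for label, cert in [("soon", constructed_cert(now + dt.timedelta(days=10))),
                        ("expired", constructed_cert(now - dt.timedelta(days=3)))]:
        print(label, expiry_alarm(cert, warn_days=30))
```

Point `not_after()` at the exported file's bytes and run it from cron, forwarding any non-None result to whatever paging you already have; on a host with OpenSSL, `openssl x509 -noout -checkend 2592000 -in acs-cert.pem` performs the same 30-day test and exits non-zero when the certificate will expire within that many seconds.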
