I'm trying to deploy the EAP-TLS authentication method on ACS v4.0 for my local wireless users; really, I'm stuck with the certificate issue and need your assistance to understand the required procedures to accomplish the task.
As mentioned in the ACS configuration guide, I have to have a CA server to generate certificates for both the ACS and the wireless users, but I found an option on the ACS under the System Configuration tab, then ACS Certificate Setup, called Generate Self-Signed Certificate. I generated a certificate, uploaded a copy to my PC, installed it and followed the recommended steps to configure the Microsoft XP client, but I still got the error "Windows was unable to find a certificate to log you on to the network SSID". Honestly, I don't know if this is possible, but I gave it a try and failed.
Kindly advise what the appropriate and easiest way to accomplish the task is; if you could provide me with helpful documents, I'll appreciate it.
I am currently using EAP-TLS authentication for my wireless users with ACS 3.2. I have had that problem before. This is what I did...
Set up a Microsoft Certificate Server as my CA. You can use the same machine for your ACS and CA.
Then generate a certificate signing request from the ACS, request a server certificate from the CA, then copy and install the certificate on the ACS. On the ACS, go to Global Authentication Setup and check the EAP-TLS certificate. If it fails to respond, it means that the server certificate is not properly set up.
On the Windows XP clients, connect your machine using the wired LAN, then request a certificate from the CA (the same CA that you used for your ACS) using IE (e.g. http://CAip/certsrv), but this time request a client certificate. The name you put in when requesting the cert must be your local Windows user; use 1024, and choose Microsoft Base Cryptographic Provider 1.0. Then install the certificate on the client. Verify that your client certificate was installed properly.
At that point you should be able to connect your wireless client using EAP-TLS.
I need more clarification from your side, please. Kindly note that I have a standalone ACS appliance, but I arranged a CA server. Once I generated the certificate signing request from the ACS, I got it on the right half of the page with a header that said "Now your certificate signing request is ready. You can copy/paste it to any certification authority enrollment tool". What is the next step here?
I managed to get both certificates, for the ACS and the supplicants, and the EAP-TLS certificate was enabled, but how can I upload the server certificate to the ACS and install it?
When you see the message to copy and paste the certificate signing request, copy all that info (that is your server's info to request a certificate from the CA). Then open a browser to access the CA (http://CA-address/certsrv); do that on the ACS. Then select "Request a certificate", then "Advanced certificate request", then "Submit a certificate request using ...". From there, follow the on-screen instructions up to installing the certificate on the server...
The self-signed certificate is mostly used to allow HTTPS administration of the ACS and to allow PEAP authentication. The certificate the ACS created cannot be used as a client certificate, since the key usage of the certificate doesn't allow this, and because your PC probably doesn't recognize the ACS as a trusted CA server.
You should check whether the laptop you are using shows the ACS certificate in the CA server list in the NIC configuration under Authentication. If so, just tick the box beside it and Windows XP should be able to use it.
Hope you find what I'm talking about... I've attached a picture for you.
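The two points the replies above make, that the server certificate is issued from a CSR by the CA and that the ACS self-signed certificate lacks the key usage a client certificate needs, can be checked with openssl before touching the supplicant. The script below is an added example, not from the thread or from Cisco: it builds a lab root CA in place of the Microsoft Certificate Server, issues a server certificate with the serverAuth EKU and a client certificate with the clientAuth EKU from CSRs, creates a self-signed server-only certificate of the kind a "generate self-signed certificate" function typically produces (an assumption about its extensions), and then runs the check a TLS client-certificate selection applies: does the certificate chain to a trusted CA and does its Extended Key Usage permit TLS client authentication. All names (acs.lab.example, jdoe, Lab Root CA) are made up.

```shell
#!/bin/sh
# Added example (not from the thread): build a tiny lab PKI with openssl and
# check the properties an EAP-TLS supplicant needs. The Microsoft CA from the
# thread is replaced by a local openssl root CA; every name here is made up.
set -e

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

ACS_CN="acs.lab.example"   # hypothetical ACS server name
USER_CN="jdoe"             # hypothetical local Windows user name

# Write a minimal openssl config: subject CN plus the extensions to put on a
# self-signed certificate made with "req -x509" (ignored for plain CSRs).
mkcnf() { # mkcnf <file> <cn> <ext line>...
  f=$1; cn=$2; shift 2
  printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = ext\n[dn]\nCN = %s\n[ext]\n' "$cn" > "$f"
  for e in "$@"; do printf '%s\n' "$e" >> "$f"; done
}

# 1. Root CA (stands in for the Microsoft Certificate Server).
mkcnf ca.cnf "Lab Root CA" "basicConstraints = critical,CA:TRUE" "keyUsage = critical,keyCertSign,cRLSign"
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 365 \
  -keyout ca.key -out ca.pem 2>/dev/null

# 2. CSR on the "ACS" and on the "client", signed by the CA with a role-specific
#    Extended Key Usage, as the certsrv request pages would do.
issue() { # issue <name> <cn> <ext line>...
  n=$1; cn=$2; shift 2
  mkcnf "$n.cnf" "$cn"
  : > "$n.ext"; for e in "$@"; do printf '%s\n' "$e" >> "$n.ext"; done
  openssl req -new -config "$n.cnf" -newkey rsa:2048 -nodes \
    -keyout "$n.key" -out "$n.csr" 2>/dev/null
  openssl x509 -req -in "$n.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 365 -extfile "$n.ext" -out "$n.pem" 2>/dev/null
}
issue acs  "$ACS_CN"  "basicConstraints = CA:FALSE" "keyUsage = digitalSignature,keyEncipherment" "extendedKeyUsage = serverAuth"
issue user "$USER_CN" "basicConstraints = CA:FALSE" "keyUsage = digitalSignature,keyEncipherment" "extendedKeyUsage = clientAuth"

# 3. A self-signed server certificate with serverAuth only: the shape assumed
#    here for a "generate self-signed certificate" function on a RADIUS server.
mkcnf self.cnf "$ACS_CN" "basicConstraints = critical,CA:TRUE" "extendedKeyUsage = serverAuth"
openssl req -x509 -config self.cnf -newkey rsa:2048 -nodes -days 365 \
  -keyout self.key -out self.pem 2>/dev/null

# Print the Extended Key Usage line of a certificate.
eku_of() { openssl x509 -in "$1" -noout -text | sed -n '/Extended Key Usage/{n;p;}' | sed 's/^ *//'; }

# Return 0 when <cert> chains to <cafile> AND its EKU permits TLS client
# authentication; a certificate failing either test is never offered by the
# supplicant, which is what "unable to find a certificate" means in practice.
usable_as_client() { openssl verify -purpose sslclient -CAfile "$2" "$1" >/dev/null 2>&1; }

for c in user acs self; do
  ca=ca.pem; [ "$c" = self ] && ca=self.pem
  if usable_as_client "$c.pem" "$ca"; then r="usable as EAP-TLS client cert"; else r="NOT usable as client cert"; fi
  printf '%-5s EKU=[%s] -> %s\n' "$c" "$(eku_of "$c.pem")" "$r"
done
```

Only the certificate issued from the client CSR with the clientAuth EKU passes; the server certificate issued from the ACS CSR and the self-signed serverAuth-only certificate are both rejected with "unsupported certificate purpose", which is the openssl equivalent of the XP supplicant finding no usable certificate. The same `openssl verify -purpose sslclient` check can be run against a certificate exported from the XP user store to confirm that the right kind was installed.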