New Member

Installing Certificates on the ACS Appliance

We have a Cisco ACS appliance (Cisco 1113), and are having a little trouble getting certificates to work.

I had some instructions on generating a certificate on a windows server and installing it, but this ultimately resulted in a server that we couldn't reach from anywhere (because nobody had an appropriate client certificate) and I had to reload the server.

We can currently get PEAP to work with our windows clients and the server using a self-signed certificate, but for a wider implementation I'm still not sure what certificates need to be generated, which ones need to be placed on the server, which ones need to go on clients, and how to place them on the server and windows clients.

I realize this is a fairly large question, but the different documents I've seen out there are all slightly contradictory, and in any case are all written with the windows implementation of the cisco ACS in mind.

Any help would be most appreciated.

-Ben

18 REPLIES

Re: Installing Certificates on the ACS Appliance

Ben,

Please check the attached doc. That should take care of your questions.

Regards,

JG

Do rate helpful posts

New Member

Re: Installing Certificates on the ACS Appliance

Hello JG,

PEAP authentication is working. I want to use EAP type "Smart card or other Certificate" in the Windows client. When I choose a wireless network I get prompted to select "User name on certificate" and all I see are the client certificates I installed from my Windows servers. How can I generate and install a client cert using the Cisco ACS Appliance?

Re: Installing Certificates on the ACS Appliance

Here is the EAP-TLS guide

New Member

Re: Installing Certificates on the ACS Appliance

Thank you. I was able to follow all the steps except #16. I don't have the same options mentioned in #16 on my Windows 2003 Server, which I use as my CA. I instead chose the option Request a certificate > User Certificate > Submit > Install this certificate.

When I am trying to connect with my wireless client, I get Authentication Failure-Codes on my Cisco ACS appliance:

1. External DB is not operational

I unchecked everything in the ACS Trust List except one name. Then I got the following error code:

2. Certificate name or binary comparison failed.

I then unchecked everything in my windows client except one name, where then I got the following error code:

3. EAP-TLS or PEAP authentication failed during SSL handshake.

What could it be that is misconfigured?

New Member

Re: Installing Certificates on the ACS Appliance

I forgot to mention, just in case it matters in regard to the error codes I am getting, that in step #6-C of the EAP-TLS guide it states "Enter a name for the private key file" and in step #10-J it asks "Enter the path to the private key from step 6 C". I didn't enter a path in step 6, I only entered a name. So in step 10, after downloading the server certificate to the appliance, I just clicked "Submit". The file name in the private key box was the same one I had entered in step #6-C. I didn't get an error, so I think the key was accepted somehow internally by the appliance.

Re: Installing Certificates on the ACS Appliance

When you generate a CSR, you are asked for the name of a private key file. This file is stored (cached) on the appliance with the name you provided.

Regards,

~JG

New Member

Re: Installing Certificates on the ACS Appliance

Good, that's what I had hoped for, especially since I was able to proceed with the cert and key installation.

Do you have any thoughts on my previous email regarding the different error codes?

Thanks.

New Member

Re: Installing Certificates on the ACS Appliance

I was finally able to authenticate a Windows XP client after I checked all three options under EAP-TLS in System Configuration > Global Authentication Setup.

Now I have another challenge. I have an 802.1x supplicant (DSL gateway device) which is using a certificate that was generated by a different CA, not by my Windows 2003 server. I downloaded the CA certificate file (TestDSLGtwyDeviceRoot.cer), added it to the Certificate Trust List and enabled it (marked the box). When the supplicant is trying to connect, I get the following error code in the Cisco ACS appliance: Invalid Protocol Data. Unfortunately I have only been able to find a table with error codes, which doesn't have a description of what the problem could be.

Should my 802.1x supplicant be able to authenticate with the given configuration, or is there anything else I need to do?

Once more, any assistance is appreciated.

Thanks.

New Member

Re: Installing Certificates on the ACS Appliance

The basic steps that I followed (for ACS SE 1113) are these (I work with an external Windows CA server).

1. Download the CA root certificate from the CA web interface to an FTP server.

2. Generate a signing request on the ACS appliance (in "certificate setup") and copy this.

3. Go to the CA web interface and choose

- Request a certificate -> Advanced certificate request

- Submit a certificate request by using a base-64-encoded ...

4. Paste the signing request output from your ACS SE into the "saved request" field.

5. Choose "web server" as the certificate template.

6. Click "submit" and download the certificate to the FTP server.

7. On ACS SE, go back to "ACS certificate setup".

8. Choose "ACS certification authority setup", download the CA root certificate (NOT the ACS certificate!!) and click "submit" (+ restart).

9. Go to "Certificate Trust List" and mark the just-added CA root certificate.

10. Go to "install ACS certificate", download the ACS certificate and install it.

11. Restart your services.

On your client (with CTA):

1. Install both the CA root certificate and the ACS certificate; now it should work.

Remark 1: on the client, it seems normal that you cannot always see the installed certificate via the Explorer browser. You will see them via the MMC console --> Certificates.

Remark 2: make sure that on ACS SE, under "global authentication setup" in the EAP-FAST section, the option "require client certificate for authentication" is UNMARKED!

New Member

Re: Installing Certificates on the ACS Appliance

I have read this document: "Install Certificate on the Cisco Secure ACS Appliance for PEAP Clients"

and I don't clearly understand 'CA Certificate' and 'Server Certificate'.

Please help me.

Cisco Employee

Re: Installing Certificates on the ACS Appliance

Hello,

SERVER CERTIFICATE:
==================

It is a digital certificate that has been issued to a server and contains information about it. The main reason is that a certificate enables server authentication. It verifies the server's identity to the client. The client would need to have access to the server certificate. The server sends the server certificate as part of the SSL key handshake.


CA CERTIFICATE:
===============

Certification authority (CA) certificates are certificates that are issued by a CA to itself or to a second CA for the purpose of creating a defined relationship between the two CAs.

A certificate that is issued by a CA to itself is referred to as a trusted root certificate, because it is intended to establish a point of ultimate trust for a CA hierarchy.

Once the trusted root has been established, it can be used to authorize subordinate CAs to issue certificates on its behalf.


HTH


Jatin


Do rate helpful posts-

~BR Jatin Katyal **Do rate helpful posts**

New Member

Re: Installing Certificates on the ACS Appliance

Thank you for your helpful answer.

I have seen the solution provided by bert.lefevre above.

Is that the best solution for configuring certificates: wireless client with AD user, ACS SE 4.1 and PEAP?

And the client must install both the CA root certificate and the ACS certificate?

Cisco Employee

Re: Installing Certificates on the ACS Appliance

I would suggest you follow the attached doc. We have everything there that you're looking for.


HTH

Jatin


Do rate helpful posts-

~BR Jatin Katyal **Do rate helpful posts**

New Member

Re: Installing Certificates on the ACS Appliance

Wow, that's easy.

This config is for ACS. What about the wireless client?

Does the client have to install both the CA root certificate and the ACS certificate?

And the server certificate will expire in 2 years. I tried to configure the Microsoft CA server so it will expire in 3 years or longer, but I haven't succeeded.

I think the CSR has info about the '2 years' expiry time. Is that right?

(I have to work with a working system: AD user, ACS SE, PEAP; all wireless clients have the root CA, ACS uses a self-signed certificate and has the root CA; the self-signed CA expires every year. That's why I want to find a better solution, so I won't have to deal with ACS every year.)

rated 5+

Cisco Employee

Re: Installing Certificates on the ACS Appliance

You don't need to install the ACS server certificate on the client; why should we install the server certificate on the client ...?

There is no validity period that is configured by default for third-party certificates. It's in your and the CA's hands; you may go for 10 years.

This option only comes with self-signed, where it's 1 year and it cannot be changed.

On the client you just need the Root CA certificate if you want the option "validate server certificate" to be checked.


Setup client for peap authentication

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080545a29.shtml#t20


HTH

Jatin


Do rate helpful posts-

~BR Jatin Katyal **Do rate helpful posts**

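The thread above touches three things that are easy to confuse: the CSR the appliance generates (bert.lefevre's steps 2 to 6), the certificate the CA issues from it, and which of the two objects a client needs in order to "validate server certificate" (Jatin's reply just above). The following openssl script is an added example, not code from this thread or from Cisco, and it does not reproduce the Windows CA or ACS web steps. It builds a throwaway root CA, a server CSR and a CA-signed server certificate, then checks the points made in the posts: the CSR carries no validity period (so the lifetime comes from the CA template, not from the request), and a client that trusts only the root CA can validate the server certificate without having the server certificate itself. The names Demo Root CA and acs.example.test, the file names and the 3650-day lifetime are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from this thread or from Cisco): a throwaway PKI built with
# openssl to show the objects discussed above: CA root certificate, server CSR,
# and the signed server certificate, plus what a client needs to validate it.
# Demo Root CA, acs.example.test, file names and the 3650-day lifetime are
# constructed values; nothing here touches a real CA or appliance.
set -e

WORK="${WORK:-$(mktemp -d)}"    # scratch directory for keys and certificates

# Minimal req config so no extensions leak in from the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
EOF

# Extensions the CA stamps onto the server certificate. This is the part the
# Windows "Web Server" template supplies; the CSR itself carries none of it.
cat > "$WORK/server_ext.cnf" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:acs.example.test
EOF

# 1. Self-signed root CA: the "CA root certificate" that clients must trust.
make_root_ca() {
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Demo Root CA" -days 3650 \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
}

# 2. Server key + CSR: what "generate certificate signing request" produces on
#    the appliance. The private key stays local; only the CSR goes to the CA.
make_server_csr() {
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=acs.example.test" \
        -keyout "$WORK/acs.key" -out "$WORK/acs.csr" >/dev/null 2>&1
}

# 3. The CA signs the CSR. Lifetime (-days) and EKU are decided on the CA side,
#    which is why changing "2 years" means changing the CA template, not the CSR.
sign_server_cert() {
    openssl x509 -req -in "$WORK/acs.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days "$1" -sha256 -extfile "$WORK/server_ext.cnf" \
        -out "$WORK/acs.pem" >/dev/null 2>&1
}

build_demo_pki() { make_root_ca && make_server_csr && sign_server_cert "$1"; }

# What a client with "validate server certificate" does: chain the presented
# server certificate to a trusted root and check it is usable for a TLS server.
# Only root.pem is in the trust store; acs.pem is what the server presents.
client_validates_server() {
    openssl verify -CAfile "$WORK/root.pem" -purpose sslserver "$WORK/acs.pem" >/dev/null 2>&1
}

# Same check with no root CA installed: the system store does not know Demo Root CA.
client_without_root_fails() {
    if openssl verify "$WORK/acs.pem" >/dev/null 2>&1; then return 1; else return 0; fi
}

# True if the server certificate still has at least $1 days of validity left.
server_cert_outlives_days() {
    openssl x509 -in "$WORK/acs.pem" -noout -checkend $(( $1 * 86400 )) >/dev/null 2>&1
}

# True if the CSR text contains any validity period (it should not: a CSR has none).
csr_states_validity() {
    openssl req -in "$WORK/acs.csr" -noout -text | grep -q 'Not After'
}

# True if the CA put the serverAuth EKU on the issued certificate.
server_cert_has_server_auth() {
    openssl x509 -in "$WORK/acs.pem" -noout -text | grep -q 'TLS Web Server Authentication'
}

build_demo_pki 3650
echo "client trusting root only:  $(client_validates_server && echo OK || echo FAIL)"
echo "client with no root CA:     $(client_without_root_fails && echo rejected || echo accepted)"
echo "CSR states a validity:      $(csr_states_validity && echo yes || echo no)"
echo "cert valid beyond 3000 days: $(server_cert_outlives_days 3000 && echo yes || echo no)"
```

Run it with a stock openssl binary; it prints OK, rejected, no, yes. Swapping the `3650` for `730` reproduces the "2 years" case without touching the CSR, which is the point of Jatin's answer: the request only carries the key and subject, so the lifetime is whatever the issuing CA decides. For the ACS deployment this means the client trust list needs the CA root certificate only, and the server certificate (plus its private key, never exported) stays on the appliance.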
New Member

Re: Installing Certificates on the ACS Appliance

Thank you for the fast reply. Everything is clear. I had just believed everything in bert.lefevre's post above.

The Cisco support forum is wonderful. I can get my answer very fast by searching and asking.

Cisco Employee

Re: Installing Certificates on the ACS Appliance

Glad we could help you.

I would appreciate it if you could mark this thread resolved so that others can benefit from it.


Rgds,

Jatin


Do rate helpful posts-

~BR Jatin Katyal **Do rate helpful posts**

New Member

Re: Installing Certificates on the ACS Appliance

I can't, because I am not the owner of this thread.

2617 Views, 38 Helpful, 18 Replies