New Member

Problems with ACS 5.5 Trial and Primary / Secondary node registration

Hi,

I am currently trialing ACS 5.5. I have two ACS instances which I want to configure as a primary / secondary but whenever I try to register the secondary node to the primary, I get the following message:

"This System Failure occured: Registration failed due to Invalid Certificate. Your changes have not been saved. Click OK to return to the list page"

I have tried exactly the same on ACS 5.4 and it works without issue.

Both appliances have a reliable NTP time configuration. I have tried resetting the management interface certificate, and even re-creating the self-signed certificate that controls management and EAP, but this seems to just crash the box, which cannot be recovered from without rebuilding the appliance.

Can anyone help?

Thanks.

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee


I think this relates to an additional security control added in ACS 5.5. From the release notes I think this is the relevant section:

Support for Trust Communication between Nodes in a Deployment—ACS introduces the Trust Communication feature to provide additional security for communication between the ACS instances in your deployment. When you enable trust communication in an ACS deployment, the primary and the secondary ACS instances verify their respective CA certificates before establishing a secure tunnel for communication. If the corresponding CAs are valid, they establish a secure tunnel between them. After a successful registration, the primary instance database is replicated to the newly added secondary instance. If the CA of an ACS instance is invalid, the ACS deployment rejects that ACS instance. You can enable trust communication on both the primary and secondary ACS instances. Or, you can enable it on either the primary ACS instance or the secondary ACS instance. However, for increased security, Cisco recommends that you enable trust communication on all the nodes in your deployment.

In other words there is an option to enable trust communication between nodes (which is recommended for security purposes). If this is done you need to import the server certificate of the node joining the deployment into the trust list. If you disable trust communication the system will revert to the previous 5.4 behavior.

8 REPLIES

New Member


Brilliant! I didn't spot that, worked a treat, many many thanks!

Chris.

New Member


I was able to exchange server certificates, but I get an error that the CA could not be verified (probably because they are self-signed certs...) I could not get a secondary instance to register with 5.5 unless I disabled Trust Communication on the primary and secondary boxes.  Any hints as to how to get primary to trust a CA for a self-signed cert?  I can't find anywhere to add CAs to the box.

New Member

Hi Derek,

I have been unable to get trust communication working with self-signed certs. If you are unable to use an approved third party to sign your root CA, then try openssl - this worked well for me.

Chris.

Very useful.

New Member

This is very good, thanks for the assistance. Would there be any issues if you turned off the trust feature on both appliances?

New Member


System Administration -> Configuration -> Global System options -> Trust communication settings -> uncheck the checkbox on both nodes.

New Member

This resolved the issue I was having. Thank you for the information in your post.
