Cisco Support Community
New Member

Use ACS 5.4 for TLS authentication with a certificate not in the chain

Hi all,

I have ACS 5.4 installed, and several wireless environments.

One uses EAP-TLS to authenticate users from our domain (self-signed certificates).

The second uses PEAP and needs a real external cert... (signed by Terena)

The problem is that I can only use one certificate for EAP authentication on ACS, and I need them both to work.

I see only 2 options:

1. Configure the TLS network to authenticate without having the ACS cert in the chain (use the real one)

2. Configure somehow to use two certificates, one for each service.

Please help... I'm desperate.

Thanks!

Naor

8 REPLIES
Cisco Employee

Hi

ACS 5.4 supports user and machine authentication and password change against AD using EAP-FAST and PEAP with an inner method of MSCHAPv2 and EAP-GTC.

To run both EAP-TLS and PEAP at the same time, please go through the following link:

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-4/user/guide/acsuserguide/admin_config.html#wp1201220

Cisco Employee

You cannot have multiple server/identity certificates on ACS for different EAP flavors. As a best practice get the third-party certificate and check to associate the certificate with EAP protocols that use SSL/TLS tunneling: EAP-TLS, EAP-FAST, and PEAP.

~BR
Jatin Katyal

**Do rate helpful posts**

New Member

Hi Jatin,

Thanks for your answer, it helped.

Just a verification question:

I can purchase a TERENA/VERISIGN/etc. certificate, install it on the ACS and use it to authenticate EAP-TLS and PEAP users? GREAT! This is exactly what I need!!

Can you please refer me to a guide on how to do so?

Thanks!

Cisco Employee

That's correct. The same identity/server certificate can be used for both EAP authentication methods.

EAP-TLS deployment with ACS 5.x

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a008009256b.shtml

PEAP with ACS 5.x

http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112175-acs51-peap-deployment-00.html

Let us know if you have any further questions.

~BR
Jatin Katyal

**Do rate helpful posts**

New Member

O.K., got it...

One more:

The EAP-TLS network is used with an MS Active Directory and uses a private CA to issue the certificates.

Can I use ACS with a public certificate to authenticate the users?

I thought that ACS must have a certificate from the same certificate chain as the users (issue a certificate for it from the local CA).

Thanks,

Naor.

Cisco Employee

Yes, you can use an external/public CA for EAP-TLS. Just make sure you have the complete certificate chain installed on the client and the server (including the intermediate certificate).

~BR
Jatin Katyal

**Do rate helpful posts**

New Member

Hi,

How can I get the complete chain of an external real certificate? Like GlobalSign or Terena?

Is it possible to do so by myself?

Thanks,

Naor.

Cisco Employee

So when you generate a CSR and send it to your certificate authority, they will provide you with the full set of certificates.

This site talks about the different CAs available and their services:

https://www.ssl247.com/ssl-certificates

~BR
Jatin Katyal

**Do rate helpful posts**

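The two points made in the replies above, that the server certificate chain must be complete down to the intermediate and that the CSR is the only thing you hand to the public CA, as an added example that is not part of the thread or of any Cisco documentation. It builds a throw-away PKI with openssl: a two-level "public" chain standing in for Terena/GlobalSign that issues the ACS server certificate, and a separate private root standing in for the AD-integrated CA that issues user certificates. It then checks the chains the way each EAP-TLS peer does: the supplicant validates the server certificate against the public root only, and the server validates the user certificate against the private root only. All names (acs.example.test, Corp Private Root, user1@corp.example) are made up, and the only assumption is that openssl 1.1.1 or later is on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): a throw-away PKI that mirrors the poster's setup.
#   root.pem -> int.pem -> acs.pem   stands in for the public (Terena/GlobalSign) chain
#   priv.pem -> client.pem           stands in for the private AD CA that issues user certs
# Assumes only that openssl (1.1.1 or 3.x) is on PATH. Every name below is made up.
set -e

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"

build_pki() (
  cd "$PKI_DIR"
  # Minimal openssl config: -subj overrides the placeholder DN; extension sections follow.
  cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:acs.example.test
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
  # "Public" root and intermediate. In real life the CA owns these keys; you only get the certs.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -config pki.cnf \
    -extensions v3_ca -subj "/CN=Example Public Root" -keyout root.key -out root.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config pki.cnf \
    -subj "/CN=Example Public Intermediate" -keyout int.key -out int.csr 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -sha256 \
    -days 30 -extfile pki.cnf -extensions v3_ca -out int.pem 2>/dev/null
  # The CSR is the only thing sent to the public CA; acs.key never leaves the ACS box.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config pki.cnf \
    -subj "/CN=acs.example.test" -keyout acs.key -out acs.csr 2>/dev/null
  openssl x509 -req -in acs.csr -CA int.pem -CAkey int.key -CAcreateserial -sha256 \
    -days 30 -extfile pki.cnf -extensions v3_server -out acs.pem 2>/dev/null
  # Separate private CA for user certificates (the AD-integrated CA in the thread).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -config pki.cnf \
    -extensions v3_ca -subj "/CN=Corp Private Root" -keyout priv.key -out priv.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config pki.cnf \
    -subj "/CN=user1@corp.example" -keyout client.key -out client.csr 2>/dev/null
  openssl x509 -req -in client.csr -CA priv.pem -CAkey priv.key -CAcreateserial -sha256 \
    -days 30 -extfile pki.cnf -extensions v3_client -out client.pem 2>/dev/null
  # What the RADIUS server presents in the TLS handshake: its own cert, then the intermediate.
  cat acs.pem int.pem > acs-chain.pem
)

# Supplicant's view: trusts root.pem only and receives acs-chain.pem from the server.
verify_with_chain() (
  cd "$PKI_DIR" && openssl verify -purpose sslserver -CAfile root.pem \
    -untrusted acs-chain.pem acs.pem >/dev/null 2>&1
)
# Same supplicant when the intermediate was never installed on the server: no path to the root.
verify_without_intermediate() (
  cd "$PKI_DIR" && openssl verify -purpose sslserver -CAfile root.pem acs.pem >/dev/null 2>&1
)
# Server's view of the user certificate: valid against the private root, not the public one.
client_against_private() (
  cd "$PKI_DIR" && openssl verify -purpose sslclient -CAfile priv.pem client.pem >/dev/null 2>&1
)
client_against_public() (
  cd "$PKI_DIR" && openssl verify -purpose sslclient -CAfile root.pem \
    -untrusted int.pem client.pem >/dev/null 2>&1
)

build_pki
for check in verify_with_chain verify_without_intermediate client_against_private client_against_public; do
  if "$check"; then echo "$check: OK"; else echo "$check: FAIL (expected for the two negative cases)"; fi
done
```

Run it as-is; the two negative checks fail by design. The mapping to the thread: acs.pem plus int.pem is what gets installed on ACS as its identity certificate and chain, root.pem is what the supplicants must trust, and priv.pem is what ACS must trust in order to validate user certificates, so the public and private chains never need to meet. The `-purpose` flags are there because supplicants check extended key usage as well as the chain; Windows clients, for example, reject a RADIUS server certificate that lacks the Server Authentication EKU.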