Cisco Support Community

New Member

ACS 4.1 - CA Certificate

Hi NetPro,

Does anyone know whether the ACS 4.1 Generate Self-Signed Certificate and Generate Certificate Signing Request options are only valid for 1 year? What happens 1 year later? If I re-generate the certificate, will it affect my currently authenticated users? For example, would a user be unable to connect via PEAP after the certificate expired?

Your reply will be highly appreciated.

Thanks.

regards,

Jackal

6 REPLIES

Re: ACS 4.1 - CA Certificate

Interesting question. I would say a connected user would be OK until they next reauthenticate, at which point it will fail. If you generate a new self-signed cert you will also have to install the matching root cert on all your clients = major hassle.

A better idea is to buy a cert with a long enough lifetime to last the lifetime of your solution. I always use www.rapidssl.com for my certs; a 5 year cert is about $300 and the root cert is already built into Windows, Macs, etc., so no need to touch the clients.

Re: ACS 4.1 - CA Certificate

When you use a self-signed certificate, you will always get a validity period of one year. This is a non-configurable setting and a limitation of using self-signed certificates.

It takes no more than 2-3 minutes to install the self-signed cert again, so during that phase users will not be able to authenticate.

Regards,

~JG

Cisco Employee

Re: ACS 4.1 - CA Certificate

Leveraging ACS's built-in certificate authority is great for testing and if you have a small group of laptops or handhelds. However, for larger installs that leverage AD for authentication you are better off using Windows 2000 or Windows 2003 certificate authority functionality; otherwise you will have to regenerate the certificate and then install this new certificate into the certificate root store of each machine that does PEAP authentication.

Follow this document if you have any questions about installing or configuring MS-PEAP with ACS 4.0 and Windows 2003 Directory Services.

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml

I wrote the procedures if you have any questions.

New Member

Re: ACS 4.1 - CA Certificate

Hi,

Thanks for the reply, but I feel something is not right. For instance, although my ACS 4.1 has an expiry date, for my client profile I didn't choose any CA server for authentication, which means my client didn't use phase 2 security, which uses a certificate for authentication. So, will it face an authentication problem after 1 year?

Thanks a lot.

regards,

Jackal

Cisco Employee

Re: ACS 4.1 - CA Certificate

Got it. Let me force expiration on my ACS server, but my gut feeling is that because you do not validate the CA on the client, you will just need to regenerate the certificate and you will be good to go. However, for best practices I would recommend you leverage the CA certificate and check that box; otherwise your information is being sent unencrypted (unless you have a VPN session after connecting).

New Member

Re: ACS 4.1 - CA Certificate

Hi rmarg,

Wow, the topic is getting interesting now. OK, I got what you mean, but I have implemented WPA2 on my AP and for the client profile I chose WPA2-Enterprise. So, is this considered unencrypted as well?

Regards,

Jackal
