Cisco Support Community
New Member

Installing ACS Certificates for EAP-TLS Does not work

Hi all,

I have two problems.

I generated an ACS CSR and sent this to my Windows people and they issued my ACS with a certificate. Cool.

I go to download it onto the ACS and I have to put a "Private key file" in?

What is this file, and where do I get it from? Is it that long string of characters that the CSR generated, that I sent to the Windows boys?

Also, I did manage to just put any old rubbish in there, and I was surprised it accepted it.

Restarted the IS service and tried to enable EAP-TLS on the "global authentication setup" page, only to get the message:

"Failed to initialize PEAP or EAP-TLS authentication protocol because CA certificate is not installed. Install the CA certificate using "ACS Certification Authority Setup" page"

Now I am a little confused: is this because I have set up the ACS incorrectly, because of my misunderstanding of what this private key file is and how it relates to whatever?

Many thx indeed,

Ken

Accepted Solutions
New Member

Re: Installing ACS Certificates for EAP-TLS Does not work

I am having the same problem. It seems that when the Windows guys generate a cert it has to be exportable, which will give you the private key file also. I have tried the following document without any success. It may work for you though: http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_configuration_example09186a008020a45c.shtml

I have also tried having ACS generate a self-signed certificate, which works. But on the client you have to uncheck the box that says validate the server certificate, because the ACS is not a trusted certificate server. Right now I am trying to figure out how to have AD publish the ACS as a trusted cert server so Windows knows to trust the cert from ACS. Through all of this I have found that you can set it up several ways; the hard part is finding a way that works for you.

Hall of Fame Super Silver

Re: Installing ACS Certificates for EAP-TLS Does not work

Have you guys looked at this doc? This will work even though it is for PEAP. With EAP-TLS, you will do the same except request the certificate from the client.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080545a29.shtml

Just make a note of this when you request a cert; it is in the above doc.

Note: Microsoft has changed the Web Server template with the release of the Windows 2003 Enterprise CA so that keys are no longer exportable and the option is greyed out. There are no other certificate templates supplied with certificate services that are for server authentication and give the ability to mark keys as exportable that are available in the drop-down. Therefore, you need to create a new template that does so.

Here is a doc for ACS and EAP-TLS:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml#acs-1

Thanks, Scott *****Help out others by using the rating system and marking answered questions as "Answered"*****
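
An added example, not part of the original thread or the linked Cisco documents: the private key is created together with the CSR and is never contained in the CSR that goes to the CA, so before uploading anything it is worth checking that the key file really belongs to the issued certificate and that the certificate chains to the CA certificate you are about to install. The sketch assumes the OpenSSL command line on an admin workstation; the file names and the throwaway CA are constructed for the demo.

```shell
#!/bin/sh
# Added example: checks to run before uploading a server certificate and its
# private key. All file names and the throwaway CA are constructed for the demo.

# SubjectPublicKeyInfo (PEM) taken from a private key, a certificate and a CSR.
pub_from_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
pub_from_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
pub_from_csr()  { openssl req -in "$1" -noout -pubkey 2>/dev/null; }

# key_matches_cert CERT KEY: true only if KEY parses and is the certificate's key.
key_matches_cert() {
    kpub=$(pub_from_key "$2")
    [ -n "$kpub" ] && [ "$kpub" = "$(pub_from_cert "$1")" ]
}

# cert_matches_csr CERT CSR: true if the CA certified the key pair behind the CSR.
cert_matches_csr() {
    rpub=$(pub_from_csr "$2")
    [ -n "$rpub" ] && [ "$rpub" = "$(pub_from_cert "$1")" ]
}

# cert_chains_to_ca CA CERT: true if CERT verifies against the CA certificate.
cert_chains_to_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Build a throwaway CA, a server key + CSR, the issued certificate, an
# unrelated key and a junk "key" file in directory $1 (demo material only).
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=acs.example.test" \
        -keyout "$d/acs.key" -out "$d/acs.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/acs.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/acs.pem" 2>/dev/null &&
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null &&
    echo "any old rubbish" > "$d/rubbish.key"
}

tmp=$(mktemp -d) && make_demo_pki "$tmp" || exit 1
for k in acs.key other.key rubbish.key; do
    if key_matches_cert "$tmp/acs.pem" "$tmp/$k"; then r=match; else r="NO MATCH"; fi
    echo "$k vs acs.pem: $r"
done
cert_matches_csr "$tmp/acs.pem" "$tmp/acs.csr" && echo "cert matches CSR"
cert_chains_to_ca "$tmp/ca.pem" "$tmp/acs.pem" && echo "cert chains to CA"
```

Only the key generated alongside the CSR passes the first check; an unrelated key or a file of arbitrary text does not, whatever an upload form accepts.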
New Member

Re: Installing ACS Certificates for EAP-TLS Does not work

Many thx guys,

So with a clear head this morning and thx for the links, I have extracted exactly what I need to do and will re-attempt.

Will update all soon, and here is the ACS "Appliance" extracted info.

Thx to all, as always, what a group of people we have here!!!

Thx

Ken

Hall of Fame Super Silver

Re: Installing ACS Certificates for EAP-TLS Does not work

Doc looks good. Let us know if you get it to work or not.

Thanks, Scott
New Member

Re: Installing ACS Certificates for EAP-TLS Does not work

Hi, Fella and Ben,

Excellent stuff. Took the PEAP stuff and took out the appliance-only details and it all worked.

It's all about not double-clicking on the private key stuff when installing the cert and a couple of other little funnies as described in the red notes.

Many thx to all of you :)

Now just have to get it all working and client authenticated to the ACS. One thing at a time :))

Kind regards,

Ken

Hall of Fame Super Silver

Re: Installing ACS Certificates for EAP-TLS Does not work

Well that is good news. Yeah.... one thing at a time.

Thanks, Scott