Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

ACS 5.1 Certificate Setup for EAP - Exportable Certificate and Installation

 

 

Introduction

 

This document describes how to configure and install exportable certificate from Microsoft Windows 2003 software using CSR from Cisco Secure Access Control Server (ACS) 5.1 for Protected Extensible Authentication Protocol (PEAP) with Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) version 2.

 

ACS 5.1 Certificate Setup

 

Configure Exportable Certificate for ACS

 

Note: The ACS server must obtain a server certificate from the enterprise root CA server in order to authenticate a WLAN PEAP client.

 

Note: Make sure that the IIS Manager is not open during the certificate setup process as causes problems with cached information.

 

  1. Log in to the ACS server with an account Admin rights.
  2. Go to System Administration > Configuration > Local Server Certificates. Click Add.

 

 

acs51-peap-deployment-48.gif

 

 

When you choose a server certificate creation method, choose Generate Certificate Signing Request. Click Next

 

 

acs51-peap-deployment-49.gif

 

 

Enter a certificate subject and key length as the example, then click Finish:

 

  • Certificate Subject - CN=acs.demo.local
  • Key Length - 1024

 

 

acs51-peap-deployment-50.gif

 

 

ACS will prompt that a certificate signing request has been generated. Click OK.

 

 

acs51-peap-deployment-51.gif

 

 

Under System Administration, go to Configuration > Local Server Certificates > Outstanding Signing Requests.

 

Note: The reason for this step is that Windows 2003 does not allow for exportable keys and you need to generate a certificate request based on the ACS Certificate that you created earlier that does.

 

 

acs51-peap-deployment-52.gif

 

 

Choose the Certificate Signing Request entry, and click Export.

 

 

acs51-peap-deployment-53.gif

 

 

Save the ACS certificate .pem file to the desktop.

 

 

acs51-peap-deployment-54.gif

 

 

Install the Certificate in ACS 5.1 Software

 

Perform these steps:

  1. Open a browser and connect to CA server URL http://10.0.10.10/certsrv.

 

 

acs51-peap-deployment-55.gif

 

 

The Microsoft Certificate Services window appears. Choose Request a certificate.

 

 

acs51-peap-deployment-56.gif

 

 

Click to submit an advanced certificate request.

 

 

acs51-peap-deployment-57.gif

 

 

In the advanced request, click Submit a certificate request using a base-64-encoded

 

 

acs51-peap-deployment-58.gif

 

 

In the Saved Request field, if browser security permits, browse to the previous ACS certificate request file and insert.

 

 

acs51-peap-deployment-59.gif

 

 

The browser’s security settings may not allow accessing the file on a disk. If so, click OK to perform a manual paste.

 

 

acs51-peap-deployment-60.gif

 

 

Locate the ACS *.pem file from the previous ACS export. Open the file using a text editor (for example, Notepad).

 

 

acs51-peap-deployment-61.gif

 

 

Highlight the entire content of the file, and click Copy.

 

 

acs51-peap-deployment-62.gif

 

 

Return to the Microsoft certificate request window. Paste the copied content into the Saved Request field.

 

 

acs51-peap-deployment-63.gif

 

 

Choose ACS as the Certificate Template, and click Submit.

 

 

acs51-peap-deployment-64.gif

 

 

Once the Certificate is Issued, choose Base 64 encoded, and click Download certificate.

 

 

acs51-peap-deployment-65.gif

 

 

Click Save in order to save the certificate to the desktop.

 

 

acs51-peap-deployment-66.gif

 

 

Go to ACS > System Administration > Configuration > Local Server Certificates. Choose Bind CA Signed Certificate, and click Next.

 

 

acs51-peap-deployment-67.gif

 

 

Click Browse, and locate the saved certificate.

 

 

acs51-peap-deployment-68.gif

 

 

Choose the ACS certificate that was issued by the CA server, and click Open.

 

 

acs51-peap-deployment-69.gif

 

 

Also, check the Protocol box for EAP, and click Finish.

 

 

acs51-peap-deployment-70.gif

 

 

The CA-issued ACS certificate will appear in the ACS local certificate.

 

 

acs51-peap-deployment-71.gif

Version history
Revision #:
2 of 2
Last update:
‎08-29-2017 06:49 AM
Updated by:
 
Contributors
Comments
New Member

Possible to provide an acs5.1 eap-tls deployment guide like this?