AAA/Identity/Nac :: SSL Certificate Installation On Acs Appliance 1120 For PEAP Clients
Apr 18, 2011
I need this SSL certficate installation on my acs appliance 1120 for PEAP clients.I have exported SSL server certficate from my old acs 3.3 server which is under acscertstore folder issued by CA vendor . I need to reuse this same SSL certificate on my acs appliance .ACS appliance certficate setup requires following two certificate to be installed for PEAP clients authentication
1) Server Certificate
2) CA certificate
Server Certificate : For server certifcate , I have my old certificate which is exported from my old acs 3.3 server , when i tried to download my server certficate via ftp server on my acs appliance , its looking for private key & private key file .Private key & file is generated intially on CSR request when this server certificate is requested to CA vendor for my old acs 3.3 . I dont know the private key password . If i need private key & file , then i need to generate new CSR from my acs appliance and i need to submit this CSR output to my CA vendor to generate new SSL server certificate .which is something like new server certificate request .CA certficate : For CA certficate , when i open my existing SSL certificate under detials tab in CRL distribution point , i could see below URL . whn i open this URL it giving certificate revocation list . [1]CRL Distribution Point.
I have an acs 5.0 running on Cisco 1120 appliance. It has worked for 2 years. Suddenly, I discovered that user can no longer login with their credentials. On close examination, when I console, the booting does not complete. Screen shot attached.
I am running windows based acs 3.3 in my lan environment going to be replaced with acs 1120 appliance running acs 4.2.1.15 , ACS 3.3 database has been built upto 4.2.0.124 ,step by step by upgrade process
now my database is with 4.2.0.124 dmp file , I cannot upgrade my database to 4.2.1.15 because 4.2.1.15 patch is not applicable & executable on 90 days evalution package of 4.2.0.124 of windows platform .
can i import my windows based 4.2.0.124 datbase directly to my acs appliance running 4.2.1.15.3 ??? , else its requires any step to be done to modify the windows based databse matching to appliance windows verison once .
I could see on appliance under restore settings the following options (restore from 4.2.0 backup file to acs 4.2.1)
i am trying to test EAP_TLS authentication on acs 4.2.1.15 running on Appliance 1120 , I have installed my server certficate along with CA certficate on my appliance box , I have enabled features of EAP_TLS under golbal authentication setup .
I have downloaded client supplicant certficate file for my windows XP machine .When i tried to authenticated i am finding following error message under failed attempts(EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake) on my acs appliance box .Under certficate revocation list , I have forced my CA as CRL in use . Attached snap shot of all .
Need URL for patch 4.2.1.15.3 with comptaible for cisco acs appliance 1120 . Though its for appliance patch should be along with webserver . I have downloaded patch of SE its not comptaible to this hardware .
We have had an active ACS unit for many years now, and we've added a second one, both are 1121 Appliances. The newer one came with 5.4, so we upgraded the older one to 5.4.
We setup replication between the two, with the newer one primary and the older one secondary. Problem is, windows based clients are unable to authenticate to the older ACS appliance. The only problem we can see is that it indicates that adclient is not running, under Monitoring & Troubleshooting, ACS Health Instance Summary.
So... been trying to figure out how to correct this, yet have been hard pressed to find a knowledgebase article that works. So far, Cisco hasn't added my smartNet on the new box so I can get some support?
We are deploying BYOD with Cisco ISE 1.1.2 and WLC (5508) using 802.1x authentication.Windows clients cannot connect to 802.1x SSID with the following error on ISE:Authentication failed : 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
The client doesn't have preconfigured wifi profile or root certificate installed.The concept of BYOD suppose that you can connect your device without any installed certificates and preconfigured wifi-profiles.
The problem is that Windows 7 supplicant does not send TLS alert in pop up window, when connecting to 802.1x SSID.If this alert is seen, than you can accept it and proceed the connection. After that you will be asked to install ROOT-cert, get your own cert and etc.So, the question is: how to make the windows supplicant to show the pop-up window with TLS alert?
p.s. the attached file shows the example of pop up TLS-alert window
disable telnet for ACS 1120 Appliance version 5.0.0.21 .is there anway to do it , not able to login via telnet and ssh it says wrong credentials but webgui is working fine with same user and password.
I was pondering on getting a certificate fro ma public CA to maintain easier configuration for end users. There will be a multitude of devices on this wireless network configured with 802.1x PEAP. (iPhones, iPADs, Droids, and PC's of course).
If you were to get a certificate from a public CA, I'm assuming this would be just a regular server certificate from GoDaddy, or Verisgn?
I'm in the process of setting up PEAP with ACS 5. From understanding the certificate that I generate is a server side certificate used between ACS and CA authority. However, according to the Cisco document that I'm using it sounds like I still have to install a certificate on the wireless clients that validate the server certificate. Is there a process to push this cert out via AD or do I need to manually install it and if I wanted can I get away with out checking the validate the server certificate on the wireless client?
A customer has RADIUS running on a Win Server 2008 R2 machine, has Autonomous 1140 APs and a mix of Windows 7 and XP Pro clients. Using PEAP as the authentication method the Win 7 clients can access the WLAN, but the Win XP clients cannot. The Win XP clients are at least SP2. I am doing some research before going to site on Friday and wanted to poll the community. I found an older post speaking to a MS Hotfix under KB#885453, but it referes to "third-party RADIUS servers," not MS servers URL.
I am trying to setup PEAP authentication for wireless users but I got stuck at place where I have single ssid and users are store in different identity stores like some will be using their active directory and some are locally created users on ACS. I created separate service for wireless authentication and under that I am unable to create rule to differentiate them with identity stores. any idea how to achieve this.
I tried creating identity selection based on role but it does not work as for protocol like radius.peap,ms-chap ACS does not look for another identity store once user not find in an identity stores.
There is ASA with remote access VPN and users are authenticated using third party signed certificates (CA is not local in ASA).When user certificate expires i can see it in syslog messages. For example:
%ASA-3-717009: Certificate validation failed. Certificate date is out-of-range, serial number: (...)
I would like to know if there is an opportunity to view user's certificate expiry date beforehand, say, 3 days before?
I have a WPA2/AES network with PEAP MsChapv2 authentication. I have 2 ACS servers for authentication. The problem I have is dropped clients. Both ACS servers are setup identical. The database replcation has been preformed.A series of 10 clients connects wirelessly and they are all successful. ACS server 1 is the primary and ACS server 2 is the backup. We verified that the 10 users authenticated to the primary ACS. My time out to reauth is 30 minutes on the WiSM. 10 minutes into the test we took down the Primary server. This should have had no impact on the clients. 5 minutes later the clients lost thier authentication and were dropped from the network. They were able to reconnect by shutting down thier wireless client and reconnecting. The authentications were seen on the Backup ACS server.on a test of falling back to the primary the same thing happened again to the clients.
I´m currently looking for a document that specify how many MAC addresses can be stored and authenticated via an ACS (1120)? I prefer to use the internal identity store over AD or LDAP for MAB authentication for 802.1X project. I would like to know what is the impact on the ACS? CPU/MEM? What is the impact on the user authentication? delay, timeout, etc.
We have downgraded cisco acs appliance 1120 from ACS 5.0 to ACS 4.2.1.15 , when we perform ICMP ping request to acs appliance its not responding , But i can do ping test from acs appliance on console mode not from GUI mode .
Is there any option to enable ICMP Ping response on cisco acs 1120 . else any patch to be upgraded to perform this action , my requirement is enable ICMP ping on acs appliance for troubleshooting . instead always check with telnet x.x.x.x 2002 for service responding
I encountered some strange issues with one of our appliances in the field. Reinstalled and encountered the strange issues. No errors.. did some memory test and the seagate harddisk test and encountered SMART errors. The device didn't log those errors anywhere.. First reason to check the second harddisk. The appliance is shipped with two so the first thing I was thinking of was RAID. I saw that raid wasn't configured. Try to boot the second harddisk and saw that nothing was on that disk.. so what is the mean reason you got two of those? Got the new machine and try some options to configure RAID.You got two options.. didn't see this before, most of the time you got only one option. Raid driver on or no RAID configuration at all. First tried the intel storage matrix, configured both of the disks for mirror and install the ACS 5.2. The machine boots after installs and rejects the DVD. Result: The installation doesn't boot! Checked the partition with gparted but the partition is active (or flagged as boot) Second option was LSI, got the raid configured for mirror and the installation was also completed. Result: working installation. Tried to test if the installation is still working after removing one of the disks. Appliance is complaining the the RAID is missing one disk (so this works). After that the machine tries to boot, result: no working ACS.
I have an ACS applicance that had a version 5.1 and i did an upgrade to 5.3 with latest patch.For some reason, the runtime process got stuck in (reinitializing and restarting) state.i did the recommended action to perform ACS stop and ACS start and even hard reset of the appliance, but it did not cut itThis process turned out to be a bug and it should have been fixed in version 5.3, but it has not i guess
i know that acs reset-config will solve the issue, but i have a problem here , the license file will be deleted as well with the config and i cannot find a way to export the license and then import it into the reseted config ACS hardware. Unfortunately, the license file is not saved anywhere in the company and i cannot affort to lose it.how to export the license from the applicance (CSACS-1120)?
I have configured the appliance everything is working fine.We have a remote syslog server and I have configured the remote syslog server details in the "Remote Log Targets" and and Logging Categories.But I cannot see any logs on my syslog server
i am configuring a Cisco Secure ACS 1120 appliance running ACS 5.0.0.21 to handle RADIUS request from a Cisco WLC 5508 appliance running version 7.0.116.0.these devices have open communication on all ports - no firewalls or ACL'sthey have successful ping communication The following statements illustrate some but not all the debugging I have done to ensure each device functions as it should in isolation.Using a simple windows RADIUS server (radserv2.exe) instead of the Cisco ACS This works and the WLC gets RADIUS response from my makeshift serverUsing a simple windows EAP client to query the ACS using RADIUS protocol this works and the ACS processes the RADIUS request and sends a responsePlaced a wireshark client on the network to inspect timeout. Wireshark logs the packet from the WLC to the ACS using port 1812 but doesn't see any packet responses from the ACS At the moment I have the WLC accepting the association from the wireless client and sending the RADIUS (PEAP, EAP-FAST or EAP-TLS) request to the ACS, the WLC receives no response and generates a timeout message and disassociates from the client. note this is not a reject or similar message, the ACS simple does not even process the packet. i.e. there is absolutely nothing in the ACS logs to suggest it even received a radius packet from the WLC. In summary the WLC and the ACS successfully function independently but they do not communicate via radius.
I have problem with ACS 5.0 on reporting. On "Monitoring and Report" page in Faverite Reports when i clicking on "Authentications - RADIUS - Today", My browser displays error "Error while reading skin-access.config. Please make sure the file exists and conforms to the schema specified"
I must also mention that I never upgraded the version of ACS from 5.0 also from command line all the acs services are running. It is running on CISCO 1120 Secure Access Controll Server apliance.
My second question is can I upgrade the version of ACS to 5.4 with Cisco Secure ACS 5 Base License?
When attempting to register an ACS instance to a primary (via System Administration -> Operations -> Local Operations -> Deployment Operations), I receive the following error as a popup in my browser:
"This System Failure occurred: /opt/CSCOacs/db/acs.crt (No such file or directory). Your changes have not been saved.Click OK to return to the list page."
I had 2 ACS 1120 appliances clustered, 1 suffered a hardware failure about a year ago so I replaced it with a VM. That one is now the primary. I'm now wanting to replace the secondary instance (the remaining 1120 appliance) with a VM as well. I removed the current appliance from the network, installed the VM using the same IP address, and attempted to register. It failed as per the above error. After trying this a number of times, I then decided to return the 1120 appliance to secondary status and attempted to register it with the same results as above.
i have 4 X ACS-1120. Each 2 are operating as an Primary and backup. I want to add a license in order for the ACS to support more than 500 networks which includes in the base license.As I understand this is the license required : L-CSACS-5-LRG-LIC= · Is this license applicable to ACS-1120 appliance with ver 5.2 ? – I understand that it is. for my scenario, do I need to purchase total of 2 X L-CSACS-5-LRG-LIC= (one for each environment, one license will serve 2 X ACS in Primary and Backup) or I need to purchase 4 licenses each for each ACS ? – I understand that one license will serve deployment of two ACS in primary and active scenario.
I'm trying to install a webauth certificate -- it works fine when unchained, however once I add the additional information the installation fails. I am using the same root and intermediate certificate information as last year, and it worked fine then. I can recreate last year's pem file with the chained information and it installs fine, so it's only when I include the new device certificate information that it fails. The certificate installs fine when it's not chained, I'm not receiving any openssl errors, and I'm not using openssl 1.0.
I'm trying to join a band new CSACS-1120 to our active directory without success. The process in it self should be pretty straigh forward, but so far no luck.
I've configured the relevant info under "Users and Identity Stores > External Identity Stores > Active Directory.
Active Directory Domain Name: xxx.com Username/Password : domain administrator account
When I test connection I get a info dialog "This machine is currently connected to domain xxx.com".After which I try to save changes which gives a reply ""This System Failure occurred: {0}. Your changes have not been saved. Click OK to return to the list page."
I've noticed that in the system log "show logging system tail" that I get a exception as soon as I enter the AD configuration page and subsequently every time I perform a action on that section.
Why the AD join keeps on failing and what the debug exception I'm getting means?
how the certificates work when using PEAP on ACS 5.2.Currently we have clients which are Cisco wireless IP phones that are using the ACS server(s) for authentication to the wireless network. The phones are configured to use PEAP with server validation enabled. The phones have a Godaddy root certificate, and Godaddy intermediate certificates installed on them, (in addition they have all the certs that are on the phone by default). On the ACS server there is a certificate that is signed by Godaddy. This was creating doing the CSR process etc...
So from what I understand, because all the phones are set up to validate the server certificate, they require the public root certs and the intermediate certs that are installed on them, in order to validate the private cert that is on the ACS server. The private certificate (the one signed and issued by Godaddy), expires the middle of next year (2014) (a little ways off I know, but it is never too early be concerned about stuff). When we go to get a new private certificate for the ACS servers (or get a renewal) and when we install this new signed certificate onto the ACS servers…will all the clients still trust this new certificate, and everything will continue to work smoothly? Or will the clients all need to have new root certs installed, and new intermediate certificates installed? From what I can gather I think the first scenario should be the case, because the root certs and intermediate certs are there to trust certs that are signed by Godaddy, so as long as the new private certificate is signed by Godaddy everything should be okay.
I have been trying to figure out for days now how to get Windows XP/Windows 7 and Apple iPads to connect to a broadcasted SSID and authenticate with PEAP without getting prompted to verify a certificate that exists on ACS.
In Windows 7, I get a window that says the connection attempt could not be completed and get a warning that the certificate could not be validated. If I manually configure a wireless connection and specify PEAP to accept my trusted root certificate authority (in the default list), it doesn't prompt but having users do this is not acceptable and more work than to just verify when prompted. I have no control over the devices connecting so I can't push anything down using GPOs.
For the iPad, I get a similar message that the certificate authority can't be verified and you have to accept.
For the certs, I have tried GoDaddy and Starfield. How to get this working without getting prompted to verify/validate a certificate authority? If so, what cert are you using? I have the intermediate certs installed in ACS and Windows and iPads see them because as soon as I delete, the screen that pops up changes to my actual cert.
Any good guide for configuring PEAP with Machine Authentication to allow for domain login?This is a clean install on a new 5.2 install.We are moving from 4.X to 5.2 and i want to make sure i dont miss anything.
I have ACS 1120 ACS appliance running ACS version 5.2.0.26.5 ,authenticating VPN users connecting from internet using radius protocol , we have requirement that VPN user account should be disabled by a specific date , Means user ID should be revoked when their contract expire connecting to our data center .
I know this feature is available on ACS version 4.2.,but i could not this feature set on ACS 5.2.0 when user account is created , whether any new sepicfic patch has this feature enabled after acs version 5.2.0.26.5.
With out this feature this set , i cannot ensure ID are revoked automatically ,when specific date come in to end user.
Cisco 5508 wireless controllerCisco ACS 5.1LDAP connection I have setup the wireless controller to do RADUIS authentication with the ACS 5.1 using LDAP. The setup is currently working, Brief info below on setup.
I setup the PC client to use WPA2-Enterprise AES and authentication method CISCO PEAP. When I connect to the SSID this will prompt for a username and password. I will enter in my AD details and the ACS with the LDAP connection will authenicate and on the network I go.
Now I want to add machine authentication with CERTIFICATES, each laptop and pc in our network has CA certificates installed.
way that I can add these certificates into the ACS 5.1 so I pretty much want to import them into the ACS. Once they are imported inside I want the ACS to check that the certificates are on the PC and then prompt for the AD username and password, and only once it meets these two conditions it allows the workstation onto the network.So it will be a two form authentication one with certificates and the other ldap.
I have a Cisco WLC talking to a ACS 4400 version 5.1 which in turn talks to Active Directory.Ive been trying to get 802.1x for wireless clients going, I have a cert on the ACS from verisign on the box but when users try to sign in they get 12309 PEAP handshake failed in the ACS RADIUS log.The cert was exported and placed directly on the testing laptop and at one point it all worked. I stepped away from it for 2 weeks to get a new internal CA built on a windows box, now coming back to it with the intent of issuing new certs to the ACS from the internal CA and thought I would check it to make sure all was good, but its not.Google doesn’t return happy results for “12309 PEAP handshake failed”, I opened a TAC case on it and they took my cert to their lab. Haven’t heard back.
