Cisco AAA/Identity/Nac :: Multiple EAP Certificates In ACS 5.2?
Feb 10, 2011
I want to use multiple cert (enterprise certs and verisign cert) for authentication in wireless.Users that have their computer in the domain should use EAP-TLS and PEAP (verisign) are for users in the domain but on non-domain computers.I can only enable one certificate in system adminstration->local server certificates-> local certificates to use EAP.I have installed both enterprise and verisign cert in the CA store in User and Identy store and enbled the enterprise cert for EAP-TLS.The EAP-TLS connection works fine when the enterprise cert is enabled for EAP (in local certificates) but PEAP does not. If I enable EAP on the verisign cert in local certificates the enterprise cert get EAP disabled and that authentication stops working av PEAP starts working.
Is the ACS5.2 only able to have one certificate enabled at the time for EAP?
View 10 Replies
ADVERTISEMENT
Sep 4, 2012
I have an ASA5540 running 8.4(3) which has CA and identity certificates from godaddy.com installed, identifying the ASA to VPN remote users (the are using the anyconnect client.) There is also a separate certificate server located on the inside LAN that is used for internal purposes. All client workstations have identity certs from this internal server.
We would like to be able to continue using the existing godaddy CA/identity certs to identify the ASA to the clients, but we'd like to use the internal CA server to identify the clients when they initiate the AnyConnect session to the ASA.
I have seen other postings that state you cannot have more than one vert on an interface, but this is a little different - only one cert needs to be used to identify the ASA. The other one is only to identify the users. The ASA did allow me to import the internal CA cert.
View 4 Replies
View Related
Jan 31, 2012
I have generated request and our CA server gave us two files, one is certificate from CA itself, one is the certificate CA created for the ACS. I used the "Bind CA Signed Cerficate" under "local certificated"Option to bind the latter. it shows successful.and a web access from any pc will give you error info, "that the security certificate presented by this website was issued for a different website's address." And all the while I dont know how to deal with the other file, which is "Internal CA certificates" I was try to use the first option import server option, but it seems not right,
View 1 Replies
View Related
Apr 23, 2013
how the certificates work when using PEAP on ACS 5.2.Currently we have clients which are Cisco wireless IP phones that are using the ACS server(s) for authentication to the wireless network. The phones are configured to use PEAP with server validation enabled. The phones have a Godaddy root certificate, and Godaddy intermediate certificates installed on them, (in addition they have all the certs that are on the phone by default). On the ACS server there is a certificate that is signed by Godaddy. This was creating doing the CSR process etc...
So from what I understand, because all the phones are set up to validate the server certificate, they require the public root certs and the intermediate certs that are installed on them, in order to validate the private cert that is on the ACS server. The private certificate (the one signed and issued by Godaddy), expires the middle of next year (2014) (a little ways off I know, but it is never too early be concerned about stuff). When we go to get a new private certificate for the ACS servers (or get a renewal) and when we install this new signed certificate onto the ACS servers…will all the clients still trust this new certificate, and everything will continue to work smoothly? Or will the clients all need to have new root certs installed, and new intermediate certificates installed? From what I can gather I think the first scenario should be the case, because the root certs and intermediate certs are there to trust certs that are signed by Godaddy, so as long as the new private certificate is signed by Godaddy everything should be okay.
View 8 Replies
View Related
Jun 7, 2012
I have a Cisco 4506 With IOS 12.2 54SG1
Iam new on Acs 4.2 and i want to use Certificates to authenticate my windows XP Client and Igels.
On Windows Xp i selected : IEEE 802.1X Authentication enable EAP (Peap)
But i dont understand the Certification of ACS 4.2.
I generated a Self-Signed Certificate. Is this right ? and under installed Certificates the Certificate Status is okay.
Do i have to create for each windows Machine one user Account under user-Setup to authenticate the Machine?
Where do Windows Xp know whitch Certificate he have to take ?
I configures the Switch on Global Configuration like this:
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
[Code].....
Iam triying to configure ist szenario till 4 days and it still dont work.. On Windows i Only get the Error" authentication failed" on the Switch the same : dot1x : Authfailed
View 3 Replies
View Related
Sep 25, 2011
I'm looking for samples about anyconnect 2.x with PKI authentication through ASA 8.x and ACS 5.2.The CA could be a internal Microsoft CA.
View 8 Replies
View Related
Jan 10, 2012
When I tried to import the file, there are two lines there, One is Certificate file, the other is for "Private Key File".
My question for you is, is this the private key of CA? My understanding has always been that the private key stays in CA only, not going to any other devices.
View 2 Replies
View Related
Apr 25, 2010
A PC with a machine cert gets connected to a switch running 802.1x. The switch uses EAP with .1x to query PC, handing this off to ACS, that bit I'm ok with. The ACS needs to query the CA server to authenticate the PC, its this process I'm not sure about.
Reading the documentation I think that I need to configure LDAP between the ACS and the CA, which is running on 64-bit 2008 server. But, ACS SE remote agent is 32 bit only.
Is this correct, if so how do I get ACS SE to communicate with a 64-bit 2008 CA server?
View 8 Replies
View Related
Apr 3, 2012
I have been trying to figure out for days now how to get Windows XP/Windows 7 and Apple iPads to connect to a broadcasted SSID and authenticate with PEAP without getting prompted to verify a certificate that exists on ACS.
In Windows 7, I get a window that says the connection attempt could not be completed and get a warning that the certificate could not be validated. If I manually configure a wireless connection and specify PEAP to accept my trusted root certificate authority (in the default list), it doesn't prompt but having users do this is not acceptable and more work than to just verify when prompted. I have no control over the devices connecting so I can't push anything down using GPOs.
For the iPad, I get a similar message that the certificate authority can't be verified and you have to accept.
For the certs, I have tried GoDaddy and Starfield. How to get this working without getting prompted to verify/validate a certificate authority? If so, what cert are you using? I have the intermediate certs installed in ACS and Windows and iPads see them because as soon as I delete, the screen that pops up changes to my actual cert.
View 5 Replies
View Related
Apr 29, 2013
Getting ready to order a SSL Certificate for my newly installed ACS 5.4 and before I did that i want to verify if ACS 5.4 supports Wildcard SSL's.
View 5 Replies
View Related
Sep 17, 2012
I'm working on task to update the SSL certificate for an application. steps to upgrade the SSL, stuffs need to be checked before and after the installation and how to verify the new certificates.
View 1 Replies
View Related
Aug 28, 2012
I have an ACS 5.3 cluster, that is configured to use AD. There are a few wireless devices, and monitoring tools that do not have AD accounts. I would like to configure ACS to first check AD for the user authentication, and if that fails to roll over to the local (Internal Users) identity source where I can define these user accounts.
It seems that when the authentication hits the initial Identity Policy rule, it never moves onto the next one if the first fails.
Attached are screen shots that show how i'm configured for the test, i have a local user defined and I'm trying to log into the firewalls.
- Identity Definition : Screen shot of the main ACS definition for the rule i'm testing that's not working
- Identity Rule 1 : The configuration of rule 1 that if it fails i need it to move onto rule 2.
- Log Output : Screen shot for one of the failed attempts from the ACS View Log server.
Reason I need to configure it this way is:
- Wireless users authenticate to wireless using AD user accounts. Some hand held scanners do not support that and will need to authenticate using the MAC address.
- Authentication to Network devices for managment uses AD accounts. We have some monitoring tools that do not have AD accounts, and will need to be able to log into Network devices to issue some commands (Examples: Cisco Prime LMS and NCS, Infoblox NetMRI).
View 4 Replies
View Related
Aug 15, 2012
I understand that Cisco Secure ACS 5.3 supports the integration with existing external identity repositories such as Windows Active Directory and LDAP servers. In fact, in my environment, my ACS 5.3 is now integrated with AD and RSA.My question here is can Cisco Secure ACS 5.3 integrate with "multiple" WIndows AD, LDAP, RSA Server etc.? if yes, is there a Cisco document stating this? The keyword here is multipple.
View 4 Replies
View Related
Sep 25, 2011
I am trying to setup PEAP authentication for wireless users but I got stuck at place where I have single ssid and users are store in different identity stores like some will be using their active directory and some are locally created users on ACS. I created separate service for wireless authentication and under that I am unable to create rule to differentiate them with identity stores. any idea how to achieve this.
I tried creating identity selection based on role but it does not work as for protocol like radius.peap,ms-chap ACS does not look for another identity store once user not find in an identity stores.
View 1 Replies
View Related
Aug 9, 2012
I do have a quick question about Cisco ACS 5.3 and multi domain authentication. How is it exactly handled?
Can I join more than one domain with the ACS server? Or do I still need to configure that bidirectional trust relationship between those AD forests (even with the ACS 5.3)?
View 5 Replies
View Related
Jun 28, 2011
I've inherited some ACS appliances from another part of my organization. I need to keep most of the settings but want to remove all the AAA clients; and preferably not one-by-one. I don't see a way in the documentation and web searches have proven fruitless.
View 1 Replies
View Related
Feb 3, 2013
I have acs 4.2 for windows installed on a windows server 2003 box, because of a merger I need to now authenticate against 2 different domains, there is a bidirectional trust between the two domains and the dial-in permission has been set in ADUC but whenever I try to authenticate a user it says dial-in permissions needed in the acs failed authentication log.
View 5 Replies
View Related
Jan 7, 2013
Currently on ACS 5.2 and our MS Active Directory is migrating to a completely new domain. There will be a two way trust between them for the 24 month migration period. How best to configure ACS connect to both domains?
View 2 Replies
View Related
May 23, 2011
We have an ACS 5.2 server connected to an AD domain controller which has several trusted domains. (domain1, domain2, domain3) We currently have to specify which domain each user belongs to (ie, domain1user) in order to connect. We would like to only have to enter the user name without the prefix, (ie, user1) and have ACS automatically check each domain for a match. Is this possible with ACS 5.2? I seem to remember this was possible with ACS 4.2.
View 2 Replies
View Related
Jan 24, 2012
Can operate simultaneously multiple external DB in ACS 4.2?Mutiful External DB server is AD and Token server
View 1 Replies
View Related
Feb 7, 2012
We currently use ACS 4.2 for authentication of corporate users who are accessing the network in 2 different ways:
1) VPN client (via ASA5510)
2) Wireless (EAP-PEAP)
For all users who currently access the network via either of the above 2 methods, the Password Authentication under User Account settings in ACS is set to query an RSA SecurID Token Server.
We would like to try achieve the following in ACS:
IF an access request comes from the ASA (VPN clients), THEN we would like the user's password authentication to be handled by the RSA SecurID Token Server as it currently is. IF an access request comes from the Wireless LAN controllers THEN we would like to use EAP-TLS authentication. (We are aware that we would obviously need to configure the WLC, clients, PKI infrastructure etc accordingly for eap-tls).
View 1 Replies
View Related
Jun 4, 2013
Using Sha1 for Cisco 7925g and sha256 for data. Two separate CA's, one EnTrust (SHA1) the other Local Wondows CA (SHA256); ISE can only use one at a time to process a particular protocol (ie..EAP-TLS, HTTP, etc...) As a result we have to have a separate PSN just for Wireless and Wired VoIP (which can only hold SHA1 RSA1024).
View 5 Replies
View Related
Nov 27, 2011
is there a way to have multiple instances of user custom attributes and insert those as multiple instances of the A/V Pair in the authorisation profile in ACS 5.2/5.3 ?Background: We have to migrate a ACS 4.2 to 5.3. In ACS 4.2 our client used the multiline attribute
Number
#Name
#Description
#Type of Value
#Inbound/Outbound
[code]....
to specify multiple routes to various networks in the RADIUS reply spcific for every single PPP username of routers dialing in.Using the internal user database, extended by a string attribute and using that attribute as source of a dynamic value in the access-policy works basically. But as I have only ONE single line instance of the attribute for every user, I can only return ONE framed-route.We have lots of cases where multiple routes have to be assigned to one router.I 'd like to avoid defining a seperate access profile for every remote RAS router for external PPP Dial-In...[URL]
View 1 Replies
View Related
Sep 3, 2011
We having ACS version 5.2 0.26 with Active/Standby. We need to integrate active directory with ACS. Domain name given by Server team was as xyzcompy.local. When I tried to resolve the same domain name I got five servers ip address against the same domain name. however we given the ip reachability to only for two servers. We we try to save we get error saying that "Can not resolve the network address".
So my questions are;
- does ACS should have ip reachaibility to all five servers
- does the username/password we entered in the ACS should have domain admin rights?.
- the given AD is configured with windows NTP [URL] but when we configured ACS as windows NTP it was taking local server as active NTP..?
When we check the ACS logs, we saw the following error;
in acsLocalStore:
AdminName=acsadmin, DomainName=qatarconvention.local, ADOperationResult=unable to create secured connection against AD server, switching to non-secured connection. javax.naming.CommunicationException: simple bind failed: qnccad02.xxxxconvention.local:636 [Root exception is java.net.SocketException: Connection reset],
in ACSADAgent;
32484]: INFO dns.findsrv FindSrvFromDns failed: res_query failed _ldap._tcp.xxxxconvention.local
Sep 4 12:43:20 acs01-cc4 adjoin[32484]: INFO cli.adjoin Join to domain 'xxxxconvention.local', zone 'null' failed.
I attached some screen print which saw the error and output of nslookup for the domain name.
View 3 Replies
View Related
Jan 14, 2013
I have multiple campuses and a Central Admin...I've created Groups for all, except I need a few devices within Central to be available to the Campus Admins... (ie..a Cisco WCS System) How do I allow a device to be put into multiple NDG groups?
View 1 Replies
View Related
Oct 2, 2012
So we have multiple ISE Servers with differing personals. I was having an issue with our new ISE setup not identifying AD Group Attributes when using them in Authorization rules. We have 2- 3395 appliances running Admin and Monitoring/Troubleshooting Personas and 2- 3395 appliances running as Policy server personas. We are running v1.1.1.268 with the latest two patches. I was unable to pull Active Directory Group Attributes in any of my Authorization rules. After Resyncing all the boxes with the Primary Administration box I was able to do this. There is no bug listings for this occurrence nor do we have Smartnet to call support for other reasons.
View 3 Replies
View Related
May 25, 2011
I'm looking to implement ACS 5.2 using 802.1X, we have two seperate AD domains.A single switch will need to support both ADs, so if a machine in AD1 is connected, it will be authenticated to the ACS using AD1 and applied to VLAN1, while a machine that is in AD2 will be authenticated to AD2 and applied to VLAN 2.
I'm looking at machine authentication, not user authentication, so I assume that I will need to import two certs from each AD.
View 3 Replies
View Related
Feb 26, 2013
I use ACS 5.3.0.40.8 with TACACS+ servicing Device AAA and RADIUS servicing the Cisco Wireless environment for AD user access. How can I implement 802.1x with the current RADIUS implementation with hindering current wireless users or am I hindered due to the EAP-GTC in use with PEAP via RADIUS?
View 3 Replies
View Related
May 4, 2011
I'm working with a 1113 ACS device running the 4.2.0.124 software. I'm trying to get multiple network device groups to use an existing Remote Agent set up for authentication against our Windows domain. For instance, we want our infrastructure switches to authenticate agains the local Active Directory and our WLC to authenticate users agains the same Active Directory. When I try and set both network device groups to use the same remote agent, it fails and reports either the host name is already in use or the IP address overlaps with an existing remote agent.
The question is:
Can I have multiple network device groups use the same remote agent? Or do I have to install the remote agent software on separate Windows servers in order to have different types of devices authenticate against the Windows AD?
View 1 Replies
View Related
Aug 27, 2012
I have access to an ASA running 8.4 and I need to copy the config to another one, to have it has as a spare.All configuration has coppied fine except for this part in the config;
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=GS2-NT-FIR-01
proxy-ldc-issuer
crl configure
[code]....
So firstly, I assume this certificate is for the SSL vpn that is configured on the ASA? Secondly, this wouldn't copy across (the HEX part). But I believe this ASA is using a self signed cert so instead I probably ned to generate a new one on this spare ASA, so how do I do that?
View 3 Replies
View Related
Aug 8, 2011
I am delving into the world of Certificates and the ASA. I am having the HARDEST time grasping this though. I've poured over Cisco whitepapers, been reading through books and things just aren't solidifying in my head. So my question is, how do Certificates for SSL work on the ASA? Where does the data transmit and how does an ASA talk to a CA and User for things?
Lets do this basic topology for the discussion:
End User------SSL VPN---> ASA--->Internal CA
So in theory we are supposed to create a certificate and install it on the ASA and then set the outside interface to trust that cert?
How do identity certs and root certs also work out on the ASA? I have instructions that pretty much say
Create RSA key
Create new trustpoint
cry ca auth newtrustpoint
cry ca enroll newtrustpoint
cry ca import ?
So what are all of these steps specifically doing? Also in ASDM it shows a normal Certificate and an Identity Certificate. I can't really figure out the difference between the two. Does one cert talk to the CA and the other identify the ASA to the CA?
View 7 Replies
View Related
Aug 16, 2012
My ASA's have the follwing Versions: ASA Version 8.4(3) ASDM Version 6.4(7)Have I a chance to configure a site-to-site tunnel with a hostname as peer address when I will use Identity and CA Certificates?
View 2 Replies
View Related
Dec 5, 2011
I want to use a different certificate by connection profile. Is-it possible on ASA 8.4 ?
My first certificate is for vpn.itcom.fr associated to one connection profile and my second is for vpn.newitcom.fr associated to a second connection profile.
View 2 Replies
View Related
