Cisco AAA/Identity/Nac :: Cannot Import Certificate To CSACS SE 4.2
Mar 2, 2009
I cannot import certificate from CA (Certificate Authority). When I attempt to install the certificate to CSACS SE 4.2, the following error occurs during installation: "Unsupported private key file format".
View 7 Replies
ADVERTISEMENT
Jun 3, 2012
Do you know the procedure of import SSL certificate from Godaddy to ASA 5510? attached is the drop-down list that I have to choose from.
View 5 Replies
View Related
Sep 27, 2012
Can I import a self signed certificate from a Cisco 871 router to a Cisco ASA 5505? The 5505 replaced the 871 and I have a VPN that goes to another company that we have a connect to. The device on the other end is a VPN concentrator ( I do not have access to modify this device without going through multiple channels.) I only need to mimic this device for the site to site VPN tunnel only. It appears that there are no pre-shared keys only a self signed certificate.
View 1 Replies
View Related
Jul 24, 2011
I'm currently in the process of the setting up a new wireless network and I want to test out our 7925 phones on it. When I try uploading the certificate to the phone it fails and I find the following error in the trace logs
[code]...
I created this certificate using using Windows Server 2003 and it is 2048 bits. This certificate works fine with my laptop but I'm unable to upload it to the phone. The app load currently on the phone is CP7925-MFG-D.8.LOADS. Are there any specific guidelines out there when creating a certificate for a Cisco 7925 phone?
View 2 Replies
View Related
Feb 29, 2012
I am trying to import a SSL certificate into this device - Cisco SPS2024 (FW: 1.0.6 ( date 30-Aug-2011 time 15:45:47 )) but without sucess. I have allready did this task on another models through CLI (Cisco SRW224G4 - through the lcli) or on Cisco SG300. I can create certificate request with:
switch(config)#crypto certificate 1 generate key-generate
switch#crypto certificate 1 request cn "sw.localdomain" or "..." ou "..." loc "..." st "..." cu "..."
and that last command gives me plaintext certification request that I will sign with my certification authority. to this time, everything is clear and perfect.
And now, I have signed certificate according generated certificate request and I want to import it. And now I am in stuck, because I have not found any useful command to do this action. For import certificate, I have found only following command:
switch# crypto certificate 1 import pkcs12 WORD
also I dont exactly understand this command because there is no parameter to specify any url from which will be fetched pkcs12 certificate... just WORD parameter as the pkcs12 passphrase. nothing like as on another switch models on which there is following command:
switch2(config)# crypto certificate 1 import <CR>
after executing the command line will waiting for pasting the signed certificate to console. And on SPS2024 there is no any similar command to doing this. So in final, I cannot import certificate signed by my certificate authority, I can just generate self signed certificate directly on device and use only this one
View 2 Replies
View Related
Dec 8, 2011
I am tasked to Configure an ACE 4700 for SLB. This has been done and working. Am also further tasked to create a secure communication between tha ACE and Exchange server. I need the breakdown of steps required to Import certificate from the exchange server, and how to verify that things are working.
View 3 Replies
View Related
Dec 3, 2012
I am performing a deployment, in which i require clarity on the following. Our setup has DC and DR , in each site we have two devices for HA.We have received One SSL Certificate from Public CA, Kindly clarify the following doubts i have on thisIn Doc, i found Cert.pem and key.pem is required to generate the pair ,do i receive both Cert.pem and key.pem from the CA or we can generate key.pem from Cert.pem ?SSL Offloading is planned for the X application, and it is running in both DC and DR ( Considering each having their own Public IP address ) , do i need to have two different public certificates or a single certificate can i use in both DC and DR.Load Balancing IssueIs it possible to configure in ACE to access the service in Business hours and in non Business hours to display HTML page showing this is available only during these hours ?In DC we have Three Web Servers ( only in One physical server the service is active, other two are backup ), and these three servers are under cluster and shares one cluster IP , In ACE we have created the VIP and Pointed to only Cluster IP ( like pass through only ). The issue we face is if active web server is down, even then ACE is sending the traffic to that webserver only instead of sending it to the new Active web server. let us know if any solution is there to overcome this issue ?as per my understanding instead of giving cluster IP as real server IP we can issue the three physical servers. now i dont require load balancing between three servers instead require failover king like if first server is down then it should forward to Second server ?
View 4 Replies
View Related
Aug 11, 2011
Is it possible to have Dual NIC on ACS v5.2 such as teaming or any else??
I am thinking of connecting the two NIC on the CSACS-1121-K9 appliance to two switches on the same network, but wondering if it will be possible or not.
View 1 Replies
View Related
Jul 22, 2012
I have an ACS applicance that had a version 5.1 and i did an upgrade to 5.3 with latest patch.For some reason, the runtime process got stuck in (reinitializing and restarting) state.i did the recommended action to perform ACS stop and ACS start and even hard reset of the appliance, but it did not cut itThis process turned out to be a bug and it should have been fixed in version 5.3, but it has not i guess
i know that acs reset-config will solve the issue, but i have a problem here , the license file will be deleted as well with the config and i cannot find a way to export the license and then import it into the reseted config ACS hardware. Unfortunately, the license file is not saved anywhere in the company and i cannot affort to lose it.how to export the license from the applicance (CSACS-1120)?
View 3 Replies
View Related
May 7, 2013
Does the new UCS hardware change anything ?Can we bundle 2 NICs somehow to get interface redundancy ?If still not possible to configure that in ACS 5 itself:Can it enentually be done on the "hardware" level within the appliance firmware (UCS BIOS) ?(RHEL would provide NIC bonding,,, unfortunately its not accessable from ACS5 CLI)
View 6 Replies
View Related
Jan 30, 2012
There is ASA with remote access VPN and users are authenticated using third party signed certificates (CA is not local in ASA).When user certificate expires i can see it in syslog messages. For example:
%ASA-3-717009: Certificate validation failed. Certificate date is out-of-range, serial number: (...)
I would like to know if there is an opportunity to view user's certificate expiry date beforehand, say, 3 days before?
View 3 Replies
View Related
May 29, 2013
We upgraded a CSACS-1121 from ACS 5.2 to ACS 5.4 with CLI Application upgrade ACS_5.4.0.46.0a.tar.gz FTP After ACS reboot, services never start... After 15 hours, we always get same message:
ACS/admin# show application status acs
Application initializing...
Status is not yet available.
Please check again in a minute.
We installed patch 5-4-0-46-2.tar.gpg but we got same issue for 2 hours ...What could I do?
View 4 Replies
View Related
Apr 18, 2011
I'm trying to join a band new CSACS-1120 to our active directory without success. The process in it self should be pretty straigh forward, but so far no luck.
I've configured the relevant info under "Users and Identity Stores > External Identity Stores > Active Directory.
Active Directory Domain Name: xxx.com
Username/Password : domain administrator account
When I test connection I get a info dialog "This machine is currently connected to domain xxx.com".After which I try to save changes which gives a reply ""This System Failure occurred: {0}. Your changes have not been saved. Click OK to return to the list page."
I've noticed that in the system log "show logging system tail" that I get a exception as soon as I enter the AD configuration page and subsequently every time I perform a action on that section.
Why the AD join keeps on failing and what the debug exception I'm getting means?
View 3 Replies
View Related
Aug 21, 2012
We have 2 CSACS 1121 with Cisco ACS 5.2.0.26.10 The primary server manages 20000+ authentications per day. Its memory utilization increases everyday. It is now at 83% , there a limit?,What will happen when memory utilization reach this limit?,What can we do to purge memory utilization? (reboot, service restart.
View 11 Replies
View Related
Oct 19, 2012
i am working on ISE 1.1.1, surprisingly i couldn't found certificate authority certifiate at certificate operation anymore.
would it be the change on GUI? So now where i can import the CA certificate to ISE?
View 5 Replies
View Related
Dec 6, 2010
I'm trying the csv file import and getting some errors.
010-12-07 14:23:47: File Format Validation Completed2010-12-07 14:23:47: Import Started
2010-12-07 14:23:47: Record number: 1, Host 01-02-03-04-05-06: Import Failed2010-12-07 14:23:47: null Import process failed for unexpected reason: Unknown error has accurred.2010-12-07 14:23:47: Import Completed With errors
-------- Summary --------Total Number of Records Processed:1Number of Records Failed:1Number of Records Imported:1---------- End ----------Please refresh the table to see the changes.
On some other tries I get null field or missing fields.
It actually creates the host, but on editing it I get the following message:
An unexpected error has occurred. To continue your work, reselect the option in the left navigation bar.If you continue to receive the unexpected error message, close your browser and log in to ACS again.If you still receive the unexpected error message, contact your system administrator or technical assistance.
MACAddress:String(64):Required,description:String(1024),"enabled:Boolean(true,false):Required",HostIdentityGroup:String(256),VLAN:String(256):Required,attr-Expiration Date:Date(yyyy-Mmm-dd)01-02-03-04-05-06,AAATest,true,,Guest,2010-Dec-08
View 3 Replies
View Related
Mar 21, 2012
on ACSv5.2...are there any limitations on the number of users that can be imported via CSV file...i.e. will the ACS handle 250,000 internal users for example?
View 1 Replies
View Related
Jan 10, 2012
When I tried to import the file, there are two lines there, One is Certificate file, the other is for "Private Key File".
My question for you is, is this the private key of CA? My understanding has always been that the private key stays in CA only, not going to any other devices.
View 2 Replies
View Related
Mar 27, 2013
I have some VSAs to import into my 1113 box, but I am stuck before I can even start :-( I have an accountActions.csv file containing some VSAs (this is just a test csv file.) I also have an FTP server that is accessible from the 1113 system.
When at the GUI for the 1113 I do System Configuration --> RDBMS Synchronization I get the RDBSM Synchronization Setup screen all right. I have entered all the parameters associated with the FTP server, and selected manual synchronization. The problem is that there are no entries in the AAA Servers window at the Synchronization Partners section at the bottom, and therefore I can't get the 1113 to retrieve my accountActions.csv file, an action that (I guess) is triggered by clicking on the Synchronize Now button.
I do have an AAA Server defined in the 1113. It's a RADIUS server called Self, not assigned to any NDG.I guess I do not understand this at all. I just want to import some external VSAs. Do I need to have an external AAA server to accomplish this? If not, how do I get my local Self server to appear in the list of synchronization partners?
View 1 Replies
View Related
May 17, 2011
Trying to use the "File Operations" option to import hosts into ACS. I go through the wizard and click "Finish", the pop up goes blank and just hangs there. No errors are generated.
View 2 Replies
View Related
Apr 17, 2013
I have multiple AAA Clients that I need to add. The way I manage the clients, I often make changes of moving IPs from one group to another. I require that all clients use "IP Ranges". I try import the following IPs (8.8.8.1;8.8.8.3;8.8.8.9-10;8.8.8.25) I need them all to be ranges, but what happens is after I import it, I then go to that AAA Client, it makes them all "IP Range(s) By Mask" and siplays it like this.
View 4 Replies
View Related
Apr 7, 2013
between fields in import template file (add or update) for internal users is no column for expiration date ([URL]). This field is not defined also for export file.
My question is: (How) is it possible import new users (or update existing) into internal db with expiration date field?
View 3 Replies
View Related
Sep 21, 2011
Network Resources - Network Devices and AAA Clients- File Operations - Add - gives me File Format Validation Faliled. I am carefull to leave the header as it is. The header in the Import Template looks faulty, see attached. When exporting devices I also get the same header as attached. I also tried to change the header so its all in one column, but with same result.
View 1 Replies
View Related
Sep 10, 2012
Is it possible to upgrade the CSACS-1121-UP-K9 to be a non upgrade part? We were going to upgrade from a Windows 4.x to the above Appliance (version 5.x) but there is now a reason to keep the old Windows version running therefore we cannot give the new Appliance the old ACS's licenses?!So we should have (with hindsight) bought a fresh version of the ACS 5.x rather than an upgrade.
View 1 Replies
View Related
Jun 14, 2011
Currently I'm using a self signed cert issued by ACS. We are having an issue where occasionally we see in our Windows 7 logs that Windows did not like the self signed cert from ACS when doing dot1x authentication for our Windows 7 clients. We are using the built in dot1x client that comes with Windows and have the "Validate Server Certificate" unchecked but still see this error occasionally. I've tried issuing a CSR from the ACS server and going to Thwate and getting a test cert but everytime I paste the CSR into the field at Thwate I get an error about invalid cert type. You have to choose from a list of server types. I've tried several different ones. I've also tried issuing the request from a WIndows server and when I try and import the files I get a invalid key error. How to get certificate working from Thwate or Verisign?
View 6 Replies
View Related
Mar 2, 2011
We have enabled EAP-TLS authentication for our wireless LAN end user in our network setup , And we have defined certificate on our old acs server 3.3 from a third party CA . I want to use the same certifcate which is being used in 3.3 ,how i can copy that certficate from 3.3 and get it installed on new acs 4.2 .
View 7 Replies
View Related
Mar 1, 2012
I got many certificates errors. When ISE Server tried to retrieve CRL: CRL verification failed - possibly signed by wrong or unknown CA,When client tried to connect using EAP-TLS: X509 decrypt error - certificate signature failure.
View 2 Replies
View Related
Nov 7, 2011
Been tinkering around in our ACS 5.2 appliances today to setup PEAP. I generated a self signed certificate under local certificates which I want to remove now. But when I try to delete it I get the following message:
This System Failure occurred: Certificate is associated with a protocol. Hence it cannot be deleted.. Your changes have not been save. Click OK to return to the list page.
I assume this is because it is associated with the EAP protocol, but I cannot uncheck the box when I edit the local certificate. How can I get rid of this test certificate?
View 2 Replies
View Related
Jul 11, 2011
Looking for the steps to configure wired clients using certificate authentication only
- i.e., once a certificate is presented to the ACS that is issued by a trusted CA, the connection is permitted.
No need to tell me about switch configuration.
View 3 Replies
View Related
May 23, 2011
Is there a way to authenticate a windows computer in ACS 5.2 for 802.1x only with a certificate.The Computer is from a different active directory than the one that is configured in ACS.I tried importing the cert into "external indentity Stores" > "certificate authorities", then setup the computer to use smart card or certificate, then selected the certificate from the other AD.when i look at the ACS log, here is the message i can see: 22044 Identity policy result is configured for certificate based authentication methods but received password based
View 1 Replies
View Related
Nov 9, 2012
Cisco ISE 1.1.1 is given Certificate error while trying to access any of nodes. It is started after adding other nodes in to primary node. Accessing by IP's redirect to other nodes suppose if we accessing primary admin node by IP, it redirect to other nodes (secondary nodes or other nodes).
View 3 Replies
View Related
Jan 9, 2012
We use a combination of Cisco ACS and Cisco catalyst 3560 switches for network authentication and authorization. Clients (Windows XP) have a certificate installed which will grand access to the network and put them in the correct VLAN. So far, so good. Some users are testing with Windows 7 in the same set-up as above and run into strange behaviour. The problem is that after a random timer the machine gets de-authenticated and nothing besides a reboot works to get the computer authenticated again (from a Windows point of view). It looks like this only happens to users who are using a certificate to authenticate, Windows 7 MAC bypass users have no such problems. If it occurs, the following logging appears in ACS: [code] We are using ACS 4.2(0) Build 124 and 3560-48PS switches with IOS 12.2(55).
View 4 Replies
View Related
Feb 9, 2012
i have a wireless deplyoment with WLC 5508, ACS 5.2 and several AD connected by LDAP. It is required that users are authenticated by certificates additional the user should only get access to the wireless environment when the user is found in a certain security group in the Microsoft AD forrest. The certificate based authentication is working without any problems, except the lookup into the AD isn't working. Here are the Details of the "Evaluting Identity Policy"
Evaluating Identity Policy
15004 Matched rule
22037 Authentication Passed
22023 Proceed to attribute retrieval
24031 Sending request to primary LDAP server
24016 Looking up user in LDAP Server - Alex Dersch
24008 User not found in LDAP Server
22015 Identity sequence continues to the next IDStore
24209 Looking up Host in Internal Hosts IDStore - Alex Dersch
24217 The host is not found in the internal hosts identity store.
22016 Identity sequence completed iterating the IDStores
but the user can access the WLAN just without verifying the user in the AD.
i tried the to enable Binary Comparisation but then the Authentication is not working any more. I get the same Identity Policy result as above.
i configured the Binary Comparisation as below:
I though with the binary comparisation i'll be able to verify the existance and the status of an user in the Active Directory.
View 1 Replies
View Related