ACS 4.0 EAP - TLS Cert does not

Similar Questions

• [Cisco ACS 5.2] EAP - TLS authentication failure

  What we are e

  Hello

  I set up a WiFi connection on Windows XP and Windows 7 with EAP - TLS (using Cisco WLC 7.0.235.3 and Cisco ACS 5.2.0.26.10). It is configured with the authentication of the computer and computer certificates are automatically registered for Microsoft PKI.

  It works well!

  Now, I configured Windows 8 with the same configuration.

  First authentication works, but if I manually disconnect and reconnect, I got this error on ACS: 22047 username main attribute is missing from the client certificate

  In the EAP packets, we could see that Windows 8 sent a TLS session but ticket session has not properly taken over by ACS...

  Configuration of the ACS, we checked the option "enable EAP - TLS Session resume' with the session timeout"7200 ".

  I found this bug

  http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId= CSCtn26538& from = summary

  It seems to be my problem but the reboot does not work in my case...

  It is set at 5.3 (0.40.2).

  I plan to install version 5.4.

  Do you know if this fix is supported by 5.4?

  Thanks for your help,

  Patrick

  Hi Patrick,

  What is set in point 5.3 must be set in point 5.4.

  Even if the same issue appeared with 5.4 there an ID different bug and identified as an independent issue (with different causes, usually)

  HTH

  Amjad

  Rating of useful answers is more useful to say "thank you".

• ACS 5.4 EAP - TLS: the system of null or invalid message met CSCOacs_Internal_Operations_Diagnostics 31201

  Hi all

  I am trying to configure wireless with 802.1 x, authetication in the EAP - TLS computer with digital certificates, but it does not work.

  It runs on ACS 4.2.

  The message is ACS CA is not known, but it is configured correctlry.

  I have a "Wireless" accesses with identity store AD1 policy. I also tried to set up CN, SAN and a lot of identity store sequences, same results.

  At the time of authentication, I also see this log message:

  System encountered null or invalid message

  CSCOacs_Internal_Operations_Diagnostics

  31201

  I could be associated to?

  Can someone help me?

  THX,

  Andrea

  I see the certificates installed have been already expired.

  Regarding your second question, where do you see a mistake. I suspect a defect.

  CSCtw48906    Error due to an empty message (vector buffer), sent to the enforcement process

  Symptom: An Error Message is seen inlogs: message of the ERROR encountered CSCOacs_Internal_Operations_Diagnostics 31201 null or invalid system

  Conditions: ACS 5.2

  Solution: The issue is cosmetic. This message can be ignored.

  Under the guidance of the Director, this occors error when a message empty (vector buffer) that was sent to the runtime on the message Bus and it seems to be "cosmetic" question

  In default, debugging is attached. If you wish, you can activate the debbuging level performance logs and match symptoms.

  Here are the steps to generate support bundle.

  ACS / admin # acs - config

  Escape character is CNTL/D.

  Username: acsadmin

  Password:

  ACS/admin(config-ACS) #.

  Set logging for debug mode.

  ACS/admin(config-ACS) # debug level to debug-log duration

  ACS/admin(config-acs) #exit

  Collect the beam of support after reproducing the problem.

  Jatin kone

  -Does the rate of useful messages-

• ACS 5.1 - command line filters does not not in Config Mode

  Hello

  I am trying to set up filters to deny command line sniffer commands being entered. I have set up a command set and applied to an authorization policy. The command filter works great for commands in privileged mode. However, the filter does not work for any order that is entered in configuration mode.

  I have a set of commands that will deny for a test installation:

  display the clock

  terminal length

  display monitor

  duration of the distance

  the monitor session

  The first three commands are entered from the initial mode of privilege and they are omitted by the AEC. The last two commands can be entered in config mode and the ACS does not stop their entry.

  I have attached two screenshots that show configuration commands on GBA game and a Terminal session which commands are filtered and which are rented by the intermediary.

  Has anyone encountered this problem? Is there something else I should be adding to the command Set? Is this a bug?

  There is a bug on the Cisco site that relates to the command filters:

  http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtf08567

  I don't know if this bug applies to this question because there is so little information on this subject. In addition, if it does not I don't understand workaround to apply it to this situation.

  Any advice would be greatly appreciated. -(ACS Version 5.1.0.44.2)

  Dave was soon

  You have authorization for the configuration on the router mode?

  If this isn't the case, add:

  AAA authorization config-commands

• New windows basic button Submit Acs - 4.2.1.15.3 does not appear

  Configuration of the interface > Ganymede + submit button page displays cannot display the error page I'm not able to submit

  Someone has an idea that it is after the upgrade to Acs - 4.2.1.15.3. I tried with almost all the browsers and the different java version. Also tried to install it on different computers but the same problem. Please refer to the screenshot

  Manish,

  What is the current version of java you are using, make sure that it is more later and also use the java tester to find your current version. Also add the site of GBA for trust on the browser sites

• ACS 5.1 user password expire does not work

  Hi, I set up under policies of Administration password on the password length, the elements being rolled as number, letters and so on.

  on the second tab is the password expire for users, and I configured to expire after 90 days.

  I even tried to create a new user and change a password for a user existing Apache TOMCAT WAR

  I checked the GBA unit's CLOCK and NTP high on our internal NTP servers

  Likewise, I create a new user or change the password of Admin user interface, or I change the password for the user via Apache TOMCAT WAR, I the user being disabled in a few minutes, half an hour.

  Last, with CISCO AnyConnect is possible to warn the user about the password is expireing and if yes, change could be led through AnyConnect or that it is absolutely necessary a hand of the user task on the portal from Apache TOMCAT upward with the application of GBA WAR?

  Last last, I can't disable the logon on the ASA 5510 8.3 IOS AVOIDING user to connect through the AnyConnect application download (on the portal of the ASA)?. This is to avoid people to connect from Internet Cafe' and other facilities puglic not having the AnyConnect application installed from a USB device or local DISK?

  I think you hit a known issue with ACS 5.1:

  CSCtf06311: all internal users automatically disabled after you be connected to a single user

  This is fixed in a hotfix for ACS 5.1.  Hotfix Rollup 5.1.0.44.3 which can be downloaded from CCO

  If you decide to download a version of patch, it may be useful to take the latest cumulative hotfix for ACS 5.1: 5.1.0.44.6

• ESXi Syslog over TLS/SSL does not

  Hello

  I configured Log Insight (3.0) with 1 vCenter (5.5U2b) and 2 guests ESXi (5.5U2). Everything is on the same subnet.

  When I set them up with the Syslog on SSL in Insight Journal, nothing is sent. However, if I change to TCP, I start to receive data.

  What could be the problem?

  Yes, you can simply copy and paste the certificate into /etc/vmware/ssl/castore.pem PEM format. If you have several, you can concatenate the. You can

  It will not work with your current version, if. Log Insight 3.0 doesn't support SSLv3 (to stop the attack POODLE vector), but 5.5U2b ESXi predates this and requires SSLv3. You will need decommissioning at Log Insight 2.5 - or - apply a patch of ESXi. See KB 2135410 and 2135795.

  Suite is on ESXi build 3247226:

  OpenSSL s_client-connect loginsight.local:1514 < ev/null="" |="" openssl="" x509="" -outform="" pem=""> > /etc/vmware/ssl/castore.pem

  head /etc/vmware/ssl/castore.pem n 2

  -BEGIN CERTIFICATE-

  MIIFwTCCA6mgAwIBAgIEZp + XkzANBgkqhkiG9w0BAQsFADCBkDELMAkGA1UEBhMC

  esxcli system syslog configuration defined - loghost = "ssl://loginsight.local:1514."

  esxcli system syslog reload

  esxcli system syslog mark s "test message from 3247226 via the Protocol ssl 3.0 LI."

  ip to the esxcli network connection list | grep 1514

  TCP 0 0 esxihost:23351 loginsight.local:1514 ESTABLISHED 35915 newreno vmsyslogd

  And the message is received by the Insight journal.

• Personal certificate said sucessfully restored after importation, but does not appear on the list of certificates.

  Mac OSx 10.8.2
  Firefox 18.0
  Firefox-> Prefrences-> advanced-> encryption-> Certificates-> import
  Select the cert, enter the password, and then I get this message: successfully restored your security certificates and the private key.
  However the cert does not appear on my list of certs, and I can't access the site requiring this cert.

  CERT has worked in 17 combined with OS 10.7.X worm
  CERT works on my win box 7 with firefox 17.0.1

  Try renaming the file cert8.db in the Firefox profile folder in cert8.db.old or remove the cert8.db file to remove the intermediate certificates that Firefox has stored.

  If it helped to solve the problem, then you can delete the renamed file cert8.db.old.
  
  Otherwise you can rename (or copy) the file cert8.db.old to cert8.db to restore previous intermediary certificates.
  
  Firefox automatically records the intermediate certificates when you visit Web sites that send such a certificate.

  If that didn't help then remove or rename secmod.db (secmod.db.old) as well.

• Install certificates for EAP - TLS does ACS does not work

  Hi all

  I have two problems.

  I produced a CSR ACS and sent my people to windows this and they published my ACS with a certificate. Cool.

  I'm going to download the GBA and I put a 'private key file?

  What is this file? and where can I get a? What is this long string of characters that generate the CSR, I sent the boys of windows?

  Also, I managed to just put any old rubbish in there? and I was surprised he accepted.

  Restarted the service IS and I tried to turn it on eap - tls on the "Overall Authentication Configuration" page to get only the message

  Could not initialize authentication PEAP or EAP - TLS because that Protocol

  certificate is not installed. Install CA using "ACS."

  «Configuration of CA page»»

  Now, I'm a little confused, because if have the installer GBA incorrectly, because of my lack of understanding of what this private key file and how it relates to all which?

  Thx a lot indeed.

  Ken

  I'm having the same problem. It seems the guys from windows to generate a cert that it must be exportable, which offers also private key file. I tried the following without success document. It can work for you, however, http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_configuration_example09186a008020a45c.shtml

  I also tried to have the ACS to generate a certificate self-signed, that works. But on the client, you must uncheck the box validate the server certificate because GBA is not a trusted certificate servers. Right now I'm trying to understand how ad to publish the ACS as a trusted cert server so windows knows to do trust the cert of the ACS. Through all this, I found that you can configure in several ways, the most difficult part is to find a way that works for you.

• Cisco ACS with external DB - EAP - TLS

  Hi guys,.

  I understand how the EAP - TLS exchange works (I think), but if I have a client (with or without wire) that uses EAP - TLS with a CBS, I confirm the following.

  Let both users and computer certificates are used:

  1. customer and ACS are with each of the other automatic certificates to ensure they are known to each other. The eap - tls Exchange.

  2A. At any given time and I'm assuming until the successful eap - tls message is sent to the client, the ACS to check if the user name or computer name is in the AD database?

  2B. Wot is the parameter that is checked on the AD database?

  I read here that it can be: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/peap_tls.html#wp999517

  Client certificates

  The client certificates are used to identify with certainty the user in EAP - TLS. They have no role in the construction of the TLS tunnel and are not used for encryption. A positive identification is made by one of three ways:

  CN (or name) comparison-compare CN in the certificate with the user name in the database. More information on this type of comparison is included in the description of the subject field of the certificate.

  Comparison of SAN-compare the San in the certificate with the user name in the database. It is only supported from the ACS 3.2. More information on this type of comparison is included in the description of the field another name of the subject of the certificate.

  Binary comparison - compare the certificate with a binary copy of the certificate stored in the database (only AD and LDAP for that). If you use the binary comparison of certificate, you must store the user certificate in a binary format. Also, for the generic LDAP and Active Directory, the attribute that stores the certificate must be the standard LDAP attribute named "usercertificate".

  3. with the foregoing, if options 1 or 2 are used (CN or SAN comparison), I guess it's just a check between a value out the CERT of the ACS and checked with AD, is that correct? With option 3, GBA exercise a complete comparison of the certificate between what the client and a "cert stored client" on the AD DB?

  Please can someone help me with these points.

  I'm so lost in this kind of things :)) I think.

  Thx a lot and best regards,

  Ken

  TLS only * handle * is complete/successful, but because the user authentication fails.

  CryptoLib.SSLConnection.pvServerInfoCB - process of TLS data: State = SSLv3 client SSL read Exchange of keys A

  CryptoLib.SSLConnection.pvServerInfoCB - process of TLS data: State = SSLv3 read Certificate SSL check

  CryptoLib.SSLConnection.pvServerInfoCB - process of TLS data: SSL = SSLv3 read state completed A

  CryptoLib.SSLConnection.pvServerInfoCB - process of TLS data: State = SSLv3 write change cipher spec A SSL

  CryptoLib.SSLConnection.pvServerInfoCB - process of TLS data: SSL = SSLv3 write finished State has

  CryptoLib.SSLConnection.pvServerInfoCB - process of TLS data: State = SSLv3 data embedded SSL

  CryptoLib.SSLConnection.pvServerInfoCB - process of TLS data: State SSL = SSL handshake completed successfully

  EAP: EAP - TLS: handshake succeeded

  EAP: EAP - TLS: authenticated handshake

  EAP: EAP - TLS: CN using the certificate as an authentication identity

  EAP: State EAP: action = authenticate, username = 'Jousset', the user identity is "jousset.

  pvAuthenticateUser: authenticate "jousset" against CSDB

  pvCopySession: assignment session group ID 0.

  pvCheckUnknownUserPolicy: Group of session ID is 0, the call pvAuthenticateUser.

  pvAuthenticateUser: authenticate "jousset' against the Windows database

  External DB [NTAuthenDLL.dll]: Cache of Creating Domain

  External DB [NTAuthenDLL.dll]: Domain for loading Cache

  External DB [NTAuthenDLL.dll]: no UPN Suffixes found

  External DB [NTAuthenDLL.dll]: could not get the domain controller for dwacs.com trust, [error = 1355]

  External DB [NTAuthenDLL.dll]: could not get the domain controller for enigma.com trust, [error = 1355]

  External DB [NTAuthenDLL.dll]: could not get the domain controller for acsteam.com trust, [error = 1355]

  External DB [NTAuthenDLL.dll]: could not get the domain controller for vikram.com trust, [error = 1355]

  External DB [NTAuthenDLL.dll]: domain loaded cache

  External DB [NTAuthenDLL.dll]: could not find the user jousset [0 x 00005012]

  External DB [NTAuthenDLL.dll]: user Jousset is not found

  pvCheckUnknownUserPolicy: assignment session group ID 0.

  Unknown user "jousset" was not authenticated

  If EAP-failure (RADIUS Access-Reject (is sent, no EAP-Success(Radius Access-Accept).))

  And no matter how port will not be allowed to pass traffic unless the NAS device gets an EAP-Success(Radius Accept) for the user.

  HTH

  Kind regards

  Prem

• Machine based authentication using EAP - TLS, MS CA and 5.2 of the ACS

  I use ACS 4.2 for Windows for a couple of years now and I'm pretty comfortable with it.  5.2 model is much more different than what I expected.  We downloaded the trial in our laboratory for 90 days, and I try to get 802. 1 x wired works so we can be sure that we want to buy it.  I've looked everywhere and I have been unable to find some basic instructions on how to configure the following in a step by step process scenario:

  1. integrated AD

  2 EAP - TLS

  3 certificates

  4 Microsoft CA

  5. the applicant is XP SP 3

  6 non-Cisco 802.1 x compatible switches (switches are not the question)

  I got GANYMEDE to work fairly easily, but I am confident the issues I have are user based :).  Does anyone know of a doc somewhere that goes on a scenario like this (in addition to the user manual and docs of migration ISBN)?  Also, we have the assurance of software on our box 4.2 - TAC support questions we have on the 5.2 box while we are it do demonstrations?

  Thanks in advance.

  Hello, Christopher.

  I'll try to give you some tips to achieve what you want.

  Additional info can be found in the user guide:

  http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/acsuserguide.html

  1. in the identity store / Active directory, check "enable machine authentication.

  2 import a certificate for ACS

  Go to System Administration > Configuration > Local Server Certificates > Local certificates and click the Add button.

  Select how you want to import the certificate, and then verify the Protocol EAP

  3. Add your switches as aaa clients

  Access network resources > network hardware and the AAA Clients, click on create and add configure address IP + shared secret for the RADIUS.

  4-go to access policies > Access Services and click on create a new access service.

  Select the selected Type of Service and network access in the list.

  Verify the identity, group mapping and authorization

  5 - go to the access policies > rules of selection and select "Rule based selection result" if not already done, then click Customize at the bottom right of the screen, and then add the properties that allows you to match your device with which you want to do TLS.

  You can use the IP address of devices, or you can create a NDG (in network resources), assign devices to the NDG and match this NDG in your rule.

  If all your switches RADIUS will make eap - tls, you can change the rule

  Rule-1

  Ray game

  Default network access

  While in the result, you choose your service of access created in step 3.

  6 - go to the access policies and click on the access service that you created in step 3. In the allowed Protocols tab, see EAP - TLS

  7. unfold your access service menu, and then click identity. Select your ad as being the source of the identity

  8. check that the 'Allowed access' rule is selected in the authorization to access your service

  These measures define your devices, and then create a rule to say that ACS must use an individual service for this access devices and set this access service to use AD as authentication.

  Again, what are the basic steps, he may miss some things to do depending on your configuration, but I hope this will help you.

  ACS 5 may be difficult at first, but once you get your hands on it, you will see that it is powerful.

• Authorization of EAP - TLS machine uses ACS 5.2

  Hi all

  I've been struggling with this during a few days now and I think there must be something I'm not quite understand.

  We strive to deploy new wireless infrastructure using windows, APs from Motorola (with switches RFS) wireless clients and using a Cisco ACS as Radius Server 5.2.

  Trying to get EAP - TLS to work, I can get customers to connect if no actual authorization is used, but when I try to validate if the name of the computer in the client certificate belongs to a particular group, the authorization fails.  I don't see how to get the ACS to use the RADIUS "Username" it receives via the certificate allowing the machine.  The value of the Radius user name attribute is the name of the machine.  I would like the ACS to check to determine if this computer name belongs to a group, especially in the Windows AD.

  We started with PEAP-MSCHAPv2, but security wanted machine authorization so we thought that EAP - TLS was the only way to get it.  Now I'm not sure.

  I would like if someone can guide me in obtaining the ACS to validate if the computer belongs to a group in Active Directory using

  (1) EAP - TLS

  (2) PEAP-MSCHAPv2

  Thank you!

  Hello.

  Just check something here:

  You have in your policy, in terms of identity, AD1 (or certain Sequences of identity store with inside AD1) listed as Source of identity?

• 4.2 of the ACS and EAP - TLS with AD and prefix problem

  Hello

  We have the following situation:

  -2 X ACS (ACS SE 4.2 1 x and 1 x 4.2 ACS) for domain

  -2 x ACS (ACS SE 4.2 1 x and 1 x 4.2 ACS) for domain b.

  First of all, there is a problem to have an ACS SE and a CBS work together for an area, I do not? When we haven't had that one area and the two SE ACS were responsible for domain A, it worked.

  Now after the changes, authentication of machine with EAP - TLS is no longer in effect. In the newspapers, it always says that "external user DB is unknown" for a username (machine) as host/abc.domain.ch

  This is the normal output of the Remote Agent, he finds the host but then nothing happens:

  CSWinAgent 2009-11-30 16:32:13 0140 3672 0x0 customer who connects from x.x.x.x:2443
  CSWinAgent 2009-11-30 16:32:14 0507 3512 0x0 CPP: NT_DSAuthoriseUser received
  CSWinAgent 2009-11-30 16:32:14 0474 3512 0x0 NTLIB: Creating Domain cache
  CSWinAgent 2009-11-30 16:32:14 0549 3512 0x0 NTLIB: domain Cache loading
  CSWinAgent 2009-11-30 16:32:14 0646 NTLIB 3512 0x0: none of the trusted domains found
  CSWinAgent 2009-11-30 16:32:14 0735 3512 0x0 NTLIB: cache loaded field
  CSWinAgent 2009-11-30 16:32:14 2355 3512 0x0 NTLIB: user "host/abc.domain.ch" found [FIELD]
  CSWinAgent 2009-11-30 16:32:14 0584 0 x 3512 0 RPC: NT_DSAuthoriseUser response sent

  So I did a test of the ASA to see if the host is a problem (until changes have been made it was not a problem):

  AAA authentication RADIUS host 10.3.1.9 username host/abc.domain.ch to test (the ASA becomes the host / entry for the correct Windows scheme with the $):

  CSWinAgent 2009-11-30 15:39:23 0140 3672 0x0 customer who connects from x.x.x.x:1509
  CSWinAgent 2009-11-30 15:39:23 0390 0 x 3728 0 RPC: NT_MSCHAPAuthenticateUser received
  CSWinAgent 2009-11-30 15:39:23 0474 3728 0x0 NTLIB: Creating Domain cache
  CSWinAgent 2009-11-30 15:39:23 0549 3728 0x0 NTLIB: domain Cache loading
  CSWinAgent 2009-11-30 15:39:23 0646 NTLIB 3728 0x0: none of the trusted domains found
  CSWinAgent 2009-11-30 15:39:23 0735 3728 0x0 NTLIB: cache loaded field
  CSWinAgent 2009-11-30 15:39:23 1762 3728 0x0 NTLIB: had WorkStation CISCO
  CSWinAgent 2009-11-30 15:39:23 1763 3728 0x0 NTLIB: Windows authentication attempts for user ABC$
  CSWinAgent 2009-11-30 15:39:23 1815 3728 0x0 NTLIB: Windows authentication FAILED (Error 1326 L)
  CSWinAgent 2009-11-30 15:39:23 0373 3728 0x0 NTLIB: retry authentication to the domain
  CSWinAgent 2009-11-30 15:39:23 0549 3728 0x0 NTLIB: domain Cache loading
  CSWinAgent 2009-11-30 15:39:23 1762 3728 0x0 NTLIB: had WorkStation CISCO
  CSWinAgent 2009-11-30 15:39:23 1763 3728 0x0 NTLIB: Windows authentication attempts for user ABC$
  CSWinAgent 2009-11-30 15:39:23 1815 3728 0x0 NTLIB: Windows authentication FAILED (Error 1326 L)
  CSWinAgent 2009-11-30 15:39:23 0456 0 x 3728 0 RPC: NT_MSCHAPAuthenticateUser response sent

  It is clear that the test failed because of the bad 'past to a computer' but it's a different output as before. I saw that in ACS 4.1, you can change the prefix of send_break_action for nothing, but in 4.2 it is no longer possible.

  This could be the problem, or if someone sees no other problem?

  Best regards

  Dominic

  Hello

  I encounter the same problem with my acs. I have all of the attempts failed for the default group. For the default group made configuration is not available. Is - this thereason behind all this?

• 802. 1 x EAP - TLS for wired users with ACS 5.5

  Hi all

  We are setting up a new configuration for wired users authentication with 802.1 x (EAP - TLS). ACS 5.5 we use as an authentication server.

  We have added the certificate (internal) CA root and certifcate for ACS signed by CA. Now, we want to check that authentication works or not. I hope that the CA root and identity certifcate also we need to install in laptop computers. But I don't know how to download the certifcates for client machine manually to CA.

  Please suggest on how to get certificates for clients both manually and automatically?

  Thank you

  Vijay

  Hi Vijay,

  for Wired 802.1 x (EAP - TLS) you must have the following certificates:

  Intermediate server on ACS - Root CA, CA certificate,

  The customer - Root CA, intermediate CA, user certificate (in the case of user authentication) or Machine certificae (in the case of authentication of the computer)

  I do not know what third-party certificate you use, if its Microsoft in the House or any other certificate server, you need to download the client certificate to the server itself.

  In the case of Microsoft, there will be a user certificate template. You can select and create user certificate

  This is an old document, but a computer certificate for the user configuration steps, you can see the steps to download the certificate user if his server from Microsoft:

  http://www.Cisco.com/c/en/us/support/docs/security/secure-access-control...

  In case you use the third serevr certificate, then you must check with them on how to download the certificate of the user

  See you soon

  Mohammed (rate useful message)

• ACS 5.5 with EAP - TLS SHA 256 certificates

  Hi all

  Well, I just want to confirm that ACS 5.5 supports EAP - TLS with certificates SHA2.

  Thank you

  Manel

  Manel salvation,

  There was a time long deposited back enhancement to support EAP - TLS SHA 256 and obtained certificates fixed ACS 5.2 leave.

  CSCtd34175    Support for SHA2 certificates

  To answer your question, ACS 5.5 does support SHA2 certificates with eap - tls.

  ~ BR

  Jatin kone

  * Does the rate of useful messages *.