Cisco ACS Local certificate

Similar Questions

• How to remove the 5.2 ACS Local certificate

  Summer tinker around in our ACS 5.2 devices today to PEAP configuration. I generated a self-signed certificate under local certificates that I want to delete now. But when I try to remove it I get the following message is displayed:

  This failure has occurred: certificate is associated with a protocol. Therefore, it can be removed... Your changes have not been save. Click OK to return to the list page.

  I guess that's because it is associated with the EAP protocol, but I can not uncheck the box when I change the local certificate. How can I get rid of this test certificate?

  You must change the other server certificate and mark it as being used for Protocol EAP

  This removes the parameter of your test certificate and can then be removed

  Not the most intuitive but works

• 5.4 double certificate option Cisco ACS

  Hello Experts

  I wonder if anyone knows if I can get two certificates on my Cisco ACS 5.4 server. The documentation says I can have it as long they have different 'from' and 'to' dates with a same name CN. However, this is a production server and wanted to if sure before I make changes. I currently have a certificate installed and everything works well but need to add a second for migration purposes.

  Hovsep Armeni
  LAN, UK

  A certificate can be linked to these two services (HTTP and EAP), however, each service can only be associated with a single certificate. Thus, for example, you cannot have two certificates that are related to the EAP process.

  Thank you for evaluating useful messages!

• Renew the certificate in Cisco ACS for PEAP authentication

  Hi, we installed in laptops wireless customer a certificate created by Cisco ACS to authenticate, but its about to expire.

  How can I do to renew the certificate whithout affecting users.

  (1) Yes, we can generate a new cert but install the latter.

  (2) install generated new cert on the client.

  (3) install the new cert in ACS.

  Good plan and will probably work.

  Kind regards

  ~ JG

  Note the useful messages

• Problem with certifcate on Cisco ACS

  We want to authenticate our internal wireless users using our Cisco ACS running 5.3.  GBA questions our Active Directory environment for the user name and password provided.  I created a CSR on GBA and it provided to Entrust.  They gave me a root certificate, string and server.  I've linked the server certificate to the CSR under System Administration > Local Server Certificates > local certificates.  I then added the chain and the root certificates to the users of the site and identity stores > autorit├⌐s.  When I try to connect to a laptop client he asks a user name and password, but after entering this information, I am presented with the warning on this certificate below.  This certificate is to Entrust and I see the certificate root in the root store on the laptop.  Any ideas what would cause this.  TAC does not seem to have all the answers.  They say it's a problem of the client machine.

  

  In case you want to check your configuration settings.

  http://www.Cisco.com/en/us/products/ps10315/products_configuration_example09186a0080bd1100.shtml

  ~ BR
  Jatin kone

  * Does the rate of useful messages *.

• Register with different versions of the CSA to Cisco ACS primary

  Hello, I updated a backup unit of two ACS to the 5.4.0.46.0a version first I changed it to standalone, and now I'm trying to save for the main CSA that is running the 5.1.0.44.2 version

  And I get this error

  This failure has occurred: com.cisco.nm.acs.im.certificate.Certificate; incompatible local class: stream classdesc serialVersionUID = 8507982043664257993, local class serialVersionUID = 1927357986028617243. Your changes have not been saved. Click OK to return to the list page.

  What can I do to solve it?

  Kind regards

  The primary and the secondary must be run on the same code.

  Jatin kone
  -Does the rate of useful messages-

• Cisco Security Manager integration with Cisco ACS troubleshooting

  Hi all!

  I have a problem with the integration between Cisco Security Manager and ACS. I've done the integration, but the identity of the user system doesn't have enough privileges. I know what the problem is, but I don't know how I can change the login of the ACS to the local MSC?

  I found a file that specifies the following:

  Q.

  Is there a backend script or command line interface options to change the ACS to local CicsoWorks connection module?

  A.

  To restore the server LMS ACS local user mode mode, stop the CiscoWorks

  demons and run the following script:

  NMSROOT/bin/perl ResetLoginModule.pl

  (for Solaris)

  NMSROOT\bin\perl ResetLoginModule.pl

  (for Windows)

  Then, restart the daemon.

  I did it, but does not work, any idea?

  Hello

  I guess you can try to go through the question on WSC and GBA integration troubleshooting:

  http://www.Cisco.com/en/us/docs/security/security_management/cisco_security_manager/security_manager/3.0/troubleshooting/guide/rbacts.html#wp1043629

  Few things might have gone wrong:

  1 - this command must be run on the server MCS cmd prompt (make sure that you are not on the client computer)

  2 - NMSROOT is the directory were MSC Server is installed. Is usually c:\Progra~1\CSCOpx

  3. you must stop the deamon Manager before performing this action (and restart)

  For example if the directory is the one above to reset the connection locally, you can try the following:

  net stop crmdmgtd---> that stops the daemon Manager (can be done by the services window)

  c:\Progra~1\CSCOpx\bin\perl c:\Progra~1\CSCOpx\bin\ ResetLoginModule.pl---> restores local authentication

  net start crmdmgtd---> restart the Daemon Manager

  Can you maybe try again and let me know how it goes?

  Thank you

• Problem with Cisco ACS and different areas

  Hello

  We are conducting currently a problem with Cisco ACS that we put in place, and I'll try to describe:

  We have ACS related directory AD areas, where we have 2 domains and appropriate group mappings.

  Then we have our Cisco switches with the following configuration,

  AAA new-model

  AAA-authentication failure message ^ CCCC

  Failled to authenticate!

  Please IT networks Contact Group for more information.

  ^ C

  AAA authentication login default group Ganymede + local

  AAA authorization exec default group Ganymede + local

  AAA authorization network default group Ganymede + local

  AAA accounting exec default start-stop Ganymede group.

  orders accounting AAA 15 by default start-stop Ganymede group.

  !

  AAA - the id of the joint session

  But the problem is that with the users in a domain, we can authenticate, but not the other. Basically, the question is that when we check on the past of authentication, two authentications are passage and the display of 'Authentic OK', but on the side of the switch, there is a power failure.

  There may be something wrong with the ACS?

  Thank you

  Jorge

  Try increasing the timeout on IOS device using radius-server timeout 10.

  Do we not have journaling enabled on the ACS server remotely?

  -Philou

• ISE Local certificate and the certificates in the certificate store

  Hello

  I'm pretty new to ISE and read the document in the link below to create understanding "Local certificates" and "certificate store certificates. It seems that in the former certificate is used to identify the EHT on customers and is later used to identify customers at the ISE.

  http://www.Cisco.com/c/en/us/TD/docs/security/ISE/1-2/installation_guide...

  Now, what part of the ISE configuration told him to check the certificate sent by the client in its certificate store? I am somehow the mixture up with "Certificate authentication Profile", which is used in the identity Source sequence. But I guess that the certificate authentication profile is used to verify the certificates from a source of external identity as AD or LDAP. So where do we consider 'certificate certificate store' in our configuration of ISE.

  Thanks in advance for help out me.

  Kind regards

  Quesnel

  Hi Quesnel-

  (ISE) server certificate can be used for are:

  1 HTTP/HTTPs - is for the ISE web server that is used to host various portals (comments, Sponsor, BYOYD, my devices, etc.). This certificate is normally issued by a public CA such as VeriSign or GoDaddy. A public certification authority is not necessary, but outside your environment, customers who do not trust the certification authority that issued the certificate will get an error HTTPs warning to users that the certificate could not be verified.

  2 EAP - this is for EAP based authentication (EAP - TLS, EAP-PEAP, EAP-PEAP-TLS, etc.). This certificate is usually issued by an internal CA. The same certification authority issues usually user and/or computer-based certificates that can be used for the authentication type EAP - TLS.

  The certificate store is used to store root certificates and intermediate certificate authorities you ISE to trust. By example, if a computer is running a machine ISE authentication must trust the certification authority who has signed/issued the machine certificate. Therefore, the machine will also have to trust the certification authority which has issued/signed the ISE server certificate that you torque to the EAP process.

  Profile of teh authentication certificate is required if you want to use certificate based authentication. The CAPE tells ISE which attribute of the certificate should be used for the usernmane. Then based on that you can create more specific authorization profiles/rules information. You can also configure CAP to make a comparison of binary certificate with AD and confirm wheather or not the certificate is/has been published to AD.

  I hope this helps!

  Thank you for evaluating useful messages!

• Cisco ACS 5.4 and VPN 3000

  Hello

  I'm trying to use CIsco ACS 5.4 for RADIUS authentication for VPN by using VPN concentrator 3000 users.

  I added the VPN 3000 on ACS and added GBA on VPN group with a shared secret authentication server. When I do a test on the authentication server using the local account that I created on ACS it happens as no response was received from the server so that I can see the RAIDUS AAuth in green.

  Any help would be much appreciated.

  Concerning

  AR

  Hey,.

  What is the report on GBA?

  "RAIDUS AAuth in green"

  If so, a pcap help between the two.

  Concerning

  Ed

• Client VPN Cisco router Cisco, MSW CA + certificates

  Dear Sirs,
  Let me approach you on the following problem.

  I wanted to use a secure between the Cisco VPN client connection
  (Windows XP) and Cisco 2821 with certificate-based authentication.
  I used the Microsoft certification authority (Windows 2003 server).
  Cisco VPN client used eTokenPRO Aladdin as a certificate store.

  Certificate of MSW CA registration and implementation in eToken ran OK
  Customer VPN Cisco doesn't have a problem with the cooperation of eToken.
  Certificate of registration of Cisco2821 MSW ca ran okay too.

  Cisco 2821 configuration is standard. IOS version 12.4 (6).

  Attempt to connect to the client VPN Cisco on Cisco 2821 was
  last update of the error messages:

  ISAKMP: (1020): cannot get router cert or routerdoes do not have a cert: had to find DN!
  ISAKMP: (1020): ITS been RSA signature authentication more XAUTH using id ID_FQDN type
  ISAKMP (1020): payload ID
  next payload: 6
  type: 2
  FULL domain name: cisco - ca.firm.com
  Protocol: 17
  Port: 500
  Length: 25
  ISAKMP: (1020): the total payload length: 25
  ISAKMP (1020): no cert string to send to peers
  ISAKMP (1020): peer not specified not issuing and none found appropriate profile
  ISAKMP (1020): Action of WSF returned the error: 2
  ISAKMP: (1020): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
  ISAKMP: (1020): former State = new State IKE_R_MM5 = IKE_P1_COMPLETE

  Is there some refence where is possible to find some information on
  This problem? There is someone who knows how to understand these mistakes?
  Thank you very much for your help.

  Best regards
  P.Sonenberk

  PS Some useful information for people who are interested in the above problem.

  Address IP of Cisco 2821 10.1.1.220, client VPN IP address is 10.1.1.133.
  MSW's IP 10.1.1.50.
  Important parts of the Cisco 2821 configuration:

  !
  cisco-ca hostname
  !
  ................
  AAA new-model
  !
  AAA authentication login default local
  AAA authentication login sdm_vpn_xauth_ml_1 local
  AAA authorization exec default local
  AAA authorization sdm_vpn_group_ml_1 LAN
  !
  ...............
  IP domain name firm.com
  host IP company-cu 10.1.1.50
  host to IP cisco-vpn1 10.1.1.133
  name of the IP-server 10.1.1.33
  !
  Authenticated MultiLink bundle-name Panel
  !
  Crypto pki trustpoint TP-self-signed-4097309259
  enrollment selfsigned
  name of the object cn = IOS - Self - signed - certificate - 4097309259
  revocation checking no
  rsakeypair TP-self-signed-4097309259
  !
  Crypto pki trustpoint company-cu
  registration mode ra
  Enrollment url http://10.1.1.50:80/certsrv/mscep/mscep.dll
  use of ike
  Serial number no
  IP address no
  password 7 005C31272503535729701A1B5E40523647
  revocation checking no
  !
  TP-self-signed-4097309259 crypto pki certificate chain
  certificate self-signed 01
  30820249 308201B 2 A0030201 02020101 300 D 0609 2A 864886 F70D0101 04050030
  .............
  FEDDCCEA 8FD14836 24CDD736 34
  quit smoking
  company-cu pki encryption certificate chain
  certificate 1150A66F000100000013
  30820509 308203F1 A0030201 02020 HAS 11 092A 8648 01000000 13300 06 50A66F00
  ...............
  9E417C44 2062BFD5 F4FB9C0B AA
  quit smoking
  certificate ca 51BAC7C822D1F6A3469D1ADC32D0EB8C
  30820489 30820371 A0030201 BAC7C822 02021051 D1F6A346 9D1ADC32 D0EB8C30
  ...............
  C379F382 36E0A54E 0A6278A7 46
  quit smoking
  !
  ...................
  crypto ISAKMP policy 30
  BA 3des
  md5 hash
  authentication rsa-BA
  Group 2
  ISAKMP crypto identity hostname
  !
  Configuration group customer isakmp crypto Group159
  key Key159Key
  pool SDM_POOL_1
  ACL 100
  !
  the crypto isakmp client configuration group them
  domain firm.com
  pool SDM_POOL_1
  ACL 100
  !
  Crypto ipsec transform-set esp-3des esp-md5-hmac 3DES-MD5
  !
  crypto dynamic-map SDM_DYNMAP_1 1
  the transform-set 3DES-MD5 value
  market arriere-route
  !
  card crypto SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
  map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1 crypto
  client configuration address map SDM_CMAP_1 crypto answer
  map SDM_CMAP_1 65535-isakmp dynamic SDM_DYNMAP_1 ipsec crypto
  !
  ................
  !
  end

  status company-cu of Cisco-ca #show cryptographic pki trustpoints
  Trustpoint company-cu:
  Issuing CA certificate configured:
  Name of the object:
  CN = firm-cu, dc = company, dc = local
  Fingerprint MD5: 5026582F 8CF455F8 56151047 2FFAC0D6
  Fingerprint SHA1: 47B 74974 7C85EA48 760516DE AAC84C5D 4427E829
  Universal router configured certificate:
  Name of the object:
  host name = cisco - ca.firm.com
  Fingerprint MD5: E78702ED 47D5D36F B732CC4C BA97A4ED
  Fingerprint SHA1: 78DEAE7E ACC12F15 1DFB4EB8 7FC DC6F3B7E 00138
  State:
  Generated keys... Yes (general purpose, not exportable)
  Authenticated issuing certification authority... Yes
  Request certificate (s)... Yes

  Cisco-ca #sh crypto pubkey-door-key rsa
  Code: M - configured manually, C - excerpt from certificate

  Name of code use IP-address/VRF Keyring
  C Signature name of X.500 DN default:
  CN = firm-cu
  DC = company
  DC = local

  C signature by default cisco-vpn1

  IMPORTANT: I don't have a Cisco IOS Software: 12.4 (5), 12.3 (11) T08, 12.4 (4.7) PI03c,.
  12.4 (4.7) T - there is error in the cryptographic module.

  Hey guys, it's weird that the router is not find cert after IKE is the cert and validates, it is certainly not reason, but I would go ahead and set up the mapping of certificate on this router to force the client to associate with Group of IKE, for that matter, that you need to change your config a bit for use iskamp profiles :

  http://www.Cisco.com/en/us/docs/iOS/12_3t/12_3t8/feature/guide/gt_isakp.html

• Cisco ACS, multiple CA, assignment of VLAN relevant to the domain

  Hi all

  I searched for a solution to a specific customer requirement.

  I want authenticate users with certificates from different RootCA wireless and assign them to one VLAN based on their field?  Ideally, using the same SSID and a Cisco ACS server.

  Is this possible?  Has anyone seen that it works?

  I realize that the ACS can have trust company for the relevant RootCA (dunno what version is needed for this?).  And that assignment VLAN is also possible to a unique SSID based on RADIUS attributes.  But I am not sure that these parts would fit together?

  Would appreciate some advice!

  Thanks in advance

  Rob

  Hello

  Yes, this is possible. I suggest that you implement one by one to make sure that everything works, but no problem to do so. All recent versions of ACS allow this.

  You can do mapping group from ad groups (a group for each area, so if you want to) and assign the vlan based on the mapping of this group.

  GBA can trust several certification authorities and authenticate users with certificates of all these cases. It's just a matter of import these number certificate in the trust list.

  And you can assign the vlan and use only one ssid as well.

  I can't guide you on the procedure that it depends on which version you have and if you have IOS ap or WLC, but it is basically each function separated as in the config Guide and just used all together.

  Nicolas

  ===

  Remember responses of the rate that you find useful

• Cisco ACS 5.4 repositories

  Hello world!

  I would like to know the possibility of FAC functions. As you can see on newspapers, I have 2 deposits:

  (1) local db (I maen on cisco acs)

  (2) ftp server

  I would like to copy from local database to the ftp server, and then delete all local db. If it is possible how can I do?

  Incremental backup restore

  Backups available to restore

  Backups available to restore the Date Type of repository name

  acsviewdbfull_xxx-acs-xxx-1_20121205_143351 05/12/2012 LogBackUp Full

  acsviewdbfull_xxx-acs-xxx-1_20121231_020000 31/12/2012 LogBackUp Full

  acsviewdbfull_xxx-acs-xxx-1_20140128_100837 28/01/2014, full xxx-acs-xxx-1-2-backup

  You can copy a file to local repository to a remote ftp server using the command copy.

  ACS54 / admin # copy disk: / / "> ftp: / / .

  Prompt for user name and password will follow.

  Then delete the files on local repository respectively using the command delete.

  ACS54 / admin # remove disk: / /.

• Cisco ACS AD authentication

  Hello!

  IM currently deploying Cisco ACS 5.4 on our netwrok and I'm looking for in some additional measures to ensure authentication and authorization to the devices.

  I would like to ask if anyone has any advice on the following as I may have been embarrassed to do this way myself.

  OK the users that now are authenticated with an external identity store (Active Directory). I would like to know if theres a way also to authenticate these users or allow them to ACS so that when the IT Department adds a user who should not be in a group, but the group is authenticated to a set of devices, this user will be nto be able to access devices.

  A simpler explanation is as follows.

  E.t.c groups are ficitonal

  I have group in AD called "Engineers" that contains 2 users, user A and user B.

  Engineers have a shell on ACS profile that gives permissions/privileges superuser on the devices.

  However, Active Directory is managed by the it Department that could be social designed to add a C user in this group.

  What I need to know is a way to allow the user has and user B to access devices while maintaining the profile of the shell with the Group of ads "engineers."

  I am aware of the conditions is devoted to profiles/authorization rules. Is that mean I have to create both local users and assign their passwords as well?

  Im a bit confused as you can see it...

  Any help will be greatly appreciated!

  Thank you!

  Because user C would be added to the same group that already contains users A and B and the authorization rule is configured to grant access from root of users A and B belonging group engineering, then user C will also be granted this access.

  ACS has no way to know what the users are members of the engineering group, nor can it detect that the user C has been successfully added.

  If you want to use the credentials of the AD and at the same time maintain a canonical list of users for ACS check, you will need to create local GBA users, as you suggested above.

• [Cisco ACS 5.2] EAP - TLS authentication failure

  What we are e

  Hello

  I set up a WiFi connection on Windows XP and Windows 7 with EAP - TLS (using Cisco WLC 7.0.235.3 and Cisco ACS 5.2.0.26.10). It is configured with the authentication of the computer and computer certificates are automatically registered for Microsoft PKI.

  It works well!

  Now, I configured Windows 8 with the same configuration.

  First authentication works, but if I manually disconnect and reconnect, I got this error on ACS: 22047 username main attribute is missing from the client certificate

  In the EAP packets, we could see that Windows 8 sent a TLS session but ticket session has not properly taken over by ACS...

  Configuration of the ACS, we checked the option "enable EAP - TLS Session resume' with the session timeout"7200 ".

  I found this bug

  http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId= CSCtn26538& from = summary

  It seems to be my problem but the reboot does not work in my case...

  It is set at 5.3 (0.40.2).

  I plan to install version 5.4.

  Do you know if this fix is supported by 5.4?

  Thanks for your help,

  Patrick

  Hi Patrick,

  What is set in point 5.3 must be set in point 5.4.

  Even if the same issue appeared with 5.4 there an ID different bug and identified as an independent issue (with different causes, usually)

  HTH

  Amjad

  Rating of useful answers is more useful to say "thank you".