Renew the certificate in Cisco ACS for PEAP authentication

Hi, we installed on our customer's wireless laptops a certificate created by Cisco ACS for authentication, but it is about to expire.

How can I renew the certificate without affecting users?

(1) Yes, we can generate a new cert but install it later.

(2) Install the newly generated cert on the clients.

(3) Install the new cert in ACS.

Good plan; it will probably work.

Kind regards

~ JG

Please rate useful posts.

Tags: Cisco Security

Similar Questions

  • Error when trying to renew the certificate created by Adobe Reader

A digital signature (basic Windows certificate) has now expired. It had been used successfully for several years.

The user can no longer use this signature to sign digital signature fields in Adobe PDF documents.

This is the first time we are trying to renew this certificate. Previously we used to create a new certificate.

When trying to renew the certificate using the Certificates MMC snap-in (Certificate Manager), we get the following error:

"Request contains no certificate template information."

(Attached screenshots: WindowsCertificateManagerSnapIn.jpg, ErrorWhenRenewWindowsCertificate.jpg, ErrorWhenRenewWindowsCertificate3.jpg)

Any help in getting the digital signature certificate renewed would be greatly appreciated.

    Tarek

    Hi Tarek,

There are a number of things at play here. First off, let's get the terminology straight. What you are asking about isn't a digital signature, but rather a digital ID. Think of it this way: the digital ID is the equivalent of a pen, and it is used to create the digital signature, just as the quill is used to create the wet-ink signature.

What you need to do is called a key rollover, where you re-sign the public key to prolong its life. The big question is how you can re-sign the public key, and the answer is that you need the original certificate signing request (CSR in geek speak). Of course you don't have the CSR, because you don't get one when you use Acrobat/Reader to generate a self-signed digital ID. That probably raises the question: what is a self-signed digital ID? At the start of the generation process, building a digital ID first generates the private key and the public key. However, there is a bit of textual information that is also packed with the public key, such as your name and address (postal or e-mail). The public key and the text information are packaged in the CSR, so you have the private key and the CSR sitting there separately. The next step is to send the CSR to the issuer to sign with its private key. At this point the issuer name, validity period, serial number and other information are packaged up into the public key certificate file, which, incidentally, also contains the signature itself. Now you've got a signed public key certificate and the corresponding private key sitting on your computer. If you take the two pieces and combine them into a single file, you end up with a digital ID.

The thing is, when Acrobat/Reader generates a digital ID, it uses the private key to sign the CSR, so the resulting digital ID is known as "self-signed", in that the public key certificate part of the file has been signed by its own private key rather than by an issuing CA. The CSR is discarded during this operation and you end up with just a self-signed digital ID with a life expectancy of five years. The whole process is made as simple as possible for the end user, which is why there is no CSR floating around for them to deal with.

All that being said, your only option is to use Acrobat or Reader to create a new self-signed digital ID and start using that in place of the expired one. You are trying to use Microsoft CAPI (Cryptographic Application Programming Interface) to send the CSR to a CA to have them sign it and return a signed public key certificate file, but, as I'm sure you have guessed by now, you don't have a CSR to send, so MS-CAPI returns the error message you posted in red font. It can't really say that, but that's what it means.

    I hope this helps.

    Steve

  • Renewing the identity certificate on a Cisco ASA 5505: do I have to renew all user certificates?

    n00b question.

    I have to renew the SSL identity certificate on my Cisco ASA 5505 soon. Will I have to renew all the client certificates on their devices so they can establish a VPN tunnel?

    Hi dsartoros,

    If you are renewing a self-signed (locally generated) identity certificate, then you will need to push this certificate to the clients so that they can connect without getting an "untrusted server certificate" error.

    If you are renewing a certificate issued by a third-party CA (by sending a CSR to the CA), then you will not need to make any changes on the clients, as they already trust the root certificate of the certification authority that issued the first certificate.

    Kind regards
    Dinesh Moudgil

    PS: Please rate helpful messages.
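The Go program below is an added example; it is not code from any post on this page. It works through what Steve's Adobe answer and Dinesh's ASA answer both turn on: a certificate issued from a CSR by an issuer's key versus a self-signed identity (issuer equals subject, no CSR retained), and what each means for the clients when the certificate is renewed, which is also the rollover the PEAP question at the top of the page is asking about. Only Go's standard library is used; the CA name and the hostname acs.example.net are made up, and the client trust store is simulated with an x509.CertPool.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newKey generates the private half of a digital ID (ECDSA P-256).
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return k
}

// sign issues tmpl over pub under signerKey; parent == tmpl gives a self-signed cert.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	check(err)
	c, err := x509.ParseCertificate(der)
	check(err)
	return c
}

// template is a certificate body valid from an hour ago (clock skew) for the given number of days.
func template(serial int64, cn string, days int, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage, t.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
	}
	return t
}

// IssueFromCSR is the issuer side of "send the CSR to the CA": verify the CSR's own signature
// (proof that the requester holds the private key), then certify its subject and public key.
func IssueFromCSR(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte, serial int64) *x509.Certificate {
	csr, err := x509.ParseCertificateRequest(csrDER)
	check(err)
	check(csr.CheckSignature())
	leaf := template(serial, csr.Subject.CommonName, 365, false)
	leaf.Subject = csr.Subject
	return sign(leaf, ca, csr.PublicKey.(*ecdsa.PublicKey), caKey)
}

// IsSelfSigned reports whether the signature verifies under the cert's own public key.
func IsSelfSigned(c *x509.Certificate) bool {
	return c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// Trusted: would a client whose store holds exactly roots accept server?
// Hostname and EKU policy are disabled so only the trust question is tested.
func Trusted(server *x509.Certificate, roots *x509.CertPool) bool {
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// Outcome is what the clients see for each renewal style.
type Outcome struct {
	RenewedIsSelfSigned, LocalIsSelfSigned bool
	RenewedAccepted                       bool // CA-issued renewal; clients untouched
	LocalAcceptedBeforePush               bool // regenerated self-signed cert, not yet pushed
	LocalAcceptedAfterPush                bool // same cert after installing it on the client
}

// Simulate runs both renewal paths against a client store that trusts only the CA root.
func Simulate() Outcome {
	caKey := newKey()
	caT := template(1, "Example Third-Party CA", 3650, true) // constructed name
	ca := sign(caT, caT, &caKey.PublicKey, caKey)
	store := x509.NewCertPool()
	store.AddCert(ca)

	// Path 1: new key, new CSR, same CA (the third-party case).
	csrDER, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: "acs.example.net"}}, newKey()) // constructed name
	check(err)
	renewed := IssueFromCSR(ca, caKey, csrDER, 2)

	// Path 2: regenerate a locally signed identity; the key signs its own cert and no CSR is kept.
	localKey := newKey()
	localT := template(1, "acs.example.net", 365, false)
	local := sign(localT, localT, &localKey.PublicKey, localKey)

	out := Outcome{
		RenewedIsSelfSigned: IsSelfSigned(renewed), LocalIsSelfSigned: IsSelfSigned(local),
		RenewedAccepted: Trusted(renewed, store), LocalAcceptedBeforePush: Trusted(local, store),
	}
	store.AddCert(local) // step (2) of the plan at the top of the page: install on the client first
	out.LocalAcceptedAfterPush = Trusted(local, store)
	return out
}

func main() {
	fmt.Printf("%+v\n", Simulate())
}
```

The renewal issued from a CSR by the CA the clients already trust is accepted without touching them; the regenerated self-signed certificate is rejected until it has been added to the client store, which is exactly why the plan at the top of the page installs the new certificate on the clients before switching ACS to it. In production the Verify call would also carry the server name and the default server-auth EKU; they are disabled here only to keep the trust question isolated.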

  • ACS 5.4 cannot use a certificate for TLS authentication that is not in the chain

    Hi all

    I have ACS 5.4 installed and several wireless environments.

    EAP-TLS is used to authenticate users of our domain (with self-signed certificates).

    Then we use PEAP and need a real external cert... (signed by Terena).

    The problem is that I can only use a single certificate for EAP authentication on ACS, and I need both to work.

    I see only 2 options:

    1. Configure the TLS network to authenticate without going through the ACS cert in the chain (use the real one).

    2. Somehow set up two certificates, one for each service.

    Please help, I'm desperate.

    Thank you!

    Naor

    You can't have several server/identity certificates on ACS for the EAP flavours. As a best practice, get the third-party certificate and associate it with the EAP protocols that use SSL/TLS tunnelling: EAP-TLS, PEAP and EAP-FAST.

    ~ BR
    Jatin kone

    * Please rate useful messages *

  • Service selection rule for Cisco ACS 5.2

    Hello dear,

    I'm trying to configure Cisco ACS 5.2 for dot1x authentication of clients on Windows 7 and Windows XP. I did all the steps but I could not create the service rule; it gives me the error message that you can see in the attached screenshot.

    After I specify the allowed protocols it lets me choose the identity, and that is when it gives me this error.

    Your help is very much appreciated.

    Kind regards

    Ibrahim

    Try another browser as Hussam suggested and let us know the results.

    I updated Firefox to 15.0.1 and now I am not able to manipulate many parameters in ACS 5.3.
    This version of the browser is extremely stupid with ACS 5.x: it does not show all the message boxes, it just does not display the page when you click on the link.

    If different browsers show the same issue, I would say restart the machine (physical or virtual) completely and try again.

    It is also best to upgrade to the latest patch, if that is not already the case.

    Greetings,

    Amjad

    Rating useful answers is a better way of saying "thank you".

  • Renewing the certificate - Cisco VPN (router)

    Hello!

    I have to renew my certificate, and to do this I need to generate a new CSR.

    My doubt is whether my current certificate will be lost or not if I generate a new CSR.

    The command I use to generate a new CSR is:

    # crypto ca enroll XXX

    Thank you.

    Hi Anderson,

    If you create the CSR in a different trustpoint, you will not lose the current certificate.

    Hope this helps.

    -Randy-

  • Cisco ACS 5.4 dual certificate option

    Hello Experts

    I wonder if anyone knows whether I can have two certificates on my Cisco ACS 5.4 server. The documentation says I can, as long as they have different 'from' and 'to' dates with the same CN. However, this is a production server and I wanted to be sure before I make changes. I currently have one certificate installed and everything works well, but I need to add a second one for migration purposes.

    Hovsep Armeni
    LAN, UK

    A certificate can be linked to both services (HTTP and EAP); however, each service can only be associated with a single certificate. So, for example, you cannot have two certificates related to the EAP process.

    Thank you for rating useful messages!

  • Using Cisco ACS 5.2 (TACACS+) with non-Cisco devices

    Hi all

    I was hoping that someone could help me with what might be a silly question. I'm trying to implement a solution whereby an operator can control all their (non-Cisco) network nodes via TACACS+. The nodes involved are:

    Juniper M10i running Junos 9.2, M120

    Juniper M320 running Junos 8.5

    Extreme BD8810 and BD8806 running XOS 12.4.1.17

    Extreme Alpine 3804 running Extremeware 7.8.3.5

    My question is, can I use Cisco ACS 5.2 (or 4.2) to authenticate to these non-Cisco devices using TACACS+? Has anyone else done this, or do I have to use RADIUS? If someone has done this, are there interoperability problems between Cisco ACS and Junos or Extreme XOS? Thanks

    / John

    John,

    We have a very large deployment of Juniper (T-series, MX series, etc.). We use Cisco ACS and TACACS+ to manage these devices. The configuration of ACS is fairly simple. You'll want to create login users and match them to the classes on your JUNOS routers. Here is an example:

    set system login user engineering uid 2000
    set system login user engineering class engineering-class
    set system login user noc uid 2001
    set system login user noc class noc-class

    set system login class engineering-class idle-timeout 15
    set system login class engineering-class permissions all
    set system login class noc-class idle-timeout 15
    set system login class noc-class permissions view
    set system login class noc-class permissions view-configuration

    We use two classes, engineering and NOC. One is defined as read/write and the second as read-only. This is in turn mapped in ACS (in our case version 4.2) by user or group (preferred). First, you change the interface configuration and add a TACACS+ junos-exec service, leaving the Protocol field blank. Then you change the attributes of the user or group. I've attached screenshots for both.

    Hope this helps.

    Derek

  • Upgrading Cisco ACS SE and Remote Agent

    Hello

    We are currently upgrading the PDC to Windows Server 2008 R2 Standard Edition.

    I am a little confused by the information available on upgrade scenarios. These are the current working versions:

    Cisco ACS SE - version 4.1 Build 23 5 Patch 1

    Cisco ACS Remote Agent version 4.2 (0.124)

    The new operating system will be 64-bit; I think the current ACS SE and the Remote Agent can/must be upgraded.

    Given my existing versions, what upgrade scenarios are available to me? After the upgrade, the SE and Remote Agent should work with the 64-bit OS.

    Thanks in advance!

    It is not possible to upgrade the existing ACS 4.1 to ACS 5.2. They are two different boxes running on different platforms.

    Unfortunately ACS 4.x does not support Windows 2008 R2.

    ACS 5.2 is the only option left, and you will need to buy a separate new box with a new licence for this.

    Regards

    Bellefroid

    Please rate useful messages.

  • How to reset the password on Cisco ACS 5.4

    Hello!

    I am trying to reset the password of a Cisco ACS 5.4 installed on VMware. Where can I get the password recovery DVDs? There is no such software in the list on the site.

    TAC can provide it to you. You will need to open a case and request it.

    HTH

  • Cisco ACS 5.2 authentication and authorization process

    I am designing a network and I have a few questions that I don't know how to answer, so I thought I'd put them in the forum to see if I can get help.

    First, thank you very much for reading this post, and thank you if you can add comments to help me out.

    Setup:

    Two ACS in each data centre, serving the switches per DC in hybrid mode with TACACS+, and failing over to the other on a failure scenario.

    ACS version 5.2, planning an upgrade to 5.8 if it is stable.

    Desired result:

    If a user fails AD authentication then it should be rejected.

    If AD is down on this ACS, then ACS should check the other ACS, and if the other ACS has an AD connection it should divert the request to that ACS...

    I'm sure that is not possible, but that was the main request... I argued against it, so now the new request is:

    If AD fails, ACS should fall back to the local database. If the local database does not authenticate, then it should let the switch send the same request to the secondary ACS rather than rejecting the request.

    Note: the local database is reserved for the network admins, but some contractors may need to access switches and other devices, and they will have an entry in AD, so if AD fails they can still authenticate against DC2 AD via the DC2 ACS.

    I am thinking of setting up:

    Authentication rule 1 - authenticate against AD:

    If authentication failed - Reject

    If user not found - Reject

    If process failed - Continue

    This should fall through to the default, which will be the internal database:

    If authentication failed - Reject

    If user not found - Drop

    If process failed - Drop

    This should give no answer to the switch, and then the switch should try the second RADIUS server in the list...

    Could someone please walk me through this flow chart... and tell me whether my assumptions are correct...

    I would also like to know if there are any good diagrams I can refer to, to see the whole process and use in my presentation...

    Thank you very much for reading and answering...

    Hello

    I'm not sure I understand your question, but I will try to answer it the way I understood it.

    If you send a drop as the result, this means that ACS drops the request, causing the AAA client to fail over and retry against another AAA server.

    A thread on this came up in the community a few years ago:

    (https://supportforums.cisco.com/discussion/11811801/aaa-servers#3931298)

    I hope that's what you are asking.
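The Go program below is an added example and not code from either post above. It models the two-rule identity sequence the question lays out (AD first with process-failed set to Continue, then the internal users store with user-not-found and process-failed set to Drop) and shows, for the reply's point, what the switch ends up observing: an Accept, a Reject, or silence that makes it move on to its next AAA server. The accounts are constructed samples, the store names are assumptions, and the choice to reject when the last rule says Continue is this example's assumption rather than anything the page states.

```go
package main

import "fmt"

// StoreResult is what one identity store (AD, internal users) answers.
type StoreResult int

const (
	Passed        StoreResult = iota
	AuthFailed                // user exists, wrong credentials
	UserNotFound              // store reachable, no such user
	ProcessFailed             // store unreachable, e.g. the AD connector is down
)

// Action is what the identity rule does with a non-Passed result.
type Action int

const (
	Reject   Action = iota // send Access-Reject: the switch stops here
	Continue               // fall through to the next rule (here, the internal users store)
	Drop                   // send nothing: the switch times out and tries its next RADIUS/TACACS+ server
)

// Decision is what the AAA client (the switch) observes.
type Decision int

const (
	Accepted Decision = iota
	Rejected
	Dropped
)

func (d Decision) String() string { return [...]string{"Accepted", "Rejected", "Dropped"}[d] }

// Store looks a user up in one identity source.
type Store func(user, pass string) StoreResult

// Rule is one identity rule: the store to ask and the three failure actions
// ("If authentication failed / If user not found / If process failed").
type Rule struct {
	Name                                  string
	Store                                 Store
	OnAuthFail, OnNotFound, OnProcessFail Action
}

// Evaluate walks the rules in order and returns what the switch sees plus a trace.
// If the last rule says Continue, this example rejects (an assumption, not stated on the page).
func Evaluate(rules []Rule, user, pass string) (Decision, []string) {
	var trace []string
	for _, r := range rules {
		res := r.Store(user, pass)
		if res == Passed {
			return Accepted, append(trace, r.Name+": passed")
		}
		act := map[StoreResult]Action{AuthFailed: r.OnAuthFail, UserNotFound: r.OnNotFound, ProcessFailed: r.OnProcessFail}[res]
		trace = append(trace, fmt.Sprintf("%s: result=%d action=%d", r.Name, res, act))
		switch act {
		case Reject:
			return Rejected, trace
		case Drop:
			return Dropped, trace
		}
	}
	return Rejected, trace
}

// mapStore builds a Store over a constructed user table; *up == false models the connector being down.
func mapStore(users map[string]string, up *bool) Store {
	return func(user, pass string) StoreResult {
		if !*up {
			return ProcessFailed
		}
		want, ok := users[user]
		switch {
		case !ok:
			return UserNotFound
		case want != pass:
			return AuthFailed
		}
		return Passed
	}
}

// Policy reproduces the two-rule design from the question: AD first, then the internal
// users database, with Drop used so the switch fails over to the second ACS instead of
// receiving a reject. Accounts and passwords are constructed samples.
func Policy(adUp *bool) []Rule {
	ad := mapStore(map[string]string{"contractor1": "Ctr-pass1", "netadmin": "Adm-pass1"}, adUp)
	up := true
	local := mapStore(map[string]string{"netadmin": "Local-pass1"}, &up)
	return []Rule{
		{Name: "AD1", Store: ad, OnAuthFail: Reject, OnNotFound: Reject, OnProcessFail: Continue},
		{Name: "Internal Users", Store: local, OnAuthFail: Reject, OnNotFound: Drop, OnProcessFail: Drop},
	}
}

func main() {
	for _, adUp := range []bool{true, false} {
		up := adUp
		for _, c := range [][2]string{{"contractor1", "Ctr-pass1"}, {"contractor1", "wrong"}, {"netadmin", "Local-pass1"}} {
			d, trace := Evaluate(Policy(&up), c[0], c[1])
			fmt.Printf("AD up=%v user=%s -> %s %v\n", up, c[0], d, trace)
		}
	}
}
```

With AD up, a contractor with the right password is accepted and a wrong password is rejected outright; with AD down, the admin's local account is accepted, while the contractor (not in the local store) gets a Drop, so the switch hears nothing and moves on to the second ACS, which is the behaviour the question is after. Note the trade-off: a Drop costs the switch a full server timeout before it fails over.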

  • Registering different versions of ACS with the primary Cisco ACS

    Hello, I upgraded the secondary unit of a pair of ACS to version 5.4.0.46.0a; first I changed it to standalone, and now I'm trying to register it with the primary ACS that is running version 5.1.0.44.2,

    and I get this error:

    This failure has occurred: com.cisco.nm.acs.im.certificate.Certificate; incompatible local class: stream classdesc serialVersionUID = 8507982043664257993, local class serialVersionUID = 1927357986028617243. Your changes have not been saved. Click OK to return to the list page.

    What can I do to solve it?

    Kind regards

    The primary and the secondary must run the same code.

    Jatin kone
    - Please rate useful messages -

  • How to open port 161 on the ASA and Cisco switches for BB monitoring

    Dear all,

    I want to install BB to monitor SNMP traps on failure.

    The log shows that BB cannot connect to any of the switches on port 161, and I can't even telnet to XXX_17f on port 161, for example.

    My switches are Cisco C3550, C2950, etc., and the ASA.

    Mon 7 Nov 15:43:03 2011 bbnet cannot connect to the server XXX_17f on port 161

    Mon 7 Nov 15:43:03 2011 bbnet cannot connect to the server XXX_9f on port 161

    Mon 7 Nov 15:43:03 2011 bbnet can't connect to XXX server on port 161

    Thank you

    Anson

    No need to adjust anything in bb-hosts. If you have added settings in bb-hosts, delete them. Also remove the associated log files in bbvar/logs (otherwise you'll get purple when you delete the SNMP trap tags from bb-hosts).

    The trap column will not show until the device sends a trap to BB.

  • Upgrading Cisco ACS

    Hello.

    I would like to upgrade our current ACS server on NT Terminal Server Edition to a Windows 2000 server. Since this upgrade requires a fresh installation (a direct upgrade from NT 4 TS to W2K is not the best thing to do), my question is: what do I have to do to ensure that I can keep my user database active? Is replication the answer? And will replication make a copy of all the different users/groups/routers etc.? In other words, will I be able to do this upgrade without too much trouble?

    I am talking here about replicating the database, not configuring replication between ACS servers.

    Here is the doc that will help you do this:

    http://www.Cisco.com/univercd/CC/TD/doc/product/access/acs_soft/csacs4nt/csnt30/user/AE.htm

  • SAN HQ and Group Manager do not allow SMTP authentication

    Hello

    I have a new 6510E and I would like to receive alerts by e-mail. Unfortunately, we use Google Apps and Gmail requires authentication. Does Dell offer a workaround for this problem?

    Thanks in advance!

    Hello

    I'm sorry, but not at the moment. Alerts require direct access to an SMTP server.

    The only thing I can suggest is setting up a local SMTP server and configuring it as an SMTP relay to Google mail.

    support.Google.com/.../2956491

    Kind regards
