topic Re: ACS - SSL - LDAP cert7.db in Network Access Control

ACS - SSL - LDAP cert7.db

adipop777 — Sun, 10 Mar 2019 21:03:27 GMT

I have following configuration:

Catalyst 2950G-proximity switches with IOS 12.1(19)EA1c.

Cisco Secure ACS Appliance 3.2.3.11

SunONE Directory Server ldap server version 5.2_Patch_2

I am trying to setup 802.1x authentication for wired and wireless clients, with VLAN parameter provided by using group mapping with ldap groups.

I used Microsoft Certificate Services to create a corporate CA.

I authenticated against it the ACS and SunONE Ldap Directory Server.

I successfully installed the certificates and activated PEAP.

The Ldap server works in SSL, Have other applications using it in SSL mode.

I have a hard time accessing the ldap server in SSL mode from the ACS. (In clear mode everything works well, I can map groups and everything.)

Tried to generate the cert7.db using NSS 3.6.1 (compatible cert7.db format)

In the following format:

MyCA CT,C,C

ldap-server P,P,P

using the certificates used for SSL activation on ldap-server and following commands.

certutil -A -n MyCA -t CT,CT,CT -a -i /path/ca-cert.cer -d /path_acs_db -P ""

certutil -A -n ldap-server -t Pu,Pu,Pu -a -i /path/server-cert.cer -d /path_acs_db -P ""

No luck, doesn’t work !

Tracing the ssl protocol, I have "certificate unknown" error 46 from ACS Appliance after Server Hello, Certificate sequence

The only one document that I found about setting using ssl to connect to an external ldap-database is this one:

http://www.cisco.com/warp/public/cc/pd/sqsw/sq/tech/ldcsa_wp.htm

using CMS or previously known as Netscape CMS (Certificate Management System) previously known as Netscape CMS. The End of Life of this product was July 01, 2003.

I have no ideea where to take this product from

and the procedure it is not applicable to a ACS Appliance where I can not install a Netscape browser

Re: ACS - SSL - LDAP cert7.db

dbshah2000 — Wed, 16 Mar 2005 05:51:14 GMT

I did it this way

I downloaded Softera LDAP browser for Windows.

I browsed the LDAP using a SSL , ( Softera ldap browser has a small check box , try to use secure conenction).

Its available here. YOu only need the eval version

http://www.ldapadministrator.com/

Once you are able to successfully conenct to you ldap using the credentials ( login/password, & CN given).

You sipley close the browser & then go to its installed dir ( typically c:\program files\....)

& copy the cert7.db & other files to a dir for e.g C:\certificates & point ACS to use those.

It worked like charm for me. I hope it does for you as well.

If it does, pls reply to this post.

regards

dharmesh

Re: ACS - SSL - LDAP cert7.db

adipop777 — Wed, 13 Apr 2005 11:19:44 GMT

Hi there. Thank you. Your solution does not work for me, I use CISCO ACS Appliance (not ACS on Windows box). It is a closed box. I can not install anything on it other than patches for ACS itself.

There is anywhere a documumentation on how to get cert7.db for ACS?

I took the books on SSL, build a real PKI using openSSL 0.9.7e, generated the certificates corectly for CA, PEAP, LDAPS, cert7.db and I have the very same problem, the ACS refuses the certificate of the LDAP server. There are some particular token statements in the key ?

thanks for your time.

adip