topic Hi Ivan,Here are the steps:To in Network Access Control

acs in ha with certificate eap expired

ivan.martin — Mon, 11 Mar 2019 05:33:41 GMT

Hi my name is Ivan, I have a question:

I have two cisco acs version 5.4 servers in HA primary and replica 802.1x providing services for users and computers, integrated corporate Active Directory. servers have a certificate to authenticate users and comptadoras by PEAP MSCHPv2. This certificate installed on the acs server has expired. The certificate is obtained by performing the request from the acs server and download it with a CA microsoft server.
As I can do to re-install the certificate, since the units are in HA, 802.1x and provide the services again?

Thanks for your answers.

Regards.

Ivan.

Hi Ivan,I didn't understand

Kanwaljeet Singh — Wed, 18 Mar 2015 22:19:46 GMT

Hi Ivan,

I didn't understand the question? Are you looking for a way to import the new certificates? If yes, then go to System Administration------> Local server certificates--->Local certificates---->and do import server certificate or Bind CA signed certificate. Select the replace certificate option and that is all you need to do. Bind it with EAP and Management interface.

Or you are looking for something else?

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Hi, Thanks for your answerI

ivan.martin — Thu, 19 Mar 2015 00:10:16 GMT

Hi, Thanks for your answer

I need to reinstall the certificates because both have expired. But the first thing to I need to do is generate the request.

My question is if exist some steps to do it when i have a deployment in HA primary and replica.

Regards.

Hi Ivan,Here are the steps:To

Kanwaljeet Singh — Thu, 19 Mar 2015 01:43:52 GMT

Hi Ivan,

Here are the steps:

To replace the certificate in both server it is better to make each server a stand alone
unit. In other words breaking the cluster.

To break the cluster you can go under distributed deployment and select from primary
server your secondary unit and first you need to deregister and then you need to delete
it.

This will restart services in the secondary server and this may take around 5 minutes.

Once the server is back you can start the process in each server of requesting a new
certificate from VeriSign.

To do so:

Create a new certificate signing request in each server.

Export the CSR to your CA.

Install the new certificate receive from your CA under local certificates (here select
that you want to use this certificate for EAP authentication)

Delete the old certificate use for EAP once you are sure that EAP is working fine for
your clients with the new certificate.

Join both servers as primary/secondary unit under the distributed deployment section
for your secondary unit.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Hi FnuI have a last

ivan.martin — Thu, 19 Mar 2015 03:25:49 GMT

Hi Fnu

I have a last question

Can I install the same certificate request from the unit primary into replica unit?

Regards.

Ivan.

Hi Ivan,All configuration is

Kanwaljeet Singh — Thu, 19 Mar 2015 03:29:37 GMT

Hi Ivan,

All configuration is same except licenses and local certificates. So they have to be separate.

Regards,

Kanwal

Note: Please mark answers if they are helpful.