07-31-2012 03:17 AM - edited 03-10-2019 07:21 PM
Hello Community,
I want to authenticate my clients with certificates.
I want to create a self-signed certificate from my ACS 4.2.
When you create a self-signed certificate, there are 3 files:
Certificate File:
Private key file:
Private key password:
After creating it, I take this certificate, go to my Windows XP client, install it and enable 802.1x authentication: is this right?
How can I implement this self-signed certificate in my domain?
How do clients handle the private key?
I also have thin clients where I can use certificates, but I don't know how to use the private key.
Regards
07-31-2012 03:39 AM
Sebastian,
This is not the proper way; the self-signed cert is for this ACS only. You will need to deploy a Windows CA and use the auto-enrollment feature so that all domain machines will receive a cert. Next you will have to generate a certificate signing request on your ACS and submit this to your CA. After you receive your signed certificate, you will install this on the ACS. Finally you will have to configure all your clients to use EAP-TLS to authenticate to the network.
Thanks
Sent from Cisco Technical Support iPad App
07-31-2012 03:49 AM
Hello Tarik,
Thank you for your fast answer.
But is it possible that the clients use the self-signed certificate?
Regards
07-31-2012 04:52 AM
Sebastian:
You can use the self-signed certificate on your clients. The one that you will download from ACS is actually the root CA certificate and you need to install it on the clients. When you choose the trusted root certificate for your EAP method (say PEAP) you choose this CA certificate to be used (or you can configure it to trust whatever CA root certificate is available; it depends on the supplicant that you use).
You don't need to do anything with the private key at this point. Just install the certificate (root CA cert) on your clients so they trust the self-signed certificate generated on the ACS.
See the answer in this post: https://supportforums.cisco.com/thread/2005569
HTH
Amjad
08-02-2012 03:38 AM
Amjad,
The ACS self-signed certificate means that there isn't a root certificate in this setup.
Sebastian,
If you are trying to use EAP-TLS to authenticate your clients, then you will have to follow the steps above.
Thanks,
Tarik Admani
*Please rate helpful posts*
08-02-2012 05:55 PM
Tarik: you can generate a self-signed cert and use the generated certificate as a root certificate on clients. Otherwise, what is the point of generating a self-signed certificate if you cannot implement PEAP auth (for example)?
I am using a self-signed cert in my setup and it is working perfectly with the way I explained.
HTH
Amjad
Sent from Cisco Technical Support iPad App
08-02-2012 06:02 PM
You are correct but Sebastian was asking for client authentication.
The only purpose of installing the ACS SSC is so it will trust the RADIUS server for authentication, and not prompt the user to trust the cert. It's better to not validate the cert in these conditions, but that is my opinion.
Thanks,
Sent from Cisco Technical Support iPad App
08-03-2012 03:24 AM
Exactly Tarik.
I supposed he is using PEAP not EAP-TLS.
If he is using EAP-TLS then you are absolutely right and a cert from a trusted CA is needed.
Sent from Cisco Technical Support iPad App
08-03-2012 07:10 AM
Amjad,
The first line states that he would like to authenticate his clients with certificates; that means EAP-TLS.
Thanks,
Sent from Cisco Technical Support iPad App
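The distinction argued in this thread, as an added example that is not part of any poster's reply: a self-signed server certificate is its own trust anchor (enough for clients to validate the server under PEAP), but it does not vouch for client certificates, which EAP-TLS needs a CA to issue. The script uses the `openssl` CLI with constructed stand-ins; the names `acs.example.test`, `Example Domain CA` and `laptop01.example.test` are assumptions, not values from ACS or the thread.

```shell
#!/bin/sh
# Constructed demo: every name, key and certificate here is made up.
set -eu
work=$(mktemp -d)

# True when subject and issuer are the same name (a self-signed cert).
is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# True when cert $2 verifies with $1 as the only trust anchor.
chains_to() {
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Make a self-signed cert: $1 = file prefix, $2 = common name.
self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

self_signed acs acs.example.test        # stand-in for the ACS server cert
self_signed ca  "Example Domain CA"     # stand-in for the Windows CA root

# Client cert issued by the CA, as auto-enrollment would hand out.
openssl req -newkey rsa:2048 -nodes -subj "/CN=laptop01.example.test" \
  -keyout "$work/client.key" -out "$work/client.csr" 2>/dev/null
openssl x509 -req -in "$work/client.csr" -days 1 -CA "$work/ca.pem" \
  -CAkey "$work/ca.key" -CAcreateserial -out "$work/client.pem" 2>/dev/null

report() { if "$@"; then echo "yes: $*"; else echo "no:  $*"; fi; }
report is_self_signed "$work/acs.pem"
report chains_to "$work/acs.pem" "$work/acs.pem"     # PEAP: client trusts server
report chains_to "$work/ca.pem"  "$work/client.pem"  # EAP-TLS: CA vouches for client
report chains_to "$work/acs.pem" "$work/client.pem"  # ACS cert vouches for nobody else
```
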
03-13-2017 11:18 PM
Hi Guys,
Please help me.
Requirement: Only laptops/desktops which are registered with the domain should connect to a specific SSID.
As I have seen in some documents, they say to generate a CA root certificate and then try.
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-server-windows/64067-peap-1-19-config-guide.html#t22
Can I know how I can generate a CA root certificate from the ACS server?
Regards,
naveen.