Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2258
Views
1
Helpful
4
Replies

ACS and ECC ciphers

Go to solution
berossig
Cisco Employee
Cisco Employee

‎05-30-2017 01:27 PM

Hi,

does anyone has a configuration example in order to use ECC ciphers with ACS 5.8. I noticed patch 4 support ECC for AAA flows, but i am looking for a guide and/or example in order to use it for EAP-TLS authentication.

thanks in advance!

Best Regards,

Benjamin Rossignol

Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
kthiruve
Cisco Employee
Cisco Employee
In response to chris-lawrence

‎05-31-2017 03:48 PM

Hi Chris,

ECC certificates use ECDSA algorithm and not RSA as you might know.

Here is the comparison of key length between RSA and equivalent ECDSA

https://www.namecheap.com/support/knowledgebase/article.aspx/9503/38/what-is-an-ecc-elliptic-curve-cryptography-certificate

Here are few things you need to know when you are creating certificates for ACS

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-8/release/notes/acs_58_rn.html#pgfId-454084

Here are instructions how to create a CSR using MS CA.

https://www.digicert.com/ecc-csr-creation-ssl-installation-microsoft.htm

and for apache

https://www.digicert.com/ecc-csr-creation-ssl-installation-apache.htm

Additional information on ECC

https://www.digicert.com/ecc.htm

Hope it helps.

Thanks

Krishnan

View solution in original post

0 Helpful
4 Replies 4

Go to solution
kthiruve
Cisco Employee
Cisco Employee

‎05-30-2017 05:26 PM

Hi Benjamin,

This is to support certificates that supports ECC. This can work with EAP-FAST, PEAP-TLS and EAP-TLS client authentication.

Yes, you need the root/sub-ordinate CA to be in the trusted store for the user certificate to be validated like other certificate methods.

Thanks

Krishnan

0 Helpful

Go to solution
chris-lawrence
Level 1
Level 1
In response to kthiruve

‎05-30-2017 06:45 PM

Krishnan

Please elaborate how to prepare the ACS please. I am the person who ask Ben the original question for.

If this was RSA - I would place the RSA ca certificate up in the "User and Identity Stores" location and then create a CSR in the System Administration > Local Server Certificate > Local Certificates location, sign and complete the request in the Outstanding  Signing Requests.

Now I am using ECC - I would place the ECC ca certificate at the User and Identity Stores location and then generate a CSR but I noticed that the key length (512, 1024, 2048, 4096) and hash digest (SHA1, SHA256) don't match attributes of ECC.

Am I missing something?

Thank-you,

Chris

0 Helpful

Go to solution
kthiruve
Cisco Employee
Cisco Employee
In response to chris-lawrence

‎05-31-2017 03:48 PM

Hi Chris,

ECC certificates use ECDSA algorithm and not RSA as you might know.

Here is the comparison of key length between RSA and equivalent ECDSA

https://www.namecheap.com/support/knowledgebase/article.aspx/9503/38/what-is-an-ecc-elliptic-curve-cryptography-certificate

Here are few things you need to know when you are creating certificates for ACS

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-8/release/notes/acs_58_rn.html#pgfId-454084

Here are instructions how to create a CSR using MS CA.

https://www.digicert.com/ecc-csr-creation-ssl-installation-microsoft.htm

and for apache

https://www.digicert.com/ecc-csr-creation-ssl-installation-apache.htm

Additional information on ECC

https://www.digicert.com/ecc.htm

Hope it helps.

Thanks

Krishnan

0 Helpful

Go to solution
chris-lawrence
Level 1
Level 1
In response to kthiruve

‎05-31-2017 05:25 PM

Thanks for this info...Chris

Sent from my iPad

0 Helpful
Customers Also Viewed These Support Documents