ACS certificate problem! Please help

alexc2010
Level 1

Hi All,

I have an ASA and I am using an ACS server that is a VMware appliance.

My question: I would like to authenticate two different types of devices from a single RADIUS client.

Device 1 – Authenticating using Username and Password from Domain1 and Device Certificate from CA1

Device 2 – Authenticating using Username and Password from Domain2 and User Certificate from CA2

Can a single Cisco ACS server be configured to do this? If not, can two Cisco ACS servers be configured to do this, bearing in mind it is a single RADIUS client which can only direct authentication traffic to a single RADIUS server?

For the EAP method I am using a local certificate from that CA, which has been installed on the ACS, and that local certificate needs to be assigned to the EAP protocol.

Hence, to proceed further, I want to authenticate EAP against a second certificate authority. I can load a local certificate from this CA as well, but the EAP protocol can only be assigned to one certificate at a time, so EAP authentication to this CA fails.

E.g. I see the certificate cert1 under System Admin -> Config -> Local Certificates -> Issued by cert1, protocol: EAP.

The error on the client says: No root certificate installed to validate authentication.

Any update on this would be appreciated.

Thanks in advance.

Regards

Alex.

3 Replies

Nicolas Darchis
Cisco Employee

Hi,

Yes, it's quite easy. ACS can authenticate against two CAs; you simply have to add those two CA certificates to the CA trust list.

I think you have a kind of confusion on the certificate topic.

The certificate you install on ACS must be a certificate that the client will trust.

The client certificate must be a certificate that ACS trusts.

To be more precise, to trust the client certificate, it must be issued by a CA that the ACS trusts, so it just requires you to have added that CA to the trusted authorities in ACS.

For the client to trust the ACS, the ACS certificate needs to have been issued by a CA that the client trusts. So if your clients are from multiple different domains, then you need to manually install the ACS certificate (or its CA) on the clients.

Hope this clarifies.

Nicolas

===

Don't forget to rate answers that you find useful.

This is what I tried to configure but it fails. If you could provide me your email address I can send you the screenshots.

I have a personal policy of not giving my email address to everyone sorry :-)

But you can attach screenshots to forum messages so that everyone enjoys them.

The place to go to trust several CAs is: System Config -> ACS Certificate Setup -> Edit Certificate Trust List. This allows you to enable the trust against those CAs.

But before that you need to have uploaded the CA cert in "ACS Certification Authority Setup".
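The two-way trust Nicolas describes, worked through with openssl as an added example (this is not the thread's own configuration and not an ACS feature; the ACS certificate trust list is modelled as a PEM bundle of CA certificates, and ca1, ca2, device1, user2 and acs are constructed names). It shows that a client certificate from CA2 is rejected while the trust list holds only CA1 and accepted once both CAs are in it, and, for the other direction, that a client which trusts only CA2 will not accept an ACS server certificate issued by CA1.

```shell
#!/bin/sh
# Added example, not from the thread: models the ACS "certificate trust list"
# with openssl. Two constructed CAs (ca1, ca2) each issue one client
# certificate, mirroring the device cert from CA1 and the user cert from CA2
# in the question; ca1 also issues the ACS server certificate.
set -eu

WORK=$(mktemp -d)

# make_ca NAME: self-signed CA key and certificate (constructed test CA).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_cert CA NAME: key + CSR for NAME, signed by CA.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 30 -sha256 -out "$WORK/$2.crt" 2>/dev/null
}

# build_trust_list OUT CA...: concatenate CA certs into one PEM bundle; this
# bundle plays the role of a certificate trust list (ACS's or a client's).
build_trust_list() {
  out=$1; shift
  : > "$out"
  for ca in "$@"; do cat "$WORK/$ca.crt" >> "$out"; done
}

# verify_cert TRUSTLIST NAME: prints "trusted" if NAME's certificate chains to
# a CA in TRUSTLIST, "rejected" otherwise (what either side does with the
# certificate it receives during EAP-TLS).
verify_cert() {
  if openssl verify -CAfile "$1" "$WORK/$2.crt" >/dev/null 2>&1; then
    echo trusted
  else
    echo rejected
  fi
}

# build_pki: create both CAs, the three end-entity certs and the trust lists.
build_pki() {
  make_ca ca1
  make_ca ca2
  issue_cert ca1 device1   # device certificate from CA1
  issue_cert ca2 user2     # user certificate from CA2
  issue_cert ca1 acs       # ACS server certificate, issued by CA1
  build_trust_list "$WORK/acs_trust_ca1_only.pem" ca1       # the failing setup
  build_trust_list "$WORK/acs_trust_both.pem" ca1 ca2       # both CAs trusted
  build_trust_list "$WORK/domain2_client_trust.pem" ca2     # a Domain2 client
}

build_pki
echo "ACS trusts CA1 only: device1=$(verify_cert "$WORK/acs_trust_ca1_only.pem" device1) user2=$(verify_cert "$WORK/acs_trust_ca1_only.pem" user2)"
echo "ACS trusts CA1+CA2:  device1=$(verify_cert "$WORK/acs_trust_both.pem" device1) user2=$(verify_cert "$WORK/acs_trust_both.pem" user2)"
echo "Domain2 client (trusts CA2 only) checking ACS cert: $(verify_cert "$WORK/domain2_client_trust.pem" acs)"
```

The last line is the "No root certificate installed" situation from the client's side: the Domain2 client rejects the ACS certificate until CA1 (or the ACS certificate itself) is installed in its own trust store, which is the second half of Nicolas's answer.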