
ACS in HA with certificate EAP expired

ivan.martin
Level 1

 

Hi, my name is Ivan. I have a question:

I have two Cisco ACS version 5.4 servers in HA (primary and replica) providing 802.1x services for users and computers, integrated with the corporate Active Directory. The servers have a certificate to authenticate users and computers by PEAP MSCHAPv2. This certificate installed on the ACS server has expired. The certificate is obtained by performing the request from the ACS server and downloading it from a Microsoft CA server.
What can I do to reinstall the certificate, since the units are in HA, and provide the 802.1x services again?

Thanks for your answers.

Regards.

Ivan.

5 Replies

Kanwaljeet Singh
Cisco Employee

Hi Ivan,

I didn't understand the question. Are you looking for a way to import the new certificates? If yes, then go to System Administration > Local server certificates > Local certificates and do import server certificate or Bind CA signed certificate. Select the replace certificate option and that is all you need to do. Bind it with EAP and Management interface.

Or are you looking for something else?

Regards,

Kanwal

Note: Please mark answers if they are helpful.

 

Hi, thanks for your answer.

I need to reinstall the certificates because both have expired. But the first thing I need to do is generate the request.

My question is whether there are some steps to do it when I have a deployment in HA with primary and replica.

Regards.

Hi Ivan,

Here are the steps:

To replace the certificate in both servers it is better to make each server a standalone unit. In other words, breaking the cluster.

To break the cluster you can go under distributed deployment and select from the primary server your secondary unit; first you need to deregister it and then you need to delete it.

This will restart services in the secondary server and this may take around 5 minutes.

Once the server is back you can start the process in each server of requesting a new certificate from VeriSign.

To do so:

Create a new certificate signing request in each server.

Export the CSR to your CA.

Install the new certificate received from your CA under local certificates (here select that you want to use this certificate for EAP authentication).

Delete the old certificate used for EAP once you are sure that EAP is working fine for your clients with the new certificate.

Join both servers as primary/secondary unit under the distributed deployment section for your secondary unit.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Hi Fnu

I have one last question.

Can I install the same certificate request from the primary unit on the replica unit?

Regards.

Ivan.

Hi Ivan,

All configuration is the same except licenses and local certificates. So they have to be separate.

Regards,

Kanwal

Note: Please mark answers if they are helpful.
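
Added example, not part of any post in this thread: a shell check to run on the certificates exported from both ACS nodes after the replacement steps above, confirming that neither is expired or close to expiry and that the two nodes do not share one key pair (the thread's advice is a separate CSR and local certificate per server). It assumes `openssl` is installed and that each node's EAP certificate has been exported as PEM; the file names are hypothetical.

```shell
# Added example (not from the thread). File names below are hypothetical.
# Usage: check_pair acs-primary.pem acs-secondary.pem 30

# Print the SHA-256 digest of the public key inside a PEM certificate.
pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Return 0 if the certificate in $1 is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# check_pair PRIMARY.pem SECONDARY.pem [MIN_DAYS]
# Prints one line per finding; returns non-zero if any check fails.
check_pair() {
    local primary=$1 secondary=$2 min_days=${3:-30} rc=0 f
    for f in "$primary" "$secondary"; do
        if ! valid_for_days "$f" 0; then
            echo "FAIL  $f has expired ($(openssl x509 -in "$f" -noout -enddate))"
            rc=1
        elif ! valid_for_days "$f" "$min_days"; then
            echo "WARN  $f expires within $min_days days"
            rc=1
        else
            echo "OK    $f ($(openssl x509 -in "$f" -noout -enddate))"
        fi
    done
    # Each node generated its own CSR, so the public keys should differ.
    if [ "$(pubkey_fp "$primary")" = "$(pubkey_fp "$secondary")" ]; then
        echo "FAIL  both files contain the same public key"
        rc=1
    fi
    return $rc
}
```

Running it on a schedule with a larger `MIN_DAYS` gives advance notice before the EAP certificate lapses again.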