Alerting on an expired certificate

richardblair1
Level 1

Is it possible with ACS 5.x to send an alert when a certificate used for 802.1x is about to expire?


blenka
Level 3

You can configure the parameters for each CA, which will apply to all the URLs that are configured to the CA. ACS supports two download modes, one for periodic download, and the other for downloading the next CRL update just before the previous is about to expire.

I am actually looking at an instance when the certificate itself expires.

Hey Richard,

There is an enhancement request filed for the same. Please take a look:

CSCul13208    ACS ENH Acsview certificate expiry alarm 

**Symptom:**
There should be generic alarms in ACS 5.x that will notify ACS administrator that Identity Certificate(s) will expire soon.
Similar alarms are included in ISE 1.2 in Alarm Settings ('Certificate Expiration' and 'Certificate Expired')

**Conditions:**
Using Identity Certificates in ACS 5.x configuration.

**Workaround:**
Configure alarm thresholds with Criteria for Failure Reasons like:
12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ACS local-certificate
11514 Unexpectedly received empty TLS message; treating as a rejection by the client
12321 PEAP failed SSL/TLS handshake because the client rejected the ACS local-certificate
however such alarms will be triggered after certificate expiry date.

 

You may want to configure alerts for particular Failure Reasons, e.g.
"Failure Reasons: 12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ACS local-certificate"
and the others you have listed below from the time the problem happened:
"11514 Unexpectedly received empty TLS message; treating as a rejection by the client"
"12321 PEAP failed SSL/TLS handshake because the client rejected the ACS local-certificate"
Such alerts will be triggered on the above events only, so after the certificate has already expired.

You can do it from the ACS View menu: Monitoring and Reports > Alarms > Thresholds > Add

 

Regards,

Jatin Katyal

**Do rate helpful posts**

~Jatin
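
The threshold alarm from the workaround above, sketched as an added example that is not part of the original thread and is not ACS code: it counts the three quoted failure reasons in a sliding window over log lines. The line layout, the host name `acs-example`, the code `99999` and the sample records are constructed assumptions, not the real ACS log format.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Failure reasons quoted in the workaround above.
CERT_REJECT_CODES = {"12520", "11514", "12321"}

# Assumed line layout (constructed for this example, not the real ACS format):
#   <ISO timestamp> <host> FailureReason=<code> <description>
LINE_RE = re.compile(r"^(\S+) \S+ FailureReason=(\d+) ")

# Constructed sample records; code 99999 is a made-up unrelated failure.
SAMPLE_LOG = [
    "2014-03-01T09:58:10 acs-example FailureReason=99999 unrelated failure",
    "2014-03-01T10:00:05 acs-example FailureReason=12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ACS local-certificate",
    "2014-03-01T10:01:30 acs-example FailureReason=11514 Unexpectedly received empty TLS message; treating as a rejection by the client",
    "2014-03-01T10:02:45 acs-example FailureReason=12321 PEAP failed SSL/TLS handshake because the client rejected the ACS local-certificate",
    "2014-03-01T10:03:00 acs-example FailureReason=12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ACS local-certificate",
    "not a log line",
    "2014-03-01T10:30:00 acs-example FailureReason=12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ACS local-certificate",
]

def threshold_alarms(lines, threshold=3, window=timedelta(minutes=5)):
    """Return (ISO time, count) each time the matching failures seen inside
    the sliding window reach the threshold. After an alarm, further alarms
    are suppressed for one window so a burst raises a single alert."""
    recent = deque()      # timestamps of matching failures still in the window
    last_alarm = None
    alarms = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(2) not in CERT_REJECT_CODES:
            continue      # malformed line or unrelated failure reason
        try:
            ts = datetime.fromisoformat(m.group(1))
        except ValueError:
            continue      # unparsable timestamp
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()
        cooled = last_alarm is None or ts - last_alarm > window
        if len(recent) >= threshold and cooled:
            alarms.append((ts.isoformat(), len(recent)))
            last_alarm = ts
    return alarms

if __name__ == "__main__":
    for when, count in threshold_alarms(SAMPLE_LOG):
        print(f"ALARM {when}: {count} client certificate rejections in window")
```

As the thread states, these failure reasons only appear once clients are already rejecting the certificate, so this alarm fires after expiry, not before it.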