
ACS 3.2 PEAP certificate template Windows 2003 web server can't be modified

roger.le-verge
Level 1

Hello

I'm testing ACS 3.2 with PEAP using a certificate issued by a Windows 2003 DC CA. The "Web Server" certificate template can't be modified for "Mark keys as exportable", so according to Microsoft the Enterprise edition of Windows 2003 is needed! With Windows 2000 it was possible.

I appreciate any assistance or any idea.

8 Replies

ebreniz
Level 6

It is unclear to me what you are trying to get. Are you trying to get the certificate for your ACS through PEAP? What is the CA you are using? Can you elaborate a bit on your requirement?

Yes, I use ACS 3.2 through PEAP (MS-CHAPv2) to validate switch ports with the 802.1x protocol. First I had a Windows 2000 AD (it works fine!). This AD certificate authority gave the ACS server a certificate (Web template) which can be used by supplicants over the LAN. But now I am testing the Windows 2003 Server edition and the "Web Server" certificate option "Mark keys as exportable" is greyed out.

So if I take a template such as Administrator (v1 template), the error in the ACS log is "EAP-TLS or PEAP authentication failed during SSL handshake", which is logical.

I am setting up the same environment: Windows Server 2003 AD and CA with ACS 3.3. Hosts will authenticate with PEAP.

I was wondering if you found a solution to make the certificate exportable so it can be used with ACS? Did you have to modify the certificate template manually?

Does Cisco have documentation for this?

Hello,

I just found the solution: use Windows 2003 Server Enterprise, which can use a new certificate template (Web Server with exportable keys...) used by Cisco Secure ACS. I tested it and it works fine, but I would like to stay on Windows 2003 Standard edition.

I accept any other solution in a Windows 2003 Server environment (AD).

Can you please let me know how you created the new certificate template for a web server certificate (to be used with ACS) with Windows 2003 Server Enterprise?

I have "mark certificate as exportable" greyed out when I submit a new certificate request using the Web Server template.

Thanks

Hi,

Here are the different steps you have to do, but unfortunately it works only with Windows 2003 Enterprise.

1. Start > Run > certmpl.msc

2. Right-click Web Server template and choose Duplicate Template

3. Name the template something easy to identify like ACS.

4. Go to the Request Handling tab and check Allow private key to be exported.

5. Click on the CSPs button and check Microsoft Base Cryptographic Provider v1.0 and click OK.

6. All other options can be left at default.

7. Click Apply and OK.

8. Open the CA MMC snap-in.

9. Right-click Certificate Templates and choose New > Certificate Template to Issue.

10. Choose the new template you created and click OK.

11. Restart the CA.

The new template will be included in the Certificate Template dropdown.

Thanks for that information, I'm sure it will help a lot of people.

I should have explained myself better. I completed those steps previously, although the Cisco documentation on the following site has the Key Usage "both" checked. When I create this certificate I only have the option of "Exchange". Does "both" need to be checked? Will it cause problems if only the "Exchange" key usage is used?

Thanks for your help.

http://www.cisco.com/en/US/customer/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml#acs-1

Hi,

No matter, with PEAP this option causes no problem (ACS 3.2 / Active Directory / switch 2950G / supplicant: Windows XP).

Bye