06-09-2005 06:46 AM - edited 03-10-2019 02:11 PM
Hello
I am testing ACS 3.2 with PEAP using a certificate initiated by a Windows 2003 DC CA. The "Web Server" certificate template can't be modified for "Mark keys as exportable", so according to Microsoft the Enterprise edition of Windows 2003 is needed! With Windows 2000 it was possible.
I appreciate any assistance or any idea.
06-15-2005 11:21 AM
It is unclear to me what you are trying to get. Are you trying to get the certificate for your ACS through PEAP? What is the CA you are using? Can you elaborate a bit on your requirement?
06-16-2005 05:14 AM
Yes, I use ACS 3.2 through PEAP (MS-CHAPv2) to validate switch ports with the 802.1X protocol. First I had a Windows 2000 AD (it works fine!). This AD certificate authority gave the ACS server a certificate (Web template) which can be used by the supplicant over the LAN. But now I am testing Windows 2003 Server edition, and the "Web Server" certificate option "Mark keys as exportable" is greyed out.
So if I take a template such as Administrator (v1 template), the error in the ACS log is "EAP-TLS or PEAP authentication failed during SSL handshake", which is logical.
06-27-2005 11:44 PM
I am setting up the same environment: Windows Server 2003 AD and CA with ACS 3.3. Hosts will authenticate with PEAP.
I was wondering if you found a solution to make the certificate exportable so it can be used with ACS? Did you have to modify the certificate template manually?
Does Cisco have documentation for this?
06-28-2005 12:55 AM
Hello,
I just found the solution: use Windows 2003 Server Enterprise, which can use a new certificate template (Web Server with exportable keys...) used by Cisco Secure ACS. I tested it and it works fine, but I would like to stay on Windows 2003 Standard edition.
I accept any other solution in a Windows 2003 Server (AD) environment.
06-28-2005 09:58 PM
Can you please let me know how you created the new certificate template for a web server certificate (to be used with ACS) with Windows 2003 Server Enterprise?
I have "Mark certificate as exportable" greyed out when I submit a new certificate request using the Web Server template.
Thanks
06-29-2005 07:07 AM
Hi,
Here are the different steps you have to do, but unfortunately it works only with Windows 2003 Enterprise.
1. Start > Run > certmpl.msc
2. Right-click Web Server template and choose Duplicate Template
3. Name the template something easy to identify like ACS.
4. Go to the Request Handling tab and check Allow private key to be exported.
5. Click on the CSPs button and check Microsoft Base Cryptographic Provider v1.0 and click OK.
6. All other options can be left at default.
7. Click Apply and OK.
8. Open the CA MMC snap-in.
9. Right-click Certificate Templates and choose New > Certificate Template to Issue.
10. Choose the new template you created and click OK.
11. Restart the CA.
The new template will be included in the Certificate Template dropdown.
06-29-2005 03:35 PM
Thanks for that information, I'm sure it will help a lot of people.
I should have explained myself better. I completed those steps previously, although the Cisco documentation on the following site has the Key Usage "Both" checked. When I create this certificate I only have the option of "Exchange". Does "Both" need to be checked? Will it cause problems if only "Exchange" key usage is used?
Thanks for your help.
06-30-2005 03:38 AM
Hi,
No matter; with PEAP this option causes no problem (ACS 3.2 / Active Directory / switch 2950G / supplicant: Windows XP).
Bye