Do I need 2 certificates for the ACS5.2 cluster

txing
Level 1

We have 2 Cisco ACS 5.2 appliances configured as a cluster (Primary and Secondary). I already purchased and installed one SSL certificate for the Primary; this certificate is for PEAP authentication. But I noticed that on the secondary ACS the certificate is not there, and when I tried to export the certificate and install it on the secondary, it said a certificate with the same SKI already exists and it can't be installed. Do I need to buy another certificate for the secondary ACS? How can I have the same name for 2 certificates? Did I miss anything?

Any help will be appreciated!

Thanks

Tom

6 Replies

Nicolas Darchis
Cisco Employee

Having the same name on the 2 certificates would require the 2 ACS to have the same DNS hostname, which is impossible, I'm afraid.

Actually, I have the same problem.

The certificate is used for PEAP authentication so that the WIFI client can verify the server identity.

Since it is a cluster setup, when I install the certificate on one ACS the name gets replicated to the other node in the cluster; however, the certificate is missing on the others. I tried to upload the same certificate and also tried to upload another copy of the certificate with the same name; I got an error and it does not allow me to install the certificate.

Currently I have multiple certificates with different names and need to set up a long list of server names in the laptop Wi-Fi configuration. I don't even think about adding a new ACS into the cluster, as it requires changing all the client settings.

Is this a bug or feature?

ewood2624
Level 5

You can do a local cert issued from your CA and import it into both ACS. It's a little more time consuming since you'll have to push it out to all the clients. I used a GPO to push them out to the Windows clients and made our Apple devices prompt for the cert on initial log-on.


It is not the CA or local cert that I need to push out to users. It might not be a problem for devices that do not validate the server certificate. In Windows 7, when I first connect to a wireless SSID, it automatically creates a wireless profile, detects the server certificate returned by PEAP, automatically puts the server name from the cert into the profile and checks the trusted CA used to sign the server certificate. It is working fine until the WLC decides to authenticate through a different ACS (failed over or in a different region) and the certificate returned from the other cluster member does not match the name of the original certificate, and the client refuses to connect. The workaround is to put all the ACS names in the profile manually. It would be nice to have ACS able to use certificates with the same name throughout the cluster. We use signed certificates from a trusted CA, and whether it is the same certificate or different certificates with the same name is just a licensing issue. Adding an ACS to the cluster means we need to install another certificate on the new member with a new name, and we will need to ask users to update the profile with the new name. I don't really want to go there.

Is there any other workaround?
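As an added illustration (not code from the thread, Cisco or Microsoft), here is a small Python model of the check a PEAP supplicant such as the Windows 7 client performs on the ACS server certificate; it reproduces the failover refusal described above and the "list every ACS name" workaround. The CA name, hostnames and profile contents are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

@dataclass
class ServerCert:
    issuer_cn: str                 # CN of the CA that signed the server certificate
    subject_cn: str                # server name in the Subject (the "name" the thread talks about)
    san_dns: List[str] = field(default_factory=list)  # dNSName entries in subjectAltName, if present

@dataclass
class PeapProfile:
    trusted_ca_cns: Set[str]                 # CAs ticked under "Trusted Root Certification Authorities"
    connect_to_servers: Optional[Set[str]]   # "Connect to these servers"; None means any name is accepted

def _name_matches(pattern: str, name: str) -> bool:
    """Case-insensitive DNS name comparison; a leading '*.' covers exactly one label."""
    pattern, name = pattern.lower(), name.lower()
    if pattern.startswith("*."):
        head, _, rest = name.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == name

def validate_server_cert(cert: ServerCert, profile: PeapProfile) -> Tuple[bool, str]:
    """Decide, as the supplicant does, whether the PEAP/TLS handshake may continue."""
    if cert.issuer_cn not in profile.trusted_ca_cns:
        return False, f"issuer '{cert.issuer_cn}' is not a trusted CA"
    if profile.connect_to_servers is None:
        return True, "CA trusted; no server-name restriction configured"
    presented = cert.san_dns or [cert.subject_cn]    # SAN names take precedence over the CN
    for allowed in profile.connect_to_servers:
        if any(_name_matches(allowed, n) for n in presented):
            return True, f"CA trusted; server name matched '{allowed}'"
    return False, f"none of {presented} is in the allowed server list"

# Constructed cluster: two ACS nodes, each with its own certificate from the same corporate CA.
CA = "Example Corp Issuing CA"
PRIMARY = ServerCert(CA, "acs1.example.com")
SECONDARY = ServerCert(CA, "acs2.example.com")

def failover_outcomes(profile: PeapProfile) -> dict:
    """Result per ACS node the WLC might send the client to; the thread's failure is the second entry."""
    return {c.subject_cn: validate_server_cert(c, profile)[0] for c in (PRIMARY, SECONDARY)}

# Profile Windows 7 auto-creates on first connection: only the primary's name is recorded.
AUTO_PROFILE = PeapProfile({CA}, {"acs1.example.com"})
# Workaround from the thread: list every ACS name in the profile.
FIXED_PROFILE = PeapProfile({CA}, {"acs1.example.com", "acs2.example.com"})

if __name__ == "__main__":
    print(failover_outcomes(AUTO_PROFILE), failover_outcomes(FIXED_PROFILE))
```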

Unfortunately this doesn't work either...

Can someone confirm this is resolved with:

CSCtj15764

ACS 5 does not accept two certificates with the same SKI.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/release/notes/acs_52_rn.html

This seems to be fixed in ACS 5.2 patch 2.

Jatin Katyal