Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
996
Views
0
Helpful
6
Replies

EAP-TLS on ACS v4 for wireless users

balsheikh
Level 1
Level 1

‎11-08-2006 02:34 AM - edited ‎03-10-2019 02:49 PM

Hi,

I?m trying to deploy EAP-TLS authentication method on ACS v4.0 for my local wireless users; really I stuck with the certificate issue and need your assistance to understand the required procedures to accomplish the task.

As mentioned on the ACS configuration guide I have to have CA server to generate certificates for both ACS and wireless users, but I found an option on the ACS under System configuration tab then ACS Certificate Setup a Generate Self-Signed Certificate, I generated a certificate and uploaded a copy to my PC, installed and followed the recommended steps to configure the Microsoft XP client configuration but still I got the error ?Windows was unable to find a certificate to log you on to the network SSID? . Honestly I don?t know if this is possible but I gave it a try but failed.

Kindly advice what is the appropriate and easiest way to accomplish the task, if you could provide me with helpful documents I?ll appreciate it.

Regards,

Belal

Labels:
0 Helpful
6 Replies 6

jverkerke
Level 1
Level 1

‎11-08-2006 10:33 AM

I am currently using EAP-TLS authentication on my wireless users using ACS 3.2. I have had that problem before. This is what I did...

Setup a Microsoft Certificate server as my

CA. You can use same machine wih your ACS and CA.

Then, generate certificate signing request from ACS then request a server certificate from CA then copy and install a certificate to ACS. On the ACS, go to global authentication setup check the EAP-TLS cetificate. If it failed to respond means that the server certificate is not properly setup.

On the windows xp clients, connect your machine using wired LAN, then request a certificate from CA(the same CA that you have use to your ACS) using IE (ex. http://CAip/certsrv), but this time request a client certificate. The name you should put when requesting the cert must be you local windows user, use 1024, choose microsoft base cryptographic provider 1.0. then installl the certificate on the client. Verify you client certificate it i was installed properly.

At that poit you should be able to connect you r wireless client using EAP-TLS.

0 Helpful

balsheikh
Level 1
Level 1
In response to jverkerke

‎11-10-2006 01:55 AM

Hi,

First of all thx for your assistance..

I need more clarification from your side plz, kindly be noted that I have stand alone ACS appliance but I arranged a CA server. Once I generated certificate signing request from ACS I got it on the right half page with the header said (Now your certificate signing request is ready. You can copy/paste it to any certification authority enrollment tool) what is the next step here!!

I managed to get both certificates for ACS and the supplicants and the EAP-TLS certificate was enabled but how I could upload the Server certificate to the ACS and install it !!

Appreciate your feedback..

Regards,

Belal

0 Helpful

jverkerke
Level 1
Level 1
In response to balsheikh

‎11-20-2006 04:42 PM

When you see the message copy and paste certificate signing request, caopy all those info(that is you servers info to request certificate from CA. Then open up a browser to access the CA (http://CA-address/certsrv), do that in ACS, then select "request a certificate'then advance cert request' then submit certificate request using ...'... from there follow the on screen instruction up to installing the certificate to the server...

0 Helpful

mmmoookkk
Level 1
Level 1

‎11-23-2006 05:03 AM

Hi

this is the guide to build the 802.1x for wired lan but it covers the CA configuration and certificare creation process in detail. I hope this helps.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a18.shtml#p15

http://technet2.microsoft.com/WindowsServer/en/library/d7a495c3-5e46-4b35-a236-34a4d4ad0f091033.mspx?mfr=true

best regards

Motti

0 Helpful

balsheikh
Level 1
Level 1
In response to mmmoookkk

‎11-25-2006 04:55 AM

Hello,

Thanks for all of you..

I did it successfully.

Attached the exact required document for installing and configuring the CA root, the server certificate & client certificate.

Regards,

Belal

Preview file
46 KB
0 Helpful

mmmoookkk
Level 1
Level 1

‎11-26-2006 03:41 AM

hello

the self signed certificate is mostly used to allow the HTTPS administration of the acs and allow peap authentication. the certificate the ACS created does cannot be used as a client certificate since the usage key of the certificate doesn't allow this and cause your pc probably doens't recognize the ACS as a trusted CA server.

you should check if the laptop you are using shows the acs certificate in the ca server list in the NIC configuration under authentication. if so then just mark the V beside it and the winXP should be able to use it.

hope you find what im talkig about... I've attached a picture for you.

Preview file
78 KB
0 Helpful
Customers Also Viewed These Support Documents