How to generate CSR on switches for web auth with NGS

Hello

I am doing a dot1x solution with web auth on Cisco 3750 switches.

Once the wired client gets put into web auth state (after dot1x and MAB) and goes to a website, he gets a certificate warning. This is because the certificate of the Cisco switch is self-signed.

I want to use a Verisign certificate to solve this error, but I cannot find a way to generate a CSR on a switch. I only found a guide on how to request a certificate from a CA on the local network, but this is also not a solution, because the clients using the web auth will not know the internal CA.

Is there any way to solve this?

Greetings

Steven

1 ACCEPTED SOLUTION
Cisco Employee

Re: How to generate CSR on switches for web auth with NGS

Hi Steven,

The below document is actually for IOS SSLVPN, but the certificate portion should be the same:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6657/white_paper_c07-372106_ps6657_Products_White_Paper.html

Search for "Appendix B" and it goes into creating a trustpoint and then one section is for self-signed and another is for generating a certificate request to send to an external CA.

Once a trustpoint is created the command to actually generate the CSR is "crypto pki enroll ".

This document goes into a little more detail on all the individual commands and what they do:

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_cert_enroll_pki.html

Also you could use something external to the switch like OpenSSL to generate the CSR/private key and then use that to request a cert from your Verisign CA and then import the cert/keypair into the IOS device.

Thanks,

Nate
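
The OpenSSL route mentioned at the end of the answer above, as an added example (not part of the original post and not Cisco's code): it creates the key and CSR off the switch, checks the CSR before it goes to the CA, and bundles key plus issued certificate as PKCS#12 only when they match. The host name, file names and the P12_PASS variable are assumptions, and it expects OpenSSL 1.1.1 or later for `-addext`.

```shell
#!/bin/sh
# Added example. All names (switch1.example.com, file names, P12_PASS) are
# constructed placeholders, not values from the thread.

# make_csr <fqdn> <outdir>: 2048-bit RSA key plus a CSR with CN and SAN = fqdn.
# The key is written unencrypted (-nodes), so it is created under umask 077.
make_csr() {
    fqdn=$1; dir=$2
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -sha256 \
          -keyout "$dir/$fqdn.key" -out "$dir/$fqdn.csr" \
          -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" 2>/dev/null )
}

# csr_ok <csr>: check the CSR's self-signature before sending it to the CA.
# Matches on the message because older OpenSSL exits 0 even on a bad signature.
csr_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

# pubkey_fp <pkey|req|x509> <file>: SHA-256 over the PEM public key, so a
# private key, a CSR and a certificate can be compared with each other.
pubkey_fp() {
    case $1 in
        pkey) openssl pkey -in "$2" -pubout ;;
        req)  openssl req  -in "$2" -noout -pubkey ;;
        x509) openssl x509 -in "$2" -noout -pubkey ;;
    esac | openssl dgst -sha256
}

# make_p12 <key> <cert> <out>: bundle for import into the device. Refuses when
# the issued certificate does not belong to the key. The passphrase is read
# from the environment (P12_PASS) so it does not show up in the process list.
make_p12() {
    [ "$(pubkey_fp pkey "$1")" = "$(pubkey_fp x509 "$2")" ] || return 1
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout env:P12_PASS
}

# Usage: sh csr.sh switch1.example.com ./out
if [ $# -eq 2 ]; then
    make_csr "$1" "$2" && csr_ok "$2/$1.csr" && echo "CSR ready: $2/$1.csr"
fi
```

The CSR file is what goes to the CA; the `.key` file never leaves the admin host until it is bundled with the issued certificate.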
