cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1001
Views
5
Helpful
3
Replies

Managing multiple certificate on ACS server

Joshuskarki
Level 1
Level 1

Hi!

I am sorry if this topic was already discussed in this forum!

I think the ACS (5.6.xx) can't do more than a single identity certification for EAP-TLS authentication (please let me know if I am wrong and can be installed multiple certificates into it). Now, how do / did you guys do in a large environment when you had / have to migrate a Cert from sha1 to sha2 gradually (not at once), specially for wireless .1x eap-tls authentication?

Anyone can share your experience / ideas / directions on this with me? Thank you!

-Josh

3 Replies 3

Gagandeep Singh
Cisco Employee
Cisco Employee

In order to migrate cert from SHA1 to SHA 256.

You have to generate new CSR and get new cert from signing authority and get it replaced on ACS. The moment you bind new SHA2 cert, it will automatically replace EAP protocol from the old certificate.

Also for you information, we can only have one EAP and one Management certificate reside in ACS. It can be on single or 2 different certs.

Regards

Gagan

ps: rate if it helps!!!!

Hi Gagan,

Thank you for confirming that the ACS do not do more than one certificate for EAP authentication and I think the same applies for ISE as well.

I have no problem generating a CSR and adding back to the system after signed by CA. I am here to know the best practices that usually people follow to do a migration from sha1 to sha2 in a big environment.

We are a big size company and today, all users store certs with sha1 fingerprint for authentication that requires cert. The team is pushing another certs with sha2 gradually to all users globally and that might takes about 1 to 2 months to complete. During the time of this rollout, specially for those users have got both the certs on their computer, I like to see the authentication is smooth in authenticating between ACS (RADIUS) and the client computers. What I am seeing from some of the users when they have got both the certs installed, it picks wrong certificate to authenticate with ACS, in this case the new cert with sha2 which I don't even have installed on ACS yet.

Now, how do you guys deal with such issues telling either to the client or RADIUS to use right cert for auth when there're multiple certs stored in a client computer.

I know NAM can do this from client side but it is not an option for now and I am not aware if there's such thing exist on windows itself and can overcome by such issue.

Thanks,

Josh

Yes, it does the same thing in ISE.

Ideally client has to decide and send cert to ACS during EAP-TLS flow.

We also have to maintain trust relationship b/w client and ACS in terms of CA cert with intermediate in trsuted store.

Regards

Gagan

ps : rate if it helps!!!