Unable to Access CSACS 5.3 Web Interface...

millerdl
Level 1

Hi Everyone,

I wanted to note an issue I ran into today with our MS Windows 7 workstations and 2008 servers being unable to access the web management interface on our instance of ACS 5.3 and its solution, which is outlined below:

########################

###      The Problem      ###

########################

When I tried accessing the web management interface on our ACS 5.3 appliance, the browser was unable to connect. NMS applications showed that the device was up and I was able to access it via SSH. I then tried connecting to 443 via telnet on my workstation and was successful in establishing a connection. I proceeded to issue the "show application status acs" command, which showed all associated processes running. I had a co-worker attempt to access it and he ran into the same issue. I then proceeded to restart the ACS application by stopping and starting the associated processes. After the processes were back up, attempts to connect to the web management interface still failed. I then proceeded to reboot the appliance. Again, after the appliance and processes were back up, attempts to connect continued to fail. As a last-ditch effort I used a portable version of Firefox to connect and was then successfully able to connect.

########################

###       The Source        ###

########################

After additional troubleshooting, it was discovered that the MS Internet Explorer patch associated with MS Security Advisory 2661254 just so happened to be the culprit.  This restricts the use of certificates with RSA keys less than 1024 bits in length.  The default management certificate just so happens to be 512 bits in length.

########################

###          The Fix           ###

########################

Using Firefox, I navigated to System Administration > Configuration > Local Server Certificates > Local Certificates.  I then proceeded to add a certificate in the following steps:

  1. Select Generate Self Signed Certificate & click next
  2. Populate the Certificate Subject field with the appropriate DN information of the ACS server.
  3. Change the key length to 1024 or above.
  4. Check "Management Interface:  Used to authenticate the web server (GUI)".
  5. Check "Replace Certificate".
  6. Click Finish.

The ACS server should then generate the new certificate, replace the existing management certificate, and restart the ACS processes.  After everything is back up, you shouldn't have any issues in accessing the web interface.

Cheers,

Dan
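
An added example (not part of the original post, and not Cisco or Microsoft code): a standard-library Python check that reads the RSA modulus size from a PEM or DER certificate, such as an exported management certificate, and flags keys below the 1024-bit floor named above. The function names and the skeleton certificates built by `constructed_cert` are assumptions made for this illustration.

```python
import ssl

RSA_OID = bytes.fromhex("2a864886f70d010101")   # rsaEncryption, 1.2.840.113549.1.1.1
MIN_BITS = 1024                                  # floor the post cites for advisory 2661254

def read_tlv(buf, pos):                          # -> (tag, content_start, content_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):                   # all DER elements directly inside a container
    out = []
    while start < end:
        out.append(read_tlv(buf, start))
        start = out[-1][2]
    return out

def rsa_modulus_bits(cert):                      # PEM or DER bytes; None if the key is not RSA
    if cert.lstrip().startswith(b"-----BEGIN"):
        cert = ssl.PEM_cert_to_DER_cert(cert.decode("ascii").strip())
    _, s, e = read_tlv(cert, read_tlv(cert, 0)[1])   # Certificate -> tbsCertificate
    fields = [f for f in children(cert, s, e) if f[0] != 0xA0]   # drop optional [0] version
    _, s, e = fields[5]                          # serial, sigAlg, issuer, validity, subject, SPKI
    alg, key = children(cert, s, e)              # AlgorithmIdentifier, BIT STRING
    _, o, oe = read_tlv(cert, alg[1])
    if cert[o:oe] != RSA_OID:
        return None
    _, s, e = read_tlv(cert, key[1] + 1)         # skip unused-bits byte -> RSAPublicKey
    _, s, e = read_tlv(cert, s)                  # modulus INTEGER
    return int.from_bytes(cert[s:e], "big").bit_length()

def rejected_by_patch(cert, minimum=MIN_BITS):
    bits = rsa_modulus_bits(cert)
    return bits is not None and bits < minimum

def tlv(tag, body):                              # DER encoder, only used to build the samples
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + body

def constructed_cert(bits):                      # constructed skeleton, no real key or signature
    modulus = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    key = tlv(0x30, tlv(0x02, modulus) + tlv(0x02, b"\x01\x00\x01"))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b"")) + tlv(0x03, b"\x00" + key))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"") * 4 + spki)
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

To check a real certificate, pass the bytes of the exported file, for example `rejected_by_patch(open(path, "rb").read())`, where `path` is wherever you saved it.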

3 Replies 3

edwjames
Level 3

Great job.

To add to it, here is the workaround (if the cert cannot be replaced immediately):

certutil -setreg chain\minRSAPubKeyBitLength 512

Run this on the PC accessing the page.

Rate if useful

**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed

Amjad Abdullah
VIP Alumni

Hello Dan,

Thank you for trying to share the information you have.

Note please if you want to share information you can post a document, not a discussion.

You can convert this discussion into a document from the right pane menu.

Greetings,

Amjad

Rating useful replies is more useful than saying "Thank you"

Vinay Sharma
Level 7

Thanks Daniel for posting this information as a Document https://supportforums.cisco.com/docs/DOC-32664.

Regards,

Vinay Sharma

Community Manager

Thanks & Regards