01-31-2014 02:24 PM - edited 03-10-2019 09:20 PM
Hi all,
I have ACS 5.4 installed, and several wireless environments.
One uses EAP-TLS to authenticate users from our domain (self-signed certificates).
The second uses PEAP and needs a real external cert... (signed by Terena)
The problem is that I can only use one certificate for EAP authentication on ACS, and I need them both to work.
I see only 2 options:
1. Configure the TLS network to authenticate without having the ACS cert in the chain (use the real one)
2. Configure somehow to use two certificates, one for each service.
Please help... I'm desperate.
Thanks!
Naor
03-05-2014 05:47 AM
Hi
ACS 5.4 supports user and machine authentication and change password against AD using EAP-FAST and PEAP with an inner method of MSCHAPv2 and EAP-GTC.
To run both EAP-TLS and PEAP at the same time, please go through the following link:
03-05-2014 06:49 AM
You cannot have multiple server/identity certificates on ACS for different EAP flavors. As a best practice get the third-party certificate and check to associate the certificate with EAP protocols that use SSL/TLS tunneling: EAP-TLS, EAP-FAST, and PEAP.
~BR
Jatin Katyal
**Do rate helpful posts**
03-05-2014 07:32 AM
Hi Jatin,
Thanks for your answer, it helped.
Just a verification question:
I can purchase a TERENA/VERISIGN/ETC certificate, install it on the ACS and use it to authenticate EAP-TLS and PEAP users? GREAT! This is exactly what I need!!
Can you please refer me to a guide on how to do so?
Thanks!
03-05-2014 07:40 AM
That's correct. The same identity/server certificate can be used for both EAP authentication methods.
EAP-TLS deployment with ACS 5.x
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a008009256b.shtml
PEAP with ACS 5.x
Let us know if you have any further questions.
~BR
Jatin Katyal
**Do rate helpful posts**
03-05-2014 07:48 AM
O.K, got it...
One more:
The EAP-TLS network is used with an MS Active Directory and uses a private CA to issue the certificates.
Can I use ACS with a public certificate to authenticate the users?
I thought that ACS must have a certificate from the same certificate chain as the users (issue a certificate for it from the local CA).
Thanks,
Naor.
03-05-2014 08:03 AM
Yes, you can use an external/public CA for EAP-TLS. Just make sure you have the complete certificate chain installed on the client and the server (including the intermediate certificate).
~BR
Jatin Katyal
**Do rate helpful posts**
03-06-2014 05:04 AM
Hi,
How can I get the complete chain of an external real certificate? Like GlobalSign or Terena?
Is it possible to do so by myself?
Thanks,
Naor.
03-06-2014 05:13 PM
So when you generate a CSR and send it to your certificate authority, they will provide you with the full set of certificates.
This site talks about the different CAs available and their services:
https://www.ssl247.com/ssl-certificates
~BR
Jatin Katyal
**Do rate helpful posts**
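The two answers above (install the complete chain including the intermediate; the CA returns the full set of certificates after you submit a CSR) can be seen end to end with plain openssl. The script below is an added example, not from this thread or from Cisco: it builds a throw-away root and intermediate CA, issues a server (EAP identity) certificate from a CSR, and then verifies that certificate once with only the root and once with the intermediate supplied. The CA names, the hostname acs.example.test and the file names are constructed for the demo.

```shell
#!/bin/sh
# Added example: throw-away two-tier CA to show why the intermediate must be
# deployed with the server certificate. All names/paths are constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"

make_chain() {
  cd "$WORK"
  # Extensions for CA certificates (root and intermediate)
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  # Root CA: CSR self-signed with its own key
  openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Demo Root CA" 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -out root.pem \
    -days 30 -extfile ca.ext 2>/dev/null
  # Intermediate CA: CSR signed by the root
  openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/CN=Demo Intermediate CA" 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out int.pem -days 30 -extfile ca.ext 2>/dev/null
  # Server (EAP identity) certificate: the CSR you would send to the public CA,
  # here signed by the intermediate, as public CAs typically do
  openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=acs.example.test" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:acs.example.test\n' > server.ext
  openssl x509 -req -in server.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -out server.pem -days 30 -extfile server.ext 2>/dev/null
}

# Client-side view when only the root is trusted and the server sends no
# intermediate: returns non-zero ("unable to get local issuer certificate").
verify_without_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# Same root trust, but the intermediate travels with the server cert: returns 0.
verify_with_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
    "$WORK/server.pem" >/dev/null 2>&1
}

# What goes onto the server: the identity cert followed by the intermediate(s).
# The root alone is what clients need in their trust store.
# Prints the number of certificates in the bundle.
build_bundle() {
  cat "$WORK/server.pem" "$WORK/int.pem" > "$WORK/server-chain.pem"
  grep -c 'BEGIN CERTIFICATE' "$WORK/server-chain.pem"
}
```

Run make_chain, then the two verify functions: the first fails and the second succeeds with the same trust anchor, which is exactly the "missing intermediate" symptom a supplicant reports when the server presents only its leaf certificate. build_bundle produces the file you would import as the server chain (leaf first, then intermediate).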