Cisco 3750 with integrated WLC, WPA2 Enterprise, 802.1X and MS IAS.

neal.alberda
Level 1

So, first post. I usually figure most of this stuff out. I have this all working with the latest firmware etc., but I have more of an MS IAS issue than anything.

The PEAP cert used is one generated for my IAS controller, but I have two things... I'd like it to be highly available (if I shut down IAS#1 it uses IAS#2, which has a different certificate, as it's host-name dependent). Also, if I can get a certificate for both IAS servers (using the MS certificate authority, trusted by all my computers etc.), I'd like it to be more than a one-year cert.

Both IAS servers are DCs, so when creating a cert request from the MMC cert snap-in for the machine, it has the Domain Controller template and only uses the machine name. I need to make a 2-5 year generic cert for IAS.

Thanks for any help.

Sent from Cisco Technical Support iPad App

3 Replies

Scott Fella
Hall of Fame

In order to increase the default one-year certificate lifetime, you need to create a new certificate template on your CA. Here is an example of creating a new template by using the duplicate feature.

http://technet.microsoft.com/en-us/library/cc755043(v=ws.10).aspx

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

Sure, I understand and have done that, but I am only prompted to use the Domain Controller cert template.

Any thoughts about my other (poorly phrased, now that I look at it) question about having multiple IAS servers using the same certificate? Right now, if I shut down the primary IAS server, clients aren't able to join, as the cert they have is for the primary IAS server. They have to delete the network and re-add it to get the other server's cert.

Sent from Cisco Technical Support iPad App
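Scott's template advice and the poster's observation that the MMC snap-in only offers the Domain Controller template both point at the same fix: request the certificate with certreq and an .inf file, which lets you name the template and the subject explicitly instead of taking whatever the snap-in auto-selects. The script below is an added example, not something from the thread or from Cisco or Microsoft documentation. It assumes a hypothetical template "IASServerAuth" duplicated from the built-in "RAS and IAS Server" template with a 3-year validity period, "Supply in the request" as the subject-name source, an exportable private key, and Enroll permission for the IAS servers; a hypothetical issuing CA "ca01.corp.example\Corp Issuing CA"; and IAS servers ias1.corp.example and ias2.corp.example. Putting both server names (plus one generic name) in the Subject Alternative Name is what lets a single certificate be presented by either server.

```powershell
# Added example, not from the thread. Hypothetical names throughout:
#   template "IASServerAuth" (duplicate of "RAS and IAS Server", 3-year validity,
#   subject supplied in the request, exportable key), CA "ca01.corp.example\Corp Issuing CA",
#   IAS servers ias1/ias2.corp.example. Run in an elevated prompt on ias1.

$inf = @'
[NewRequest]
Subject        = "CN=radius.corp.example"
KeyLength      = 2048
KeySpec        = 1
Exportable     = TRUE
MachineKeySet  = TRUE
ProviderName   = "Microsoft RSA SChannel Cryptographic Provider"
RequestType    = PKCS10

[RequestAttributes]
; Names the template explicitly, so the Domain Controller template is not auto-selected.
; The Server Authentication EKU that PEAP supplicants look for is inherited from the
; RAS and IAS Server template this one was duplicated from.
CertificateTemplate = IASServerAuth

[Extensions]
; Subject Alternative Name: every name a supplicant may be configured to expect
2.5.29.17 = "{text}"
_continue_ = "dns=radius.corp.example&"
_continue_ = "dns=ias1.corp.example&"
_continue_ = "dns=ias2.corp.example"
'@

Set-Content -Path .\ias-peap.inf -Value $inf -Encoding ASCII

# Build the CSR, submit it to the enterprise CA, and bind the issued cert to the key
certreq -new    .\ias-peap.inf .\ias-peap.req
certreq -submit -config "ca01.corp.example\Corp Issuing CA" .\ias-peap.req .\ias-peap.cer
certreq -accept .\ias-peap.cer

# Check the lifetime actually issued. The CA's own ValidityPeriod registry setting is an
# upper bound: a template asking for 3 years is silently capped if the CA says 2.
certutil -config "ca01.corp.example\Corp Issuing CA" -getreg ca\ValidityPeriod
certutil -config "ca01.corp.example\Corp Issuing CA" -getreg ca\ValidityPeriodUnits
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=radius.corp.example' }
$cert | Select-Object Thumbprint, NotBefore, NotAfter

# Move the same key pair to the second IAS server so both present an identical cert
certutil -p "<pfx-password>" -exportPFX my $cert.Thumbprint .\ias-peap.pfx
# on ias2:  certutil -p "<pfx-password>" -importPFX .\ias-peap.pfx
```

Two checks are worth doing before relying on this. First, the SAN in the request is only honored because the template's subject name is set to "Supply in the request"; the alternative of enabling the CA-wide EDITF_ATTRIBUTESUBJECTALTNAME2 flag lets any enroller put any name on any template and should be avoided. Second, if the issued certificate still shows a one-year lifetime, raise the CA's ValidityPeriod/ValidityPeriodUnits values (and restart the CA service) before re-requesting; the template cannot exceed them.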

There are two things you could do.

1.) Use a GPO to push the certificate from IAS#2 to all your clients.

2.) Under the PEAP config, uncheck the "Validate server certificate" box.

With PEAP, the supplicant doesn't have to have the server cert; it's an option. When I'm testing, I always uncheck this box. You could test whether the clients will fail over to the other IAS with the option unchecked.

As for the cert, are both of these devices a CA, or are you using a self-generated cert? If you have multiple IAS servers, you may want to promote a server to be a CA, and then issue both of these servers a cert from there. Then you only need to have your CA root on the client, instead of each IAS cert.

HTH,

Steve

----------------------------------------------------------------------------------------------------------

Please remember to rate helpful posts or to mark the question as answered so that it can be found later.