12-11-2011 06:52 PM - edited 07-03-2021 09:12 PM
So, first post; I usually figure most of this stuff out. I have this all working with the latest firmware etc., but I have more of an MS IAS issue than anything.
The PEAP cert used is one generated for my IAS controller, but I have two things... I'd like it to be highly available (if I shut down IAS#1 it uses IAS#2, which has a different certificate as it's host-name dependent). Also, if I can get a certificate for both IAS servers (using an MS cert authority, trusted by all my computers etc.), I'd like it to be more than a one-year cert.
Both IAS servers are DCs, so when creating a cert request from the MMC cert snap-in for the machine, it has the Domain Controller template and only uses the machine name. I need to make a 2-5 year cert generic for IAS.
Thanks for any help.
12-11-2011 07:31 PM
In order to increase the default 1-year certificate lifetime, you need to create a new certificate template on your CA. Here is an example of creating a new template by using the duplicate feature.
http://technet.microsoft.com/en-us/library/cc755043(v=ws.10).aspx
12-13-2011 06:24 AM
Sure, I understand and have done that, but I am only prompted to use the Domain Controller cert template.
Any thoughts about my other (poorly phrased, now that I look at it) question about having multiple IAS servers using the same certificate? Right now, if I shut down the primary IAS server, clients aren't able to join, as the cert they have is for the primary IAS server. They have to delete the network and re-add it to get the other server's cert.
12-13-2011 10:08 AM
There are two things you could do.
1.) Use a GPO to push the certificate from IAS#2 to all your clients.
2.) Under the PEAP config, uncheck the "Validate server certificate" box.
With PEAP, the supplicant doesn't 'need/have' to have the server cert; it's an option. When I'm testing, I always uncheck this box. You could test whether the clients will fail over to the other IAS with the option unchecked.
As for the cert, are both of these devices a CA, or are you using a self-generated cert? If you have multiple IAS servers, you may want to promote a server to be a CA, and then issue both of these servers a cert from there. Then you only need to have your CA root on the client, instead of each IAS cert.
HTH,
Steve
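Added example, not code from the thread or from either poster: a PowerShell/certreq walk-through of the approach the question and Steve's reply converge on, i.e. one enterprise-CA certificate, issued from a duplicated template with a longer validity, that names both IAS servers in its Subject Alternative Name and is installed (with its private key) on both, so clients can keep "Validate server certificate" enabled and still fail over. Every name below is an assumption: the CA config string `ca01.corp.example\Corp-Issuing-CA`, the template `IAS-PEAP-3yr` (a duplicate of the built-in "RAS and IAS Server" template), the hosts `ias1`/`ias2.corp.example` and the shared name `radius.corp.example`.

```powershell
# Added example (not from the thread). Enrolls ONE PEAP server certificate that
# covers both IAS/NPS servers from the enterprise CA and copies it, private key
# included, to the second server.
#
# Assumptions (adjust to your environment):
#   - An Active Directory enterprise CA reachable as $CAConfig.
#   - A template "IAS-PEAP-3yr" created by duplicating "RAS and IAS Server",
#     with: validity period 3 years, subject name "Supply in the request",
#     "Allow private key to be exported", and Enroll permission granted to
#     both IAS computer accounts.
#   - ias1 and ias2 live in DNS zone corp.example; radius.corp.example is a
#     shared name that only needs to exist inside the certificate.
# Run in an elevated PowerShell on the first IAS server.

$CAConfig = 'ca01.corp.example\Corp-Issuing-CA'   # assumed; list CAs with: certutil -config - -ping
$Template = 'IAS-PEAP-3yr'                          # assumed duplicated template name
$WorkDir  = 'C:\PEAPCert'
$PfxPass  = 'ChangeMe-UseARealSecretHere'           # placeholder; the .pfx contains the private key
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# certreq INF: Subject is the shared name, the SAN lists every name a supplicant
# might be configured to expect, and the EKU is Server Authentication, which
# Windows supplicants require on a PEAP server certificate.
$Inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=radius.corp.example"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=radius.corp.example&"
_continue_ = "dns=ias1.corp.example&"
_continue_ = "dns=ias2.corp.example"

[RequestAttributes]
CertificateTemplate = $Template
"@
Set-Content -Path "$WorkDir\peap.inf" -Value $Inf -Encoding ASCII

# 1. Build the request; the private key is generated in the machine store.
certreq -new "$WorkDir\peap.inf" "$WorkDir\peap.req"
# 2. Submit to the CA. If the template requires CA manager approval this prints
#    a pending request ID: issue it in the CA console, then use
#    certreq -retrieve <ID> "$WorkDir\peap.cer" before step 3.
certreq -submit -config $CAConfig "$WorkDir\peap.req" "$WorkDir\peap.cer"
# 3. Bind the issued certificate to its private key in LocalMachine\My.
certreq -accept "$WorkDir\peap.cer"

# Confirm lifetime and SAN entries before trusting it in production.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=radius.corp.example' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
"Thumbprint {0}, valid {1:yyyy-MM-dd} to {2:yyyy-MM-dd}" -f $Cert.Thumbprint, $Cert.NotBefore, $Cert.NotAfter
$Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($true) }

# 4. Export certificate + private key for the second server ...
certutil -p $PfxPass -exportPFX my $Cert.Thumbprint "$WorkDir\peap.pfx"
# ... copy peap.pfx to ias2 over an authenticated channel, then on ias2 (elevated):
#     certutil -p <password> -importPFX C:\PEAPCert\peap.pfx
# Select this certificate in the PEAP settings on both servers, then delete the
# .pfx from disk on both machines.
```

With the shared certificate in place, the client-side PEAP profile can stay strict: leave "Validate server certificate" checked, tick the enterprise root CA (domain-joined machines receive an enterprise CA's root automatically; non-domain clients need it pushed by GPO or installed by hand), and optionally list the SAN names under "Connect to these servers". Unchecking validation, as suggested above for testing, does make failover work, but it also means the supplicant will complete PEAP with any RADIUS server presenting any certificate and run the inner MS-CHAPv2 exchange against it, so it is a troubleshooting setting rather than a fix.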