[c-nsp] Cisco ACS Release 3.2(3) Build 11

John Gitau JGitau at Safaricom.co.ke
Tue Sep 27 05:39:05 EDT 2005


Okay, I'm stuck here:

I have recently been checking on ways of deploying Identity Based
Networking Services using a CiscoSecure ACS 3.2(3) for a wired LAN.
Everything was going very well until I introduced a backend database
for it to pick the users from. The backend just happens to be Microsoft
Active Directory.

My main problem right now is I have not managed to get a certificate to
work on the ACS at all, i.e. I can't install a certificate on the ACS. I've
followed the procedure listed here:
<http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_user_guide_chapter09186a008023361c.html#wp97987>
to the letter. I even get the
message telling me that all went well and it has been installed, but for
some reason every time I enable "Allow EAP-MSCHAPv2", or anything that
requires using the said certificate, I get the error "Failed to
initialize PEAP or EAP-TLS authentication protocol because ACS
certificate is not installed.". I am uploading the certificates in
DER-encoded binary X.509 v3 format. The private key has a .key
extension.
I.e.:
Certificate file is XXXXXXXXXXXxx.cer
Private key file is XXXXXXXXXXXxx.key

!* I have tried other extensions but I get errors like unknown format
for *.pem and *.pvk

So my question is: Is there a specific way or format to upload these
certificates to the ACS? Does anyone have any pointers in the right
direction for deploying 802.1x authentication using a CiscoSecureACS
solution with Windows AD as the backend "database"?

**Gitau

+254 724 988 226
........................................................................
"If the entire earth, land and water, were covered with computers,
IPv6 would allow 7x10^23 IP addresses per square meter.  [...]  While it
was not the intention to give every molecule on the surface of the earth
its own IP address, we are not that far off."
	.. Tannenbaum, .Computer.Networks., 3rd Edition
........................................................................