Appendix B Authentication in ACS 5.3

EAP-TLS

Importing the ACS Server Certificate

When you manually import an ACS server certificate, you must supply the certificate file, the private key file, and the private key password used to decrypt the PKCS#12 private key. The certificate, together with its private key and private key password, is added to the Local Certificate store. For unencrypted private keys, the user-supplied password may be ignored.

ACS supports PEM- or DER-formatted X.509 certificate files. ACS verifies only that an imported certificate complies with the X.509 format; it does not perform any hierarchical (chain) signature verification, so verify the chain from the server certificate up to your CA yourself before importing.

When importing a certificate, you can configure it for the protocols that require an ACS server certificate, such as the TLS-related EAP protocols and the HTTPS management protocol.

Note Only EAP and the HTTPS management protocol can be configured in ACS 5.3 for certificate-based authentication.

The input password and private key, which are cryptographically sensitive, are passed over the HTTPS channel. Using HTTPS with a non-authenticated server (for example, a self-signed certificate for HTTPS server authentication) is not a secure way to pass this sensitive information: a browser that cannot verify the server's identity cannot detect an intercepting proxy, which would then obtain the private key and its password.

Importing Trust Certificates, page B-9

Initial Self-Signed Certificate Generation, page B-10

Certificate Generation, page B-10

Initial Self-Signed Certificate Generation

An automatically generated, self-signed certificate is placed in the Local Certificate store for each ACS server. This certificate is used to identify ACS for TLS-related EAP protocols and for HTTPS Management protocols.

The self-signed certificate is generated when ACS is installed, with the CN set to the machine's hostname, as required for HTTPS certificates.

Certificate Generation

You can generate ACS server certificates through the Web interface. The output of this process is a certificate or a certificate request and its corresponding private key and password. The generated private key is PKCS#12 encrypted, using a relatively strong, automatically generated password based on at least 128 bits of randomness.

You can select any of these lengths for the generated private key: 512, 1024, 2048, or 4096 bits. The certificate digest algorithm used by ACS is SHA-1 or SHA-256. 512-bit and 1024-bit RSA keys and SHA-1 signatures are considered weak; choose 2048 bits or more and SHA-256 wherever the supplicants and management clients support it.

Note You should install Windows XP SP3 to use SHA-256 certificates as management certificates.
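The import and generation steps described in "Importing the ACS Server Certificate" and "Certificate Generation" above, as an added example using the openssl CLI rather than the ACS Web interface (this is not code from the Cisco guide). It produces a 2048-bit RSA key and a SHA-256 self-signed certificate whose CN is the ACS hostname, encrypts the key under a random password with 128 bits of entropy, and then runs the checks a practitioner wants before uploading the files: certificate format (PEM or DER, as ACS accepts), key length, signature digest, that the key decrypts with the password and matches the certificate, that the CN equals the hostname, and the chain verification that ACS itself does not perform. The hostname acs01.example.internal, the file names, the working directory, and the choice of an encrypted PKCS#8 PEM key (where the guide's wording says PKCS#12) are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the Cisco guide: prepare an ACS server certificate
# bundle with the openssl CLI and run the checks ACS itself does not perform.
# ACS_HOST, the working directory and all file names are illustrative assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"
ACS_HOST="${ACS_HOST:-acs01.example.internal}"   # assumed ACS hostname; CN must equal it

# Generate an RSA private key and a self-signed server certificate with CN equal
# to the ACS hostname. $1 = key length in bits, $2 = digest (sha256 or sha1).
gen_server_cert() {
  openssl req -x509 -newkey "rsa:$1" -nodes "-$2" -days 365 \
    -subj "/CN=$ACS_HOST" -keyout "$WORK/acs.key" -out "$WORK/acs.crt" >/dev/null 2>&1
}

# Encrypt the private key (PKCS#8, AES-256) under a random password carrying
# 128 bits of entropy, the strength the guide describes for ACS-generated keys.
# The password file holds what you paste into the import form next to the key.
encrypt_key() {
  openssl rand -hex 16 > "$WORK/acs.key.pass"           # 16 random bytes = 128 bits
  openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$WORK/acs.key" \
    -out "$WORK/acs.key.enc" -passout "file:$WORK/acs.key.pass"
}

# ACS accepts PEM or DER X.509; returns 0 if the file parses as either.
cert_format_ok() {
  openssl x509 -in "$1" -inform PEM -noout >/dev/null 2>&1 ||
    openssl x509 -in "$1" -inform DER -noout >/dev/null 2>&1
}

cert_key_bits() {  # RSA modulus size of the certificate's public key (PEM input)
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

cert_sig_alg() {   # signature algorithm name, e.g. sha256WithRSAEncryption
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

cert_cn() {        # CN of the subject (this example's subject is CN only)
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# The private key decrypts with the password and its public half equals the
# public key inside the certificate. $1 cert, $2 encrypted key, $3 password.
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  k=$(openssl pkey -in "$2" -passin "pass:$3" -pubout 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# ACS skips hierarchical signature verification, so verify the chain yourself.
# $1 cert, $2 CA bundle (a self-signed certificate is its own CA).
chain_ok() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Pre-import gate: format, key size, digest, key/cert match, CN.
# $1 cert (PEM), $2 encrypted key, $3 password. Prints a verdict, returns 0 on pass.
precheck() {
  cert_format_ok "$1" || { echo "FAIL: not a PEM/DER X.509 certificate"; return 1; }
  bits=$(cert_key_bits "$1")
  [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: ${bits:-?}-bit key (ACS allows 512/1024, but they are weak)"; return 1; }
  sig=$(cert_sig_alg "$1")
  case "$sig" in sha1*|md5*) echo "FAIL: weak signature digest $sig"; return 1 ;; esac
  key_matches_cert "$1" "$2" "$3" || { echo "FAIL: key does not decrypt or does not match the certificate"; return 1; }
  cn=$(cert_cn "$1")
  [ "$cn" = "$ACS_HOST" ] || { echo "FAIL: CN '$cn' is not the ACS hostname $ACS_HOST"; return 1; }
  echo "OK: $bits-bit key, $sig, CN=$cn"
}

# Usage: build a 2048-bit / SHA-256 bundle and gate it before uploading to ACS.
gen_server_cert 2048 sha256
encrypt_key
precheck "$WORK/acs.crt" "$WORK/acs.key.enc" "$(cat "$WORK/acs.key.pass")"
```

The gate is deliberately stricter than ACS: ACS will accept a 512-bit key or a SHA-1 certificate and will not notice a key that does not belong to the certificate or a chain that does not validate, so these are the checks to run on the files before they are pasted into the import form over HTTPS.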

 

User Guide for Cisco Secure Access Control System 5.3

B-10

OL-24201-01