Cisco ACS Secondary Servers: Certificate Implementation

Posted on 2016-10-10
Last Modified: 2016-10-11
Is there any downside or upside to importing the local certificates from the primary, as opposed to configuring the local certificates manually on the new secondaries?

"New local certificates—You can either configure the local certificates on the secondary servers or import the local certificates from the primary server."

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-8/installation/guide/csacs_book/csacs_deploy.html
Question by: amigan_99
2 Comments
Accepted Solution

by: btan (earned 2000 total points)
ID: 41837990
I do not see this configuration as HA but specific to the certificate requirements; the certificates are the only thing that isn't synced between the primary and secondary systems, so make sure you have a certificate on the backup first regardless of the approach taken.

I view that with either choice the ultimate objective is to make sure there is a single source of trust, in which the root CA and the trusted chain certificate bundle are updated into the two systems, and the server/client certificate can be authenticated during AAA as well as 802.1X with the issued CA certificate and bundle chain trust available.

As most of the time the single trust reference is based on the primary system, and for ease of oversight for operational work, it is preferable to import from a single system as compared to having to manage the two different systems' certificates separately. The chance of misconfiguration will be lower, especially when managing different certificates that have different CA issuance and expiry dates etc.

Eventually, it is more a matter of whether the resources are there to make sure the synchronisation and update of certificates in the two systems can be timely, regardless of the approach taken. Importing may seem more appropriate, but you may need to make sure the hostname can be matched to the system in case of machine authentication; otherwise there can be an error as the certificate subject name does not match the hostname.

Good to consult the support and OPS team views too when dealing with this PKI. There should be a single enterprise CA that both systems can be based on, instead of generating self-signed certificates.

Some discussion on backup in this user forum. See
https://supportforums.cisco.com/discussion/11755336/acs-primary-and-secondary-scenario
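A defender-side check for the points raised in the accepted answer (subject name not matching the node hostname, a single enterprise CA rather than self-signed certificates, and expiry tracking on both nodes), added here as example code that is not part of this thread or of Cisco ACS. The node names, CA name and certificate dictionaries are constructed, in the layout Python's `ssl.getpeercert()` returns, so real peer certificates could be fed in the same way.

```python
import ssl

ENTERPRISE_CA_CN = "Example Corp Issuing CA"  # assumed single enterprise CA (constructed)
AUDIT_TIME = ssl.cert_time_to_seconds("Oct 10 00:00:00 2016 GMT")  # fixed clock for the sample


def _common_name(rdns) -> str:
    return next((v for rdn in rdns for k, v in rdn if k == "commonName"), "")


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if hostname is covered by a DNS SAN (or the CN when no SAN is present).
    A wildcard is honoured only in the leftmost label, per RFC 6125 section 6.4.3."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [_common_name(cert.get("subject", ()))]
    host = hostname.lower()
    for pattern in (n.lower() for n in names):
        if pattern == host:
            return True
        if pattern.startswith("*.") and "." in host and host.split(".", 1)[1] == pattern[2:]:
            return True
    return False


def audit_node(hostname: str, cert: dict, now: float = AUDIT_TIME, warn_days: int = 30) -> list:
    """Findings for one ACS node: name mismatch, CA of issue, and time to expiry."""
    findings = []
    if not hostname_matches(cert, hostname):
        findings.append("subject/SAN does not match hostname")  # machine auth would error
    if cert["subject"] == cert["issuer"]:
        findings.append("self-signed certificate, not from the enterprise CA")
    elif _common_name(cert["issuer"]) != ENTERPRISE_CA_CN:
        findings.append("issued by an unexpected CA")
    remaining = ssl.cert_time_to_seconds(cert["notAfter"]) - now
    if remaining < 0:
        findings.append("expired")
    elif remaining < warn_days * 86400:
        findings.append(f"expires in {int(remaining // 86400)} days")
    return findings


def audit_deployment(nodes: dict, now: float = AUDIT_TIME) -> dict:
    return {host: audit_node(host, cert, now) for host, cert in nodes.items()}


ISSUER = ((("commonName", ENTERPRISE_CA_CN),),)
PRIMARY_CERT = {"subject": ((("commonName", "acs-primary.example.com"),),), "issuer": ISSUER,
                "subjectAltName": (("DNS", "acs-primary.example.com"),),
                "notAfter": "Oct 10 00:00:00 2017 GMT"}
# Constructed: the secondary got a straight copy of the primary's cert and it is near expiry.
SECONDARY_CERT = dict(PRIMARY_CERT, notAfter="Oct 30 00:00:00 2016 GMT")
NODES = {"acs-primary.example.com": PRIMARY_CERT, "acs-secondary.example.com": SECONDARY_CERT}
```

`audit_deployment(NODES)` reports the secondary's hostname mismatch and its 20 remaining days while the primary comes back clean.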
Author Closing Comment

by: amigan_99
ID: 41838822
Great info. Thank you.