Cisco ACS Secondary Servers: Certificate Implementation (Solved)

Posted on 2016-10-10
Last Modified: 2016-10-11
Is there any downside or upside to importing the local certificates from the primary, as opposed to configuring the local certificates manually on the new secondaries?

"New local certificates—You can either configure the local certificates on the secondary servers or import the local certificates from the primary server."

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-8/installation/guide/csacs_book/csacs_deploy.html
Question by: amigan_99
Accepted Solution by: btan (earned 500 total points)
I do not see this configuration as HA but as specific to the certificate requirements. The certificates are the only thing that isn't synced between the primary and secondary systems, so make sure you have a certificate on the backup first, regardless of the approach taken.

I view that with either choice the ultimate objective is to make sure there is a single source of trust, in which the root CA and the trusted chain certificate bundle are updated into the two systems, and the server/client certificate can be authenticated during AAA as well as 802.1X with the issued CA certificate and the chain trust bundle available.

As most of the time the single trust reference is based on the primary system, and for ease of oversight for operational work, it is preferable to import from a single system as compared to having to manage the two different systems' certificates separately. The chance of misconfiguration will be lower, especially when managing different certificates that have different CA issuance and expiry dates etc.

Eventually, it is more a matter of whether the resources exist to make sure the synchronisation and update of certificates on the two systems can be timely, regardless of the approach taken. Importing may seem more appropriate, but you may need to make sure the hostname can be matched to the system in case of machine authentication; otherwise there can be an error because the certificate subject name does not match the hostname.

Good to consult the support and OPS teams' views too when dealing with this PKI. There should be a single enterprise CA that both systems can be based on instead of generating self-signed certificates.

Some discussion on backup in this user forum. See
https://supportforums.cisco.com/discussion/11755336/acs-primary-and-secondary-scenario
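The hostname caveat in the answer above (an imported primary certificate only works on a secondary if its subject name or SAN entries cover that node's hostname, and it must still be within its validity period) can be turned into a pre-import check. The following is an added example, not code from the thread or from Cisco ACS: the certificate fields are supplied as a small Python dataclass standing in for values a real deployment would read out of the certificate (for example with openssl), and the hostnames and validity dates are constructed for illustration.

```python
"""Pre-import check: does one certificate cover every ACS node's hostname?

Added example. CertInfo holds the fields an operator would extract from the
primary's local certificate; the hostnames and dates below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class CertInfo:
    subject_cn: str                      # Subject CN (fallback name only)
    san_dns: List[str] = field(default_factory=list)  # subjectAltName dNSName entries
    not_before: datetime = datetime(1970, 1, 1, tzinfo=timezone.utc)
    not_after: datetime = datetime(1970, 1, 1, tzinfo=timezone.utc)


def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, and a wildcard is accepted
    only as the whole leftmost label of a name with at least three labels,
    where it matches exactly one label (no match across dots)."""
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers_hostname(cert: CertInfo, hostname: str) -> bool:
    """SAN dNSName entries take precedence; the CN is consulted only when the
    certificate carries no SAN at all (the behaviour of modern validators)."""
    names = cert.san_dns if cert.san_dns else [cert.subject_cn]
    return any(_name_matches(n, hostname) for n in names)


def check_cert_for_nodes(cert: CertInfo, node_hostnames: List[str],
                         now: Optional[datetime] = None) -> Dict[str, object]:
    """Report which nodes the certificate is usable on and whether it is
    currently within its validity period."""
    now = now or datetime.now(timezone.utc)
    report: Dict[str, object] = {
        "in_validity_period": cert.not_before <= now <= cert.not_after,
        "covered": [],
        "missing": [],
    }
    for host in node_hostnames:
        key = "covered" if cert_covers_hostname(cert, host) else "missing"
        report[key].append(host)  # type: ignore[union-attr]
    return report


# Constructed sample data: two ACS nodes and two candidate primary certificates.
NODES = ["acs-primary.example.com", "acs-secondary.example.com"]
CHECK_TIME = datetime(2016, 10, 10, tzinfo=timezone.utc)

# Certificate issued only for the primary's own names: importing it to the
# secondary would trigger the hostname-mismatch error the answer describes.
PRIMARY_ONLY_CERT = CertInfo(
    subject_cn="acs-primary.example.com",
    san_dns=["acs-primary.example.com", "acs.example.com"],
    not_before=datetime(2016, 1, 1, tzinfo=timezone.utc),
    not_after=datetime(2017, 1, 1, tzinfo=timezone.utc),
)

# Certificate whose SAN names every node explicitly: safe to import to both.
BOTH_NODES_CERT = CertInfo(
    subject_cn="acs-primary.example.com",
    san_dns=["acs-primary.example.com", "acs-secondary.example.com"],
    not_before=datetime(2016, 1, 1, tzinfo=timezone.utc),
    not_after=datetime(2017, 1, 1, tzinfo=timezone.utc),
)


def run_checks() -> Dict[str, Dict[str, object]]:
    """Run the pre-import check for both constructed certificates."""
    return {
        "primary_only": check_cert_for_nodes(PRIMARY_ONLY_CERT, NODES, CHECK_TIME),
        "both_nodes": check_cert_for_nodes(BOTH_NODES_CERT, NODES, CHECK_TIME),
    }


if __name__ == "__main__":
    for name, report in run_checks().items():
        print(name, report)
```

Listing every node in the SAN (or using one enterprise-CA-issued certificate per node) is what makes the "import from the primary" approach safe; the check above flags the secondary as missing before the import is attempted rather than after machine authentication starts failing.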

Author Closing Comment by: amigan_99

Great info. Thank you.
