Cisco ACS Secondary Servers: Certificate Implementation

Is there any downside or up to  importing the local certificates from the primary as opposed to configuring the local certificates manually on the new secondaries?

"New local certificates—You can either configure the local certificates on the secondary servers or import the local certificates from the primary server."

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-8/installation/guide/csacs_book/csacs_deploy.html
LVL 1
amigan_99Network EngineerAsked:
Who is Participating?
 
btanExec ConsultantCommented:
I do not see this configuration as a HA but specific to the certificate requirements, the Certificates is the only thing that isn't sync'd between the primary and secondary systems, so make sure you have a certificate on the backup first regardless of the approach taken.

I view that either choice the ultimate objective is to make sure there is single source of trust in which the root CA and the trusted chain certificate bundle are updated into the two systems and server/client certificate can authenticated during the AAA as well as 802.1X with the issued CA certificate and bundle chain trust available.

As most of the time, the single trust reference is based on primary system amd for ease of oversight for operational works, it is preferable to import form single systems as compared to have managed the two different system certiifcate separately. The chance of misconfiguration will be lesser especially when managing different certificate that has different CA issuance and expiry dates etc.

Eventually, it is more of whether the resource to make sure the synchronisation and update of certificate in the two system can be timely regardless the approach taken. The importing may seems more appropriate but you may need to make sure the hostname can be matched to the system in case of machine authentication otherwise there can be error as the certificate subject name does not match the hostname.

Good to consult the support and OPS team views too dealing woth this PKI - There should be a single enterprise CA that both system can based on instead of generating self signed certificate.

Some discussion on backup in this user forum. See
https://supportforums.cisco.com/discussion/11755336/acs-primary-and-secondary-scenario
0
 
amigan_99Network EngineerAuthor Commented:
Great info. Thank you.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.