Solved

Cisco ACS Secondary Servers: Certificate Implementation

Posted on 2016-10-10
2
50 Views
Last Modified: 2016-10-11
Is there any downside or up to  importing the local certificates from the primary as opposed to configuring the local certificates manually on the new secondaries?

"New local certificates—You can either configure the local certificates on the secondary servers or import the local certificates from the primary server."

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-8/installation/guide/csacs_book/csacs_deploy.html
0
Comment
Question by:amigan_99
2 Comments
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 41837990
I do not see this configuration as a HA but specific to the certificate requirements, the Certificates is the only thing that isn't sync'd between the primary and secondary systems, so make sure you have a certificate on the backup first regardless of the approach taken.

I view that either choice the ultimate objective is to make sure there is single source of trust in which the root CA and the trusted chain certificate bundle are updated into the two systems and server/client certificate can authenticated during the AAA as well as 802.1X with the issued CA certificate and bundle chain trust available.

As most of the time, the single trust reference is based on primary system amd for ease of oversight for operational works, it is preferable to import form single systems as compared to have managed the two different system certiifcate separately. The chance of misconfiguration will be lesser especially when managing different certificate that has different CA issuance and expiry dates etc.

Eventually, it is more of whether the resource to make sure the synchronisation and update of certificate in the two system can be timely regardless the approach taken. The importing may seems more appropriate but you may need to make sure the hostname can be matched to the system in case of machine authentication otherwise there can be error as the certificate subject name does not match the hostname.

Good to consult the support and OPS team views too dealing woth this PKI - There should be a single enterprise CA that both system can based on instead of generating self signed certificate.

Some discussion on backup in this user forum. See
https://supportforums.cisco.com/discussion/11755336/acs-primary-and-secondary-scenario
0
 
LVL 1

Author Closing Comment

by:amigan_99
ID: 41838822
Great info. Thank you.
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This subject  of securing wireless devices conjures up visions of your PC or mobile phone connecting to the Internet through some hotspot at Starbucks. But it is so much more than that. Let’s look at the facts: devices#sthash.eoFY7dic.
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

943 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now