Solved

Cisco ACS Secondary Servers: Certificate Implementation

Posted on 2016-10-10
2
42 Views
Last Modified: 2016-10-11
Is there any downside or up to  importing the local certificates from the primary as opposed to configuring the local certificates manually on the new secondaries?

"New local certificates—You can either configure the local certificates on the secondary servers or import the local certificates from the primary server."

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-8/installation/guide/csacs_book/csacs_deploy.html
0
Comment
Question by:amigan_99
2 Comments
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
Comment Utility
I do not see this configuration as a HA but specific to the certificate requirements, the Certificates is the only thing that isn't sync'd between the primary and secondary systems, so make sure you have a certificate on the backup first regardless of the approach taken.

I view that either choice the ultimate objective is to make sure there is single source of trust in which the root CA and the trusted chain certificate bundle are updated into the two systems and server/client certificate can authenticated during the AAA as well as 802.1X with the issued CA certificate and bundle chain trust available.

As most of the time, the single trust reference is based on primary system amd for ease of oversight for operational works, it is preferable to import form single systems as compared to have managed the two different system certiifcate separately. The chance of misconfiguration will be lesser especially when managing different certificate that has different CA issuance and expiry dates etc.

Eventually, it is more of whether the resource to make sure the synchronisation and update of certificate in the two system can be timely regardless the approach taken. The importing may seems more appropriate but you may need to make sure the hostname can be matched to the system in case of machine authentication otherwise there can be error as the certificate subject name does not match the hostname.

Good to consult the support and OPS team views too dealing woth this PKI - There should be a single enterprise CA that both system can based on instead of generating self signed certificate.

Some discussion on backup in this user forum. See
https://supportforums.cisco.com/discussion/11755336/acs-primary-and-secondary-scenario
0
 
LVL 1

Author Closing Comment

by:amigan_99
Comment Utility
Great info. Thank you.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Suggested Solutions

Tired of waiting for your show or movie to load?  Are buffering issues a constant problem with your internet connection?  Check this article out to see if these simple adjustments are the solution for you.
It’s 2016. Password authentication should be dead — or at least close to dying. But, unfortunately, it has not traversed Quagga stage yet. Using password authentication is like laundering hotel guest linens with a washboard — it’s Passé.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now