amigan_99
asked on
Cisco ACS 5.4: How to debug x.509 certificate authentication
Is there any way to debug certificate authentication on the Cisco ACS? I'm wanting to verify with certainty that one certificate is being used and not another when auth succeeds. But when I run the RADIUS report I don't see any mention of the certificate itself, although it notes X.509 authentication was used. Thank you.
Also is there a way to debug certificate auth on a Windows 7/10 system? Or on Mac?
ASKER
Thank you for the reply. Our use case is users attaching to WiFi using EAP-TLS. The company changed from using the root CA from one department to another. So clients have both certificates, or one, or none. Some people are having no problems attaching to the new SSID with EAP-TLS and others are having problems. It would help if there was some way I could see logging that involved some details about the certificates that are being offered and accepted/matched.
ASKER CERTIFIED SOLUTION
ASKER
The client connecting to WiFi requires a client cert issued from the same CA as the local cert installed on the Cisco ACS server.
OK, does that mean the system must be a member of the domain? Or does the user have to request and obtain a computer certificate to be installed in the computer certificate store?
Does the computer certificate store have the ca issued certificate available in the personal folder?
What is your normal/defined process to authorize a system to connect?
ASKER
Thank you much.
Your organization has an internal CA?
Try with a test user. Make sure their connection works, then suspend their certificate and see if they still are able to connect.
Look at the user certificate store (certicates.msc on Windows) and look at the user's personal certificates.
Have you had a chance to look at Cisco.com VPN using certificates? Debugging?