IBM Tivoli and Cisco User Manual page 209

Building a Network Access Control Solution with IBM Tivoli and Cisco Systems

Note: The following section is an excerpt from the Administrator Guide for
Cisco Trust Agent 2.0, which is available at (requires CCO login):
http://www.cisco.com/en/US/partner/products/ps5923/products_maintenance_guide_book09186a008059a40e.html

For Cisco Secure ACS to establish a secure PEAP session with Cisco Trust
Agent, you must install the root certificate for the Cisco Secure ACS certificate
on the network client. This certificate is either the CA certificate that is used to
validate the server certificate, or a self-signed certificate generated by the
Cisco Secure ACS server. Cisco Trust Agent supports PEM-wrapped Base-64
or DER-encoded binary X.509 certificates.

The installation of the certificate that is required for secure communication with
the Cisco Secure ACS can be performed during the installation of the Cisco Trust
Agent or later using the ctaCert.exe utility.

To have the certificate installed during the Cisco Trust Agent setup, create a
Certs directory in the directory where the setup executable is located and put the
certificate file into this directory (Figure 6-61). The certificate is picked up
automatically by the setup process.

Figure 6-61 Certs directory with CTA

Which certificate to use depends on the Cisco Secure ACS infrastructure in the
network. If the Cisco Secure ACS is using Certificate Authority (CA) signed
certificates, you have to use the root CA certificate. If the Cisco Secure ACS is
using a self-signed certificate, you have to extract and use this certificate.

Important: If there is more than one Cisco Secure ACS in the environment, all
of the respective certificates should be installed along with the Cisco Trust
Agent.

The procedure for extracting the Cisco Secure ACS certificate is described in
7.1.1, "Configuring the Cisco Secure ACS for NAC L2 802.1x" on page 214.
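
A pre-staging check for the Certs directory described above, as an added example that is not part of the Cisco or IBM guide: it accepts PEM-wrapped Base-64 or DER files and flags any certificate whose issuer differs from its subject, since both a root CA certificate and a self-signed ACS certificate are self-issued. The function names are hypothetical, and the name comparison does not verify the signature.

```python
# Added example; function names are illustrative and not part of Cisco Trust Agent.
import base64, hashlib, re
from pathlib import Path
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def inspect_cert(data):
    """Accept PEM or raw DER bytes; return SHA-256 fingerprint and issuer == subject."""
    m = PEM_RE.search(data)
    der = base64.b64decode(m.group(1)) if m else data
    tag, pos, end = read_tlv(der, 0)          # Certificate ::= SEQUENCE
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, pos, tbs_end = read_tlv(der, pos)    # TBSCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("missing TBSCertificate")
    fields = []
    while pos < tbs_end and len(fields) < 6:
        tag, _, nxt = read_tlv(der, pos)
        fields.append((tag, der[pos:nxt]))
        pos = nxt
    if fields and fields[0][0] == 0xA0:       # optional [0] version field
        fields.pop(0)
    if len(fields) < 5:
        raise ValueError("TBSCertificate too short")
    # Remaining order: serialNumber, signature, issuer, validity, subject
    return {"sha256": hashlib.sha256(der).hexdigest(),
            "self_issued": fields[2][1] == fields[4][1]}

def check_certs_dir(certs_dir):
    """Map each file in the staged Certs directory to a verdict string."""
    report = {}
    for path in sorted(p for p in Path(certs_dir).iterdir() if p.is_file()):
        try:
            info = inspect_cert(path.read_bytes())
            flag = "OK" if info["self_issued"] else "WARN issuer != subject"
            report[path.name] = f"{flag} sha256={info['sha256']}"
        except (ValueError, IndexError) as exc:
            report[path.name] = f"REJECT not PEM/DER X.509: {exc}"
    return report
```

Compare each reported sha256 value with the fingerprint of the certificate exported from the Cisco Secure ACS server before packaging the installer.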
Chapter 6. Compliance subsystem implementation
191
