
ACS Queries

ymadheka (Level 4)

Hi Team,

One of our existing customers, running ACS 5.7.0.15, has come up with the queries below:

Query 1. We use HTTPS to access Cisco ACS in our infrastructure, which is running version 5.7.0.15. Is the certificate currently in use self-signed or from a third party? How can we use a certificate from an external CA for the same access? Also, the current certificate shows as expired; how do we renew it? Screenshot is attached.

Query 2. In our current configuration we use an external identity source, which is our Active Directory. Kindly let us know whether the authentication query between ACS and AD is encrypted or not. I believe it is an encrypted connection; I just want to confirm this with public-facing documentation.

Query 3. We have to configure a shared secret when adding any TACACS client to ACS. Kindly let us know how this shared secret is stored within ACS, whether encrypted or in clear text. I believe it is encrypted; I just want to confirm this with public-facing documentation.

Thanks in advance for any help.

1 Accepted Solution

Hi Yogesh,

Apologies for the delay.

The protocol between the router and ACS is either TACACS+ or RADIUS. With RADIUS you can use DTLS, and the TACACS+ protocol uses draft 1.78.

-Krishnan

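The accepted answer names TACACS+ and RADIUS as the protocols between the network device and ACS, and the thread asks whether that exchange is encrypted. As an added example that is not part of this thread and not Cisco code, the Python below implements the TACACS+ body obfuscation defined in RFC 8907 section 4.5: the packet body is XORed with an MD5-derived pseudo-pad keyed by the shared secret, session ID, version and sequence number. It ties Query 3 to the follow-up question: body confidentiality rests entirely on the shared secret, so its strength and its storage on the server matter, and RFC 8907 itself states the mechanism is obfuscation rather than strong encryption. It also parses the header flag that marks a body as sent in cleartext, which a monitoring tool can alert on. The shared secret, session ID, user, port and address are constructed sample values; RADIUS/DTLS is not covered here.

```python
"""TACACS+ body obfuscation (RFC 8907 section 4.5) as a worked example.

Constructed example, not Cisco ACS code. Header/body layout and the
pseudo-pad construction follow RFC 8907; all sample values are made up.
"""
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body is NOT obfuscated
TAC_PLUS_AUTHEN_LOGIN = 0x01       # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER_LEN = 12


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id || key || version || seq_no);
    MD5_n = MD5(session_id || key || version || seq_no || MD5_{n-1});
    pad = MD5_1 || MD5_2 || ... truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """Obfuscate or de-obfuscate: the XOR transform is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_header(version: int, ptype: int, seq_no: int, flags: int, session_id: int, body_len: int) -> bytes:
    return struct.pack("!BBBBII", version, ptype, seq_no, flags, session_id, body_len)


def parse_header(packet: bytes) -> dict:
    if len(packet) < HEADER_LEN:
        raise ValueError("short TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:HEADER_LEN])
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "length": length}


def build_authen_start_body(user: str, port: str, rem_addr: str, data: bytes = b"") -> bytes:
    """Authentication START body (RFC 8907 section 5.1), ASCII login."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    fixed = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_ASCII,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(data))
    return fixed + u + p + r + data


def encode_packet(key: bytes, session_id: int, seq_no: int, body: bytes, unencrypted: bool = False) -> bytes:
    """Header plus body; the body is obfuscated unless the cleartext flag is set."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    flags = TAC_PLUS_UNENCRYPTED_FLAG if unencrypted else 0
    header = build_header(version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    payload = body if unencrypted else xor_body(body, session_id, key, version, seq_no)
    return header + payload


def is_unencrypted(packet: bytes) -> bool:
    """True when the sender marked the body as cleartext: worth alerting on."""
    return bool(parse_header(packet)["flags"] & TAC_PLUS_UNENCRYPTED_FLAG)


def decode_body(key: bytes, packet: bytes) -> bytes:
    """Recover the body; only the holder of the shared secret gets the real one."""
    h = parse_header(packet)
    payload = packet[HEADER_LEN:HEADER_LEN + h["length"]]
    if len(payload) != h["length"]:
        raise ValueError("truncated TACACS+ body")
    if h["flags"] & TAC_PLUS_UNENCRYPTED_FLAG:
        return payload
    return xor_body(payload, h["session_id"], key, h["version"], h["seq_no"])


# Constructed sample values: made-up secret, RFC 5737 documentation address.
SHARED_SECRET = b"example-shared-secret"
SESSION_ID = 0x1234ABCD


def demo() -> dict:
    body = build_authen_start_body("alice", "tty0", "192.0.2.10")
    pkt = encode_packet(SHARED_SECRET, SESSION_ID, 1, body)
    return {
        "body_hidden": pkt[HEADER_LEN:] != body,                  # on the wire the body differs
        "round_trip": decode_body(SHARED_SECRET, pkt) == body,    # right secret recovers it
        "wrong_key": decode_body(b"other-secret", pkt) == body,   # wrong secret does not
        "unencrypted_flag": is_unencrypted(pkt),                  # flag clear: body obfuscated
    }


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `body_hidden` and `round_trip` as True and `wrong_key` and `unencrypted_flag` as False. The pad is a keyed MD5 stream with no per-packet randomness beyond the session ID and sequence number, which is the reason the accepted answer points to DTLS for RADIUS and to the TACACS+ draft work for transport protection.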

5 Replies

ymadheka (Level 4)

Hi Team,

Requesting advice and help here.

Hi Yogesh.

Query 1: You need to generate a certificate with the FQDN and DNS names of the ACS servers and use it across them.

If you have a primary server and multiple secondary servers, make sure the CA certificate is installed in the root/trusted store on all ACS servers so that primary-to-backup ACS communication works. Please watch the video:

LabMinutes# SEC0083 - Cisco ACS 5.4 Certificate Install - YouTube

Query 2 and Query 3:

We use a secure hash to encrypt the protocol keys. There is no public-facing document on this. I will reach out to the PM.

Did you talk to the customer about ACS EOL and migrating them to ISE? Long term, this is the best bet.

Thanks

Krishnan
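Krishnan's answer says to generate a certificate carrying the FQDN and DNS names of the ACS servers and to install the CA certificate on every node. As an added example that is not part of this thread and not a Cisco tool, the POSIX shell functions below use OpenSSL to build a CSR whose Subject Alternative Name lists each ACS node's FQDN (first name becomes the CN), check that a given name is present in the CSR, and test whether an existing certificate is self-signed or expired, which covers both halves of Query 1. Putting the DNS names in the SAN is my reading of "FQDN and DNS name"; the host names and organisation are constructed placeholders. The CSR is what goes to the external CA; the issued certificate and its CA chain are then imported into ACS.

```bash
#!/bin/sh
# Added example (not Cisco ACS code): CSR with multi-node SAN plus checks
# for the self-signed / expired states described in Query 1.
set -eu

acs_csr() {
  # $1 = output directory, remaining args = ACS FQDNs; the first becomes the CN.
  # Prints the CSR path. Key and CSR are written next to the config.
  out="$1"; shift
  cn="$1"
  sans=""
  for h in "$@"; do
    sans="${sans}${sans:+,}DNS:${h}"
  done
  mkdir -p "$out"
  cat > "$out/acs.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $cn
O = Example Org
[ext]
subjectAltName = $sans
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$out/acs.key" -out "$out/acs.csr" -config "$out/acs.cnf" >/dev/null 2>&1
  printf '%s\n' "$out/acs.csr"
}

csr_has_san() {
  # $1 = CSR path, $2 = FQDN; succeeds if the name is in the requested SAN.
  openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

cert_is_self_signed() {
  # $1 = PEM certificate; succeeds when issuer equals subject.
  [ "$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')" = \
    "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')" ]
}

cert_is_expired() {
  # $1 = PEM certificate; succeeds when notAfter is already in the past.
  if openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
    return 1
  fi
  return 0
}
```

Typical use: `acs_csr ./out acs-primary.example.test acs-secondary.example.test`, submit `out/acs.csr` to the CA, then run `cert_is_self_signed` and `cert_is_expired` against the certificate the ACS GUI currently serves to confirm the state the customer's screenshot shows before replacing it.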

Thanks Krishnan for the revert. One more query as below:

We need to understand whether the authentication query between networking devices (router/switch) and ACS is also encrypted or not.

Yes, the customer has already procured ISE and will be rolling out soon.

Hi Krishnan,

Regarding the above query: is a secure hash also used for the authentication query between networking devices (router/switch) and ACS?

Awaiting your inputs.

Thanks & Regards,

Yogesh Madhekar
