Thanks Rob for the Welcome to PKI reply to "Is it true that

From: johngibson1541@yahoo.com
Date: Fri Dec 15 2006 - 03:34:31 ART


I knew you could derive certificates from a certificate.

So, for mutual authentication,

- 1 root certificate everywhere you administrate, so that the laptop or ACS
  doesn't have to have an IP connection to the root certifier to verify a
  certificate before it has an IP connection, or does anyone practice
  looking up the root on demand? Doesn't matter now.

- 1 certificate derived from the root certificate to identify ACS, stored in ACS,
  sent to the laptop to show this is the ACS touched by the common root certificate

- 1 certificate to identify the laptop, stored, and works the other way around.

Finally, everything starts to make sense now. I hope I can sleep better.

John

----------------------------------------------------------------------

Welcome to PKI.

OK, let's start at the beginning. I am assuming you have set up a
Certificate Authority (CA). This could be any box, including the same
machine that is running ACS. The CA has a public cert that needs to be
installed on EVERY machine (put into the trusted root CA store) that is
going to use a cert that was generated by your CA. This cert is the same
on every machine it is installed on. Now, that allows your machine to
trust machines (certificates) that were signed by that CA.

For you to authenticate to ACS, you need a cert that identifies you.
So you go to the CA, generate a certificate signing request, and the
CA generates you a cert. That cert is unique to you and it is what
your box uses to identify you. That cert only gets installed on your
machine. In addition, if you want to do machine authentication, you
need to generate a cert for your machine as well.

In addition, ACS needs a cert and it needs your CA's public cert
installed in its machine's trusted root CA store. This allows ACS to
authenticate the certs from the client that were assigned by your CA.

If you need more help, let me know. The most important thing is you
need to make sure you install the certs in the machine's trusted store,
not your user account's trusted store.

HTH

-Rob

> -------- Original Message --------
> Subject: Is it true that dot1x laptop's certificate is identical to
> ACS's certificate
> From: johngibson1541@yahoo.com
> Date: Thu, December 14, 2006 1:12 pm
> To: ccielab@groupstudy.com
>
> Appreciate any help.
>
> I am very demanding and starting to sound like a schoolgirl, I know.
> Someone helped me about ACS. I need more help.
>
> John
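
The setup Rob describes (one root CA, one cert for ACS, one cert per client, the CA's public cert in every machine's trusted root store), as an added example that is not part of this thread and not Cisco ACS or Windows code: a lab PKI built with Go's standard crypto/x509 package. The CA name, the ACS host name and the laptop name are hypothetical. The block issues the three certs, then runs the check each side performs on the cert its peer presents, including the two ways it fails: the root was never installed on the checking machine, and the presented cert was signed by some other CA. It also shows that a client cert cannot stand in for the ACS identity, because the extended key usage is part of what gets checked.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Results records whether each chain check passed (true = the peer's cert is accepted).
type Results struct {
	ACSTrusted     bool // laptop checks the ACS cert; the root is in the laptop's store
	LaptopTrusted  bool // ACS checks the laptop cert; the root is in ACS's store
	ACSNoRoot      bool // laptop checks the ACS cert but never installed the root
	RogueCA        bool // ACS checks a cert signed by some other CA
	LaptopAsServer bool // laptop's client cert offered as if it were the ACS identity
}

// check keeps the example short: key generation and signing only fail on a broken RNG.
func check(err error) { if err != nil { panic(err) } }

// newCA builds a self-signed root. Its certificate is the "public cert" installed in
// every machine's trusted root CA store; the private key stays on the CA box.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// issue is the CA answering a signing request: a cert unique to one identity, signed
// with the CA key. The EKU says whether it identifies a server (ACS) or a client.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, serial int64,
	eku x509.ExtKeyUsage) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// trusts is what each side does with the cert its peer presents: chain it to a root
// in the local trust store and confirm it is allowed for that role.
func trusts(store *x509.CertPool, cert *x509.Certificate, eku x509.ExtKeyUsage) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: store, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err == nil
}

// RunScenarios builds the lab PKI from the thread and runs the checks in Results.
func RunScenarios() Results {
	ca, caKey := newCA("lab-root-ca") // hypothetical names throughout
	acs := issue(ca, caKey, "acs.lab.example", 2, x509.ExtKeyUsageServerAuth)
	laptop := issue(ca, caKey, "laptop01.lab.example", 3, x509.ExtKeyUsageClientAuth)
	// A second, unrelated CA can sign a cert with the same subject name, but that
	// cert does not chain to the root that ACS trusts.
	rogueCA, rogueKey := newCA("someone-elses-ca")
	rogue := issue(rogueCA, rogueKey, "laptop01.lab.example", 3, x509.ExtKeyUsageClientAuth)

	withRoot := x509.NewCertPool() // machine store with the CA's public cert installed
	withRoot.AddCert(ca)
	noRoot := x509.NewCertPool() // machine where the root was never installed

	return Results{
		ACSTrusted:     trusts(withRoot, acs, x509.ExtKeyUsageServerAuth),
		LaptopTrusted:  trusts(withRoot, laptop, x509.ExtKeyUsageClientAuth),
		ACSNoRoot:      trusts(noRoot, acs, x509.ExtKeyUsageServerAuth),
		RogueCA:        trusts(withRoot, rogue, x509.ExtKeyUsageClientAuth),
		LaptopAsServer: trusts(withRoot, laptop, x509.ExtKeyUsageServerAuth),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenarios())
}
```

Run it with `go run`; the first two fields come back true and the last three false. The CertPool stands in for the machine's trust store, which is Rob's point about where to install the CA cert: on a Windows client that is the local computer's Trusted Root Certification Authorities store, not the user's, because the supplicant checks the ACS cert before anyone has logged on.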



This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:38 ART