Cisco Cisco Aironet 350 Access Points 기술 매뉴얼
Click Next.
5.
Click Yes to the IIS message.
6.
Select a stand−alone (or Enterprise) root CA.
7.
Click Next.
8.
Name the CA.
Note: All the other boxes are optional.
Note: Do not use the same name for the CA as the ACS server, because this can cause the PEAP
clients to fail authentication. A root CA certificate with the same name as the server certificate
confuses the PEAP clients. This problem is not unique to Cisco clients. Of course, if you do not plan
to use PEAP, this does not apply.
clients to fail authentication. A root CA certificate with the same name as the server certificate
confuses the PEAP clients. This problem is not unique to Cisco clients. Of course, if you do not plan
to use PEAP, this does not apply.
9.
Click Next.
The database default is correct.
10.
Click Next.
IIS must be installed before you install the CA.
11.
Create a Server Certificate
Complete these steps:
Browse to the CA (http://IP_of_CA_server/certsrv/) from your ACS server.
1.
Check the Request a certificate box.
2.
Click Next.
3.
Select Advanced request.
4.
Click Next.
5.
Select Submit a certificate request to this CA using a form.
6.
Click Next.
7.
Type a name in the name (CN) box.
8.
Check the Server Authentication Certificate box for Intended Purpose.
Note: If you use the Enterprise CA, select Web Server on the first list.
9.
Select these options under Key Option to create a new template:
CSPMicrosoft Base Cryptographic Provider v1.0
♦
Key Size¡024
Note: Certificates created with a key size greater than 1024 can work for HTTPS but not for
PEAP.
PEAP.
Note: The Windows 2003 Enterprise CA allows key sizes greater than 1024, but a key larger
than 1024 does not work with PEAP. Authentication can appear to pass in ACS, but the client
just hangs at the authentication attempt.
than 1024 does not work with PEAP. Authentication can appear to pass in ACS, but the client
just hangs at the authentication attempt.
♦
Check the Mark Keys as Exportable option
Note: Microsoft has changed the Web Server template with the release of the Windows 2003
Enterprise CA. With this template change, you can no longer export keys, and the option is
greyed out. There are no other certificate templates supplied with certificate services that are
for server authentication, or that give the ability to mark keys as exportable. In order to create
a new template that does so, see the Create a New Certificate Template section.
Enterprise CA. With this template change, you can no longer export keys, and the option is
greyed out. There are no other certificate templates supplied with certificate services that are
for server authentication, or that give the ability to mark keys as exportable. In order to create
a new template that does so, see the Create a New Certificate Template section.
♦
Check the Use Local Machine Store option
♦
Note: Retain the default selections for all other options.
10.