https://community.cisco.com/t5/network-access-control/peap-with-certificate-validation/m-p/3007265#M22856 <P>Hi Guys,</P> <P>Good Day!</P> <P>Just want to ask this.</P> <P>I have 1 ACS1 in client A and 1 ACS2 in client B running via PEAP with certificate validation with different domain. These 2 ACS are independent from each other and they want to extend their authentication from client A to client B and vice versa using a single SSID.</P> <P>Now, I want to know in terms of certificate validation process of PEAP, do I need to import the ACS1 certificate to the trusted certificate store of the endpoints of client B and the ACS2 certificate to the trusted certificate store of the endpoints of client A so that they can authenticate from each other?</P> <P>ACS1 Server Cert = Trusted Cert of client B</P> <P>ACS2 Server Cert = Trusted Cert of client A</P> <P>Thanks for the feedback.</P> <P></P> Mon, 11 Mar 2019 07:42:54 GMT fatalXerror 2019-03-11T07:42:54Z https://community.cisco.com/t5/network-access-control/peap-with-certificate-validation/m-p/3007265#M22856 <P>Hi Guys,</P> <P>Good Day!</P> <P>Just want to ask this.</P> <P>I have 1 ACS1 in client A and 1 ACS2 in client B running via PEAP with certificate validation with different domain. These 2 ACS are independent from each other and they want to extend their authentication from client A to client B and vice versa using a single SSID.</P> <P>Now, I want to know in terms of certificate validation process of PEAP, do I need to import the ACS1 certificate to the trusted certificate store of the endpoints of client B and the ACS2 certificate to the trusted certificate store of the endpoints of client A so that they can authenticate from each other?</P> <P>ACS1 Server Cert = Trusted Cert of client B</P> <P>ACS2 Server Cert = Trusted Cert of client A</P> <P>Thanks for the feedback.</P> <P></P> Mon, 11 Mar 2019 07:42:54 GMT https://community.cisco.com/t5/network-access-control/peap-with-certificate-validation/m-p/3007265#M22856 fatalXerror 2019-03-11T07:42:54Z https://community.cisco.com/t5/network-access-control/peap-with-certificate-validation/m-p/3007266#M22858 <P>With EAP-PEAP authentication method the TLS connection build-up <EM>may</EM> contain a check on the client side that validates whether the <STRONG>Radius Server</STRONG> is trusted.&nbsp; Radius server does <STRONG>not care</STRONG> about the clients that connect to it!!!</P> <P>Therefore:</P> <P>on your client A you need to install ACS1 and ACS2 Root (and any other intermediary issuing certificate chain).&nbsp; This has to be the entire chain of CA's (from Root, down to the CA that issued the ACS cert)</P> <P>on your client&nbsp;B you need to install ACS1 and ACS2 Root (and any other intermediary issuing certificate chain).&nbsp; This has to be the entire chain of CA's (from Root, down to the CA that issued the ACS cert)</P> <P></P> <P>NB: you don't install the ACS server cert on the clients - only the CA certs that generated the ACS server cert.</P> <P></P> <P>If the clients are Windows, then you would install the CA certificate chain under Trusted Authorities.</P> <P>Also, just as a workaround/test you can configure your clients to ignore the Server Validation (under the 802.1x supplicant settings)</P> Wed, 17 May 2017 01:37:08 GMT https://community.cisco.com/t5/network-access-control/peap-with-certificate-validation/m-p/3007266#M22858 Arne Bier 2017-05-17T01:37:08Z