About PEAP, need to install certificates?

We are designing AP - WLC - ISE - AD SERVER.

We plan to use PEAP MSCHAP-V2.

I have a few questions.

1. Does the client need to set the wireless adapter's profile?
ex) 802.1X user or computer authentication, WPA2 ENTERPRISE

2. Do I need to install a CA certificate on ISE even if I use PEAP and not TLS? As far as I know, it connects without installing a certificate. What if I don't install it??

2-1. If I need to install a certificate, do I need to distribute the certificate from AD SERVER? Or do I need to install a public certificate? What's the difference between the two?

Accepted Solution

@JustTakeTheFirstStep

1. Yes the supplicant on the wireless adapter needs to be configured for authentication and to use MSCHAPv2. Example.

2. Using PEAP/MSCHAPv2, only ISE needs an EAP certificate; this certificate is validated by the client computers. Therefore the client devices should trust this certificate. Usually this EAP certificate on ISE is signed by an internal CA, but it could be signed by a public CA.

3. If the client computers are joined to AD and you have an internal CA that signs the EAP certificate used by ISE, then the client computers would already have the internal root CA certificate. If you used a public CA to sign the EAP certificate on ISE, and if you use one of the major CAs, then the client computers will likely already have this root CA certificate in their computer certificate store.


4 Replies


Do I need to install the certificate on the PC that connects wirelessly?
As far as I know, the PC can connect to the SSID without installing a certificate.


I remember that I disabled "validate server certificate".
My memory may not be accurate.

@JustTakeTheFirstStep the PCs should have the CA certificate installed, of the CA that issued the EAP certificate used by ISE.

You can get away with not trusting the certificate (untick "validate server certificate"), that would not be considered secure though.
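As an added example (not code from the thread or from Cisco), the following PowerShell audit exports the saved Wi-Fi profiles on a Windows PC and reports PEAP profiles where "validate server certificate" is unticked, no trusted root CA is pinned, or no expected server name is set. The scratch folder name is arbitrary, and a profile with no PerformServerValidation element is assumed to be not validating.

```powershell
# Added example, not from the thread: audit saved WLAN profiles for the weak
# PEAP setting discussed above. Assumes Windows 10/11 with netsh available.

function Get-FirstText {
    # Text of the first element with this tag name anywhere in the document, or $null.
    param([xml]$Doc, [string]$Tag)
    $node = $Doc.GetElementsByTagName($Tag) | Select-Object -First 1
    if ($node) { return $node.InnerText } else { return $null }
}

function Test-PeapProfile {
    # Returns Name + Issues for one exported profile XML; $null for non-PEAP profiles.
    param([string]$Path)
    [xml]$p = Get-Content -Path $Path -Raw
    $types = @($p.GetElementsByTagName('Type') | ForEach-Object { $_.InnerText })
    if ($types -notcontains '25') { return $null }   # EAP type 25 = PEAP; skip PSK etc.

    $issues = @()
    # PerformServerValidation mirrors the "Validate server certificate" checkbox.
    # Assumption: a missing element is treated as not validating (safe side).
    if ((Get-FirstText $p 'PerformServerValidation') -ne 'true') {
        $issues += 'server certificate validation disabled'
    }
    # Without a pinned root CA or expected server name, any cert from any CA is accepted.
    if (-not (Get-FirstText $p 'TrustedRootCA')) { $issues += 'no trusted root CA pinned' }
    if (-not (Get-FirstText $p 'ServerNames'))   { $issues += 'no expected server name set' }

    [pscustomobject]@{ Name = $p.WLANProfile.name; Issues = $issues }
}

# Export every saved profile to a scratch folder (assumed path), then check each one.
$out = Join-Path $env:TEMP 'wlan-audit'
New-Item -ItemType Directory -Force -Path $out | Out-Null
netsh wlan export profile folder="$out" | Out-Null

foreach ($f in Get-ChildItem -Path $out -Filter '*.xml') {
    $r = Test-PeapProfile -Path $f.FullName
    if (-not $r) { continue }
    $status = if ($r.Issues.Count) { 'WEAK: ' + ($r.Issues -join '; ') } else { 'OK' }
    '{0,-30} {1}' -f $r.Name, $status
}
```

A profile reported as WEAK will connect to any RADIUS server presenting any certificate, which is why the connection "just works" without a CA certificate on the PC.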


I have completed a wireless deployment in my office and I am using MSCHAPv2 to connect to the wireless.

No warning messages popped up on the PC.

Neither the PC nor the ISE required a certificate to be installed.

Why do I need to install a certificate when there is no problem with not installing it?