02-05-2023 04:05 AM - edited 02-05-2023 04:07 AM
We are designing AP - WLC - ISE - AD SERVER.
We plan to use PEAP MSCHAP-V2.
I have a few questions.
1. Does the client need to set the wireless adapter's profile?
ex) 802.1X user or computer authentication, WPA2 ENTERPRISE
2. Do I need to install a CA certificate on ISE even if I use PEAP and not TLS? As far as I know, it connects without installing a certificate. What if I don't install it?
2-1. If I need to install a certificate, do I need to distribute the certificate from AD SERVER? Or do I need to install a public certificate? What's the difference between the two?
02-05-2023 04:50 AM
1. Yes the supplicant on the wireless adapter needs to be configured for authentication and to use MSCHAPv2. Example.
2. Using PEAP/MSCHAPv2, only ISE needs an EAP certificate; this certificate is validated by the client computers. Therefore the client devices should trust this certificate. Usually this EAP certificate on ISE is signed by an internal CA, but it could be signed by a public CA.
3. If the client computers are joined to AD and you have an internal CA that signs the EAP certificate used by ISE, then the client computers would already have the internal root CA certificate. If you used a public CA to sign the EAP certificate on ISE, and if you use one of the major CAs, then the client computers will likely already have this root CA certificate in their computer certificate store.
02-05-2023 08:13 AM - edited 02-05-2023 08:40 AM
Do I need to install the certificate on the PC that connects wirelessly?
As far as I know, the PC can connect to the SSID without installing a certificate.
I remember that I disabled "validate server certificate".
My memory may not be accurate.
02-05-2023 08:26 AM - edited 02-06-2023 01:29 AM
@JustTakeTheFirstStep the PCs should have the CA certificate installed, of the CA that issued the EAP certificate used by ISE.
You can get away with not trusting the certificate (untick "validate server certificate"), that would not be considered secure though.
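The "validate server certificate" setting discussed above can be audited on Windows clients from an exported WLAN profile. The following is an added example, not part of any post in this thread: it assumes the PEAP element names used in profiles written by `netsh wlan export profile` (`PerformServerValidation`, `TrustedRootCA`, `ServerNames`), and the sample profile, thumbprint and server name are constructed.

```python
import xml.etree.ElementTree as ET

def local(tag):
    return tag.rsplit("}", 1)[-1]          # drop the XML namespace prefix

def find_all(root, name):
    return [e for e in root.iter() if local(e.tag) == name]

def audit_peap_profile(xml_text):
    """Return findings for one exported WLAN profile; an empty list means OK."""
    root = ET.fromstring(xml_text)
    if not any((e.text or "").strip() == "25" for e in find_all(root, "Type")):
        return ["profile does not use PEAP (EAP type 25); not assessed"]
    findings = []
    perform = find_all(root, "PerformServerValidation")
    if any((e.text or "").strip().lower() == "false" for e in perform):
        findings.append("server certificate validation is disabled")
    if not any((e.text or "").strip() for e in find_all(root, "TrustedRootCA")):
        findings.append("no trusted root CA selected")
    if not any((e.text or "").strip() for e in find_all(root, "ServerNames")):
        findings.append("no RADIUS server name pinned")
    return findings

def sample_profile(validate, root_ca="", server_names=""):
    # Constructed sample, trimmed to the EAP part of an exported profile.
    return f"""<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
 <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
  <Type>25</Type>
  <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
   <ServerValidation>
    <ServerNames>{server_names}</ServerNames>
    <TrustedRootCA>{root_ca}</TrustedRootCA>
   </ServerValidation>
   <Eap><Type>26</Type></Eap>
   <PeapExtensions>
    <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">{validate}</PerformServerValidation>
   </PeapExtensions>
  </EapType>
 </Eap></Config>
</EapHostConfig>"""

if __name__ == "__main__":
    weak = sample_profile("false")
    hardened = sample_profile("true", "aa bb cc dd", "ise.example.internal")
    print("weak:", audit_peap_profile(weak))
    print("hardened:", audit_peap_profile(hardened))
```

A profile with validation switched off still connects without any prompt, which is why the audit reads the configuration rather than relying on the absence of warnings.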
02-25-2023 08:15 AM
I have completed a wireless deployment in my office and I am using MSCHAPv2 to connect to the wireless.
No warning messages popped up on the PC.
Neither the PC nor the ISE required a certificate to be installed.
Why do I need to install a certificate when there is no problem with not installing it?