488 Views | 0 Helpful | 1 Replies

PEAP with Certificate Validation

fatalXerror
Level 5

Hi Guys,

Good Day!

Just want to ask this.

I have 1 ACS (ACS1) in client A and 1 ACS (ACS2) in client B, running PEAP with certificate validation, each on a different domain. These 2 ACSs are independent of each other, and they want to extend their authentication from client A to client B and vice versa using a single SSID.

Now, in terms of the certificate validation process of PEAP, I want to know: do I need to import the ACS1 certificate into the trusted certificate store of the endpoints of client B, and the ACS2 certificate into the trusted certificate store of the endpoints of client A, so that they can authenticate with each other?

ACS1 Server Cert = Trusted Cert of client B

ACS2 Server Cert = Trusted Cert of client A

Thanks for the feedback.

1 Reply

Arne Bier
VIP

With the EAP-PEAP authentication method, the TLS connection build-up may contain a check on the client side that validates whether the RADIUS server is trusted. The RADIUS server does not care about the clients that connect to it!!!

Therefore:

On your client A you need to install the ACS1 and ACS2 Root (and any other intermediate issuing certificates in the chain). This has to be the entire chain of CAs (from the Root down to the CA that issued the ACS cert).

On your client B you need to install the ACS1 and ACS2 Root (and any other intermediate issuing certificates in the chain). This has to be the entire chain of CAs (from the Root down to the CA that issued the ACS cert).

NB: you don't install the ACS server cert on the clients - only the CA certs that generated the ACS server cert.

If the clients are Windows, then you would install the CA certificate chain under Trusted Authorities.

Also, just as a workaround/test, you can configure your clients to ignore the Server Validation (under the 802.1X supplicant settings).
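As an added example that is not part of this thread's replies, the chain check described above modelled with the openssl CLI: two constructed CA hierarchies stand in for the ACS1 and ACS2 domains, the client store first holds only its own Root CA and is then extended with both roots, and the issuing-CA certs are passed the way a RADIUS server presents them in the TLS handshake. All names, CNs and file names are constructed for the demo; it needs openssl 1.1.1 or later.

```shell
# Constructed demo, not from the thread: two independent RADIUS server chains
# (acs1, acs2), each Root CA -> Issuing CA -> server cert, plus the chain check
# a PEAP supplicant performs against its trusted-CA store. Needs openssl >= 1.1.1.
set -e
WORK="$(mktemp -d)"; cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > srv.ext

# make_chain NAME: writes NAME-root.pem, NAME-issuing.pem and NAME-server.pem
make_chain() {
  n="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$n Root CA" \
    -keyout "$n-root.key" -out "$n-root.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$n Issuing CA" \
    -keyout "$n-issuing.key" -out "$n-issuing.csr" >/dev/null 2>&1
  openssl x509 -req -days 3650 -in "$n-issuing.csr" -CA "$n-root.pem" \
    -CAkey "$n-root.key" -CAcreateserial -extfile ca.ext \
    -out "$n-issuing.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$n.radius.example" \
    -keyout "$n-server.key" -out "$n-server.csr" >/dev/null 2>&1
  openssl x509 -req -days 825 -in "$n-server.csr" -CA "$n-issuing.pem" \
    -CAkey "$n-issuing.key" -CAcreateserial -extfile srv.ext \
    -out "$n-server.pem" >/dev/null 2>&1
}
# supplicant_accepts TRUST_STORE SERVER_CERT [PRESENTED_INTERMEDIATES]
# Exit 0 when SERVER_CERT chains up to a CA in TRUST_STORE. The third file models
# the issuing-CA cert(s) the RADIUS server sends in the TLS handshake: they are
# chain candidates only and are never trusted by themselves.
supplicant_accepts() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}
make_chain acs1
make_chain acs2
cat acs1-issuing.pem acs2-issuing.pem > presented-by-servers.pem

# Client A trusts only its own Root CA: ACS1 validates, ACS2 is rejected.
cp acs1-root.pem clientA-store.pem
supplicant_accepts clientA-store.pem acs1-server.pem presented-by-servers.pem && echo "ACS1 accepted"
supplicant_accepts clientA-store.pem acs2-server.pem presented-by-servers.pem || echo "ACS2 rejected"

# With both Root CAs installed (the server certs themselves stay out) both validate.
cat acs1-root.pem acs2-root.pem > clientA-store.pem
supplicant_accepts clientA-store.pem acs2-server.pem presented-by-servers.pem && echo "ACS2 accepted"

# If no issuing CA is available at all, the chain is incomplete and validation fails.
supplicant_accepts clientA-store.pem acs2-server.pem || echo "ACS2 rejected: chain incomplete"
```

The last check is the case the reply warns about: a Root CA alone is not enough when the issuing CA is neither installed on the client nor presented by the server.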