05-14-2007 09:52 AM - edited 03-10-2019 03:09 PM
Hi,
I'm implementing ACS 4.0 to provide PEAP security on a customer's WLAN. I'd like to use the self-signed certificate feature within ACS, because it's easy to use and I don't want to 'play' with the customer's servers to install a CA unless I really have to (deniability!!).
My question is, how do I get the XP Clients to trust the certificate installed on the ACS when the 'Authenticate Server' option is enabled on the PEAP client?
Due to the range of client adapters on the network and the only common factor being that they all run XP SP2, I plan to use the 'wireless zero configuration' option on those clients.
I presume I have to tick the relevant CA box on the client trust list, but how do I get the cert to appear in that trust list?
Regards all,
Dan
05-14-2007 11:34 AM
Dan,
When using PEAP there is no need to have the client trust the (server) ACS certificate.
On XP, please do not enable "Validate server certificate".
Regards,
05-15-2007 01:36 AM
Thanks for your reply,
I need to validate the server certificate to strengthen against 'man-in-the-middle' attacks. But I'm struggling to figure out how to trust the SSC from the ACS.
There must be a way of adding that CA to the clients' certificate trust list?
This network will be the subject of a Pen test when it's finished and I need to make it as secure as possible.
I know EAP-TLS is stronger, but certificates on all the clients are too cumbersome to manage (customer's point of view).
At least using this method (if implemented properly), the customer only has to maintain the server cert every year.
Regards,
Dan
05-15-2007 12:32 PM
This is the price you pay for dealing with self-signed certs. There's no guarantee they'll be trusted. Self-signed certs are not typically recommended for a production deployment.
Hope this helps,
05-28-2007 12:52 AM
Hi Dan,
You need to copy out the root certificate and install it on the client. You should have a copy when you generate the self-signed cert on the ACS. There are two ways to install the cert on the client. You could copy the cert onto a thumb drive and install it manually on all the machines, or use auto-enrollment via GPO.
Cheers,
Phoon
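The manual install path Phoon describes, as an added example that is not part of the thread (and not Cisco ACS code): a PowerShell script that pins the exported ACS certificate to a fingerprint obtained out of band, checks it is actually self-signed and unexpired, imports it into the machine-wide Trusted Root store, and then confirms a chain builds. The path C:\Deploy\acs-root.cer and the thumbprint value are placeholders; in practice the thumbprint is read off the ACS console or a known-good copy, not off the file being installed.

```powershell
# Added example (not from the thread): trust the ACS self-signed server cert on a
# Windows client so 'Validate server certificate' can be left enabled in the PEAP profile.
# Assumed/hypothetical values: the .cer exported from ACS sits at C:\Deploy\acs-root.cer
# and $ExpectedThumbprint is the SHA-1 fingerprint obtained out of band.
# Run from an elevated shell; LocalMachine\Root is writable only by administrators.
param(
    [string]$CertPath = 'C:\Deploy\acs-root.cer',
    [string]$ExpectedThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'  # placeholder
)

$ErrorActionPreference = 'Stop'

# Load the DER or Base64 .cer file exported from the ACS.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# 1. Pin the fingerprint. A cert that travelled over the network or on a thumb drive
#    could have been swapped, so compare it with the value obtained out of band.
if ($cert.Thumbprint -ne $ExpectedThumbprint.ToUpper()) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $ExpectedThumbprint"
}

# 2. Sanity checks. A self-signed cert has Issuer equal to Subject; if they differ this is
#    a CA-issued server cert and the CA's root is what belongs in the trust list instead.
#    The Subject CN is also what the XP PEAP profile matches under 'Connect to these servers'.
if ($cert.Issuer -ne $cert.Subject) {
    throw "Not self-signed: Issuer '$($cert.Issuer)' differs from Subject '$($cert.Subject)'"
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter); export the renewed one from the ACS"
}
Write-Host "Subject : $($cert.Subject)"
Write-Host "Expires : $($cert.NotAfter)"

# 3. Import into the machine-wide Trusted Root Certification Authorities store, so every
#    user on the box (and the machine account, for computer authentication) trusts it.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open('ReadWrite')
try {
    $present = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false)
    if ($present.Count -eq 0) {
        $store.Add($cert)
        Write-Host "Imported $($cert.Thumbprint) into LocalMachine\Root"
    } else {
        Write-Host "Already present in LocalMachine\Root"
    }
} finally {
    $store.Close()
}

# 4. Verify that a chain now builds to a trusted root. A self-signed root publishes no CRL,
#    so revocation checking is switched off for this check.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    throw "Chain does not validate after import: $status"
}
Write-Host "Chain builds: enable 'Validate server certificate' and tick this root in the PEAP profile"
```

Because the ACS self-signed cert is both the server cert and the trust anchor, every yearly renewal produces a new thumbprint that has to be pushed to every client before the old one expires; rolling it out through the same GPO or script ahead of expiry avoids a fleet-wide authentication outage.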
05-28-2007 01:21 AM
Thanks Phoon,
I'd just kind of reached the same conclusion. Can you use USB thumb drives on the MCS appliance?
Good idea with the GPO. I think that's the best way to go, should save hours of work going round the clients manually. I was planning to use this method for configuring the client wireless settings also.
There's a good article on Tech Republic about this (ignore the slagging that ACS gets!), Just do a search for 'Configure PEAP Cisco'.
I'll let you know how I get on and rate accordingly.
Thanks for your help.
Dan
05-28-2007 06:24 AM
Hi Dan,
If your box doesn't support USB, I'm sure you can copy out the cert using other methods. I'm not familiar with the MCS appliance, but I'd think it should be the same as far as the interface is concerned.
Good luck!
Cheers,
Phoon