Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
459
Views
0
Helpful
3
Replies

ACS 5.2 Self Signed Certificate no need for client

p.pegouret
Level 1
Level 1

‎07-19-2013 02:49 AM - edited ‎07-04-2021 12:28 AM

Hello,

Our ACS (5.2) has self signed certificate, but i don' t need to  export it in the customers. They connect without certificat . Is this normal.

customers also work with certificate.

I have ACS 5.2

WLC 7.0

and AD

Thanks for your help

regards

Labels:
0 Helpful
3 Replies 3

Jatin Katyal
Cisco Employee
Cisco Employee

‎07-19-2013 04:43 AM

If you're using PEAP MSCHAPv2 for wireless authentication with ACS configured for self-signed certificate. The users can connect without certificate because they are not validating the server certificate. This is normal but not a secure method. If you want them to validate the server certificate. If you have two options:

1.] Export the self signed certificate from ACS and install it on all the clients.

2.] Get the third-party CA certificates and install the root cert on all the clients.

In both the options, you've to check validate server certificate option on the client under Wirless 802.1x properties.

I'm providing few configuration examples for the same. You may go through it to have better understanding.

PEAP under Unified Wireless Networks with ACS 5.1 and Windows 2003 Server

http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml

Install Certificate on the Cisco Secure ACS Appliance for PEAP Clients

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080545a29.shtml

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
0 Helpful

p.pegouret
Level 1
Level 1
In response to Jatin Katyal

‎07-19-2013 05:56 AM

It"s OK,

but if someone come with it's own computer, he can connect to wireless, if he know a login/password.

I thought the certificate would be to install an additional security.

Thank you for you request, and sorry for my poor english.

Regards

0 Helpful

Jatin Katyal
Cisco Employee
Cisco Employee
In response to p.pegouret

‎07-19-2013 07:57 AM

In order to prevent that you've 2 options

1.] Enable Peap with MAR- Machine access restriction (Machine and user authentication)

2.] Enable EAP-TLS where everyone should have unique user certificate.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card