I'm working with a customer who wants to run PEAP using MS-CHAPv2. They are using the Windows XP supplicant.
With prior versions of ACS (3.x, 4.x), I generated a self-signed cert on the ACS server itself and imported it onto the Windows machine.
Is this concept still valid with ACS 5.1? (My customer opened a TAC case and the engineer said that the cert must be from an external certificate authority.)
I'm looking at a self-signed cert from an ACS 5.1 box and it meets the version, EKU and server authentication criteria set out in the "EAP-TLS Deployment Guide for Wireless LAN Networks" document under section 5.2.2. The server-side cert is the same for both PEAP and EAP-TLS.
As long as the client isn't validating the server certificate, that should be fine. I don't have an XP client to test with or I'd say more definitively.
Network Management Systems Team
Thanks for your response, Rollin.
I could validate the self-signed cert if I exported it from the ACS and imported it into my Windows XP desktop. Correct? Thanks.
Yes, it's my understanding that's how it's supposed to work. In order to do validation, the client has to have something to validate against.
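The two points raised in this thread (does a self-signed server cert carry the X.509 version and Server Authentication EKU the deployment guide asks for, and why does the supplicant need the cert imported before it can validate the server) can be checked from the command line with OpenSSL. The script below is an added example, not from the thread, from Cisco, or from an ACS box: it generates a self-signed server certificate with the same shape (v3, EKU = serverAuth), inspects it, and then runs the validation step once without any trust anchor and once with the certificate itself as the anchor. The hostname, file names and the use of the `openssl` CLI are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco ACS). Builds a self-signed
# RADIUS/EAP server certificate that has the properties discussed above
# (X.509 v3, Extended Key Usage = TLS Web Server Authentication), checks them,
# and shows that a client can only validate the certificate once it has been
# imported as a trust anchor. Hostname and paths are hypothetical; the
# openssl command-line tool is assumed to be installed.
set -e

WORK="${WORK:-$(mktemp -d)}"
SERVER_CN="${SERVER_CN:-acs.example.test}"   # hypothetical ACS hostname

# Generate a self-signed v3 certificate carrying a serverAuth EKU, the way an
# ACS-style self-signed server certificate would.
make_server_cert() {
    cat > "$WORK/server.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_server
prompt = no
[dn]
CN = $SERVER_CN
[v3_server]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/server.key" -out "$WORK/server.pem" \
        -config "$WORK/server.cnf" >/dev/null 2>&1
}

# Check the two criteria from the deployment guide that the thread mentions:
# X.509 version 3 and an Extended Key Usage that includes TLS Web Server
# Authentication. Prints "ok" and returns 0 only when both hold.
check_server_cert() {
    text=$(openssl x509 -in "$1" -noout -text)
    printf '%s\n' "$text" | grep -q 'Version: 3' || return 1
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' || return 1
    echo ok
}

# Emulate the supplicant's "validate server certificate" step when the cert
# was never imported on the client: only the system trust store is consulted,
# it does not contain this self-signed cert, so validation fails.
verify_without_anchor() {
    if openssl verify "$1" >/dev/null 2>&1; then
        echo "unexpectedly trusted"
        return 1
    fi
    echo "untrusted"
}

# The same step after the exported ACS certificate has been imported as a
# trust anchor: a self-signed certificate is its own issuer, so the chain
# terminates at the imported anchor and validation succeeds.
verify_with_anchor() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1 && echo "trusted"
}

make_server_cert
check_server_cert "$WORK/server.pem"
verify_without_anchor "$WORK/server.pem"
verify_with_anchor "$WORK/server.pem"
```

Running the script prints `ok`, `untrusted`, `trusted` in that order. The "untrusted" result is the state of a supplicant that validates the server certificate without having the cert imported; the "trusted" result is the state after importing the exported cert, which is the step described in the last two posts. For a cert issued by an external CA the same `-CAfile` check would be run against that CA's certificate instead of the server cert itself.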