06-19-2013 08:10 AM - edited 07-04-2021 12:15 AM
Hello
We have a wireless network which is secured with WPA2-Enterprise with PEAP and MS-CHAPv2. The Radius servers (Windows Server 2008r2 with the Radius Feature installed) currently use a public signed certificate. This is about to expire soon and will need to be renewed.
The clients are non-managed and of every variety (OS, Wi-Fi software, ...).
The Wifi is 4400 controller based and managed with the new Prime Infrastructure 1.3.
What is the best way to do the renewal with as little disturbance for the client as possible? The less manual interaction for the end user the better.
Thanks
Patrick
06-19-2013 08:14 AM
Not PEAP, EAP-TLS?
06-19-2013 08:16 AM
No, it is PEAP. They authenticate with username+password.
06-19-2013 08:16 AM
Just upload the new cert to the radius server and point the policy to use that new certificate. Maybe perform this in the evening.
Thanks,
Scott
Help out other by using the rating system and marking answered questions as "Answered"
06-19-2013 08:19 AM
I wonder if the user will get a prompt to confirm this. The radius server won't change though.
I sadly can't really test this
06-19-2013 08:20 AM
If you are validating the server certificate but you still are using the same root ca, then you are fine.
Thanks,
Scott
Help out other by using the rating system and marking answered questions as "Answered"
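One way to check the condition in the reply above before pointing the policy at the renewed certificate, as an added example that is not part of the thread: it verifies that the new certificate chains to the root the clients already trust and that its subject is unchanged. It assumes the openssl CLI; the function names, file names, host names and the throwaway demo PKI are all constructed for illustration.

```shell
# Added example, not from the thread. Needs the openssl CLI (1.1.0 or later).
# check_renewal ROOT OLD NEW [CHAIN]
#   ROOT: root CA the clients already trust   OLD: certificate in use today
#   NEW: renewed certificate   CHAIN: optional intermediates the server sends
check_renewal() {
    rc=0
    # -no-CApath keeps the system trust store out, so only ROOT can anchor.
    if ! openssl verify -no-CApath -CAfile "$1" ${4:+-untrusted "$4"} "$3" \
            >/dev/null 2>&1; then
        echo "FAIL: renewed certificate does not chain to the current root"
        rc=1
    fi
    # Supplicants set to check the server name match it against the subject.
    old_subj=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253)
    new_subj=$(openssl x509 -in "$3" -noout -subject -nameopt RFC2253)
    if [ "$old_subj" != "$new_subj" ]; then
        echo "FAIL: subject changed ($old_subj -> $new_subj)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: same root, same subject"
    return "$rc"
}

# issue DIR NAME CA_LETTER CN: constructed throwaway leaf signed by root<CA_LETTER>
issue() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$4" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/root$3.pem" -CAkey "$1/root$3.key" \
        -CAcreateserial -days 30 -out "$1/$2.pem" 2>/dev/null
}

# make_demo_pki DIR: constructed test data only (two roots, four leaves)
make_demo_pki() {
    for ca in A B; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root $ca" \
            -keyout "$1/root$ca.key" -out "$1/root$ca.pem" 2>/dev/null
    done
    issue "$1" old       A radius.example.test
    issue "$1" renewed   A radius.example.test
    issue "$1" otherroot B radius.example.test
    issue "$1" renamed   A radius2.example.test
}

demo=$(mktemp -d) && make_demo_pki "$demo"
check_renewal "$demo/rootA.pem" "$demo/old.pem" "$demo/renewed.pem"
check_renewal "$demo/rootA.pem" "$demo/old.pem" "$demo/otherroot.pem" || true
rm -rf "$demo"
```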
06-19-2013 02:16 PM
Hello Patrick,
As per your query, I can suggest the following steps:
Since the root CA is the most critical CA in the hierarchy, you may prefer to have a strategy here that reduces the need to renew the root certificate often.
The first consideration is choosing the key length of the root's public key and private key pair during setup of the root authority. By using a long key length, which is generally more secure against brute force attack than a shorter key length, you increase the length of time that the CA can use the same private key and have reasonable confidence that it has not been compromised. The second consideration is establishing the validity period of the root certificate itself. In general, you will want to create a root certificate that has a shorter validity period than the estimated lifetime of the key.
For more information you can refer to the link-
http://technet.microsoft.com/en-us/library/cc740209(v=ws.10).aspx
Hope this will help you.
06-19-2013 02:24 PM
Abhishek,
What are you talking about here? Your recommendations have nothing to do with what the OP is asking. Please explain....
Sent from Cisco Technical Support iPhone App