01-28-2013 09:27 AM - edited 07-03-2021 11:26 PM
In order to authenticate wireless users with EAP-TLS or PEAP-MSCHAPv2, what key length and digest should I select to sign with? Should the 2048 and SHA256 combination work?
01-28-2013 09:36 AM
I've only used Key Length=2048, Digest=SHA1, but you can always give that a try. It should work with Windows 7. I know that with XP you needed SP3 to use SHA256.
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
01-28-2013 09:46 AM
Scott,
Thanks for the reply. Do I need to install the Intermediate CA certs along with the Root CA into "Certificate Authorities" in ACS 5.3?
01-28-2013 09:52 AM
You just need to bind the certificate when you get it.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/admin_config.html#wp1070939
01-28-2013 09:57 AM
How about the Root CA and any Intermediate CAs in the certification path? Don't I need to import these into the Certificate Authorities as well?
01-28-2013 10:02 AM
In ACS 4.2 you had to, I don't recall on ACS 5.x. Your services need to have that though. I would have to look at my lab ACS. It won't hurt trying it first to see if it works or not.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/eap_pap_phase.html#wp1052021
01-28-2013 10:08 AM
All I have in my lab ACS is a Windows certificate from my domain CA 2048 SHA1.
Thanks,
Scott
01-28-2013 10:13 AM
You didn't have to install your Root CA cert in Certificate Authorities and it authenticates wireless users using EAP-TLS authentication?
01-28-2013 10:14 AM
My devices have to trust the root CA... the radius only cares about a valid certificate for it to use.
Thanks,
Scott
01-28-2013 10:17 AM
Thank you. Makes sense.
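Added example, not part of the original thread: one way to confirm the key length and signing digest a certificate actually carries before binding it to the RADIUS server, using the `openssl` CLI. The function names, the file paths and the throwaway self-signed certificate are constructed for illustration; the digest match covers the classic `shaNNNWithRSAEncryption` style names only.

```shell
#!/bin/sh
# Added example (not from the thread): report the key length and signing
# digest of a PEM certificate and compare them with a required minimum.

# Print the public key size in bits, e.g. 2048.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Print the signature algorithm, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Return 0 if cert $1 has at least $2 key bits and is signed with digest $3.
cert_meets_policy() {
    bits=$(cert_key_bits "$1")
    alg=$(cert_sig_alg "$1" | tr 'A-Z' 'a-z')
    [ -n "$bits" ] && [ "$bits" -ge "$2" ] || return 1
    case "$alg" in
        "$3"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: throwaway self-signed cert, RSA 2048 signed with SHA256.
make_constructed_cert() {
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 1 \
        -subj "/CN=constructed-radius.example" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

tmp=$(mktemp -d)
make_constructed_cert "$tmp"
echo "key bits:  $(cert_key_bits "$tmp/cert.pem")"
echo "signed by: $(cert_sig_alg "$tmp/cert.pem")"
if cert_meets_policy "$tmp/cert.pem" 2048 sha256; then
    echo "meets 2048/SHA256"
fi
rm -rf "$tmp"
```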