Solved: Confusion with PEAP certificate requirements

jeff6strings · ‎12-16-2011

We have a 5508 and two WiSM wireless controllers along with WCS all running the latest version of software; we have ACS 4.0 but we are looking to bypass this option at this time. Our goal is to create an SSID using WPA2 Enterprise, PEAP and Windows 2008 R2 server with NPS (as a member server in the domain) for authentication to our Windows domain; a group will be used to authenticate users using a username and password. Wireless client devices range from Windows XP, 7, Apple laptops, iPad, iPhones and Android phones.

In studying all the documentation, community posts and articles on the Internet I’m confused with the requirements for PEAP in our environment as I keep reading that a client side certificate is used and in some cases it’s not. I think certs may be a problem with our mixed client environment but I’m not 100% sure. I greatly appreciate and input.

Thanks,

Jeff

Stephen Rodriguez · ‎12-16-2011

Jeff,

Per the PEAP standard, the NPS needs a certificate, that says it is allowed to authenticate the users. You can either purchase this, or if you have your own PKI, issue a certificate from your CA.

The client, doesn't need to have the certificate. With PEAP, it is optional for the client to validate the certificate.

The easiest deployment, is to just put the cert on the NPS, and tell the client not to validate the server. Which is how I always test. That way I can determine if the problem is AAA or PKI related.

So on a PC, you have an option to select if you want to validate the certificate or not. With OS X, if you have the cert there, it will reach out and pull the cert.

HTH,

Steve

----------------------------------------------------------------------------------------------------------

Please remember to rate helpful posts or to mark the question as answered so that it can be found later.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

View solution in original post

Scott Fella · ‎12-19-2011

To add to everyone's post:) you can install a 3rd party to the wlc for webauth and management to get rid of the certificate error. You can also use a certificate if you use local EAP for 802.1x.

For 802.1x (PEAP) using a radius you just need a certificate on the radius server no matter what radius server you use.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

View solution in original post

Stephen Rodriguez · ‎12-16-2011

Jeff,

Per the PEAP standard, the NPS needs a certificate, that says it is allowed to authenticate the users. You can either purchase this, or if you have your own PKI, issue a certificate from your CA.

The client, doesn't need to have the certificate. With PEAP, it is optional for the client to validate the certificate.

The easiest deployment, is to just put the cert on the NPS, and tell the client not to validate the server. Which is how I always test. That way I can determine if the problem is AAA or PKI related.

So on a PC, you have an option to select if you want to validate the certificate or not. With OS X, if you have the cert there, it will reach out and pull the cert.

HTH,

Steve

----------------------------------------------------------------------------------------------------------

Please remember to rate helpful posts or to mark the question as answered so that it can be found later.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

jeff6strings · ‎12-19-2011

Steve,

Thanks for the reply. Does the certificate need to be in the wireless LAN controllers too?

Jeff

George Stefanick · ‎12-19-2011

Hi Jeff,

Ill piggy back in here ... I havent seen Steve on the forums today ...

The EAP conversaion is always between the radius server and the wifi client. The WLC acts as a passthrough.The PEAP cert is installed on the radius server. It is sent from the radius server to the wifi client to create a TLS tunnel.

Make sense?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

jeff6strings · ‎12-19-2011

George,

Thanks for the reply as it helps. I've read tech docs showing the cert installed on the WLC even if there is an IAS or NPS server involved. I'm going to begin the setup of all this tomorrow and if I have any questions or updates I'll post them.

Thanks again,

Jeff

Scott Fella · ‎12-19-2011

To add to everyone's post:) you can install a 3rd party to the wlc for webauth and management to get rid of the certificate error. You can also use a certificate if you use local EAP for 802.1x.

For 802.1x (PEAP) using a radius you just need a certificate on the radius server no matter what radius server you use.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

jeff6strings · ‎01-06-2012

I appreciate all the help and everything worked out fine. In Windows 7 you can set to ignore certs and on the iPhone, iPad and Android devices no problems.

Thanks again,

Jeff

Confusion with PEAP certificate requirements

[Action Required] New Secure Access SAML Auth Certificate for VPN

Action Required: Duo Security guide on how to Protect Applications

Cisco Umbrella transitioning from DigiCert to Identrust certificates

Updated SAML Certificate Web Security and ZTA is now available

Umbrella: SWG と Certificate Pinning の関係性について