Confusion with PEAP certificate requirements

jeff6strings
Level 1

We have a 5508 and two WiSM wireless controllers along with WCS all running the latest version of software; we have ACS 4.0 but we are looking to bypass this option at this time. Our goal is to create an SSID using WPA2 Enterprise, PEAP and Windows 2008 R2 server with NPS (as a member server in the domain) for authentication to our Windows domain; a group will be used to authenticate users using a username and password. Wireless client devices range from Windows XP, 7, Apple laptops, iPad, iPhones and Android phones.

In studying all the documentation, community posts and articles on the Internet I'm confused with the requirements for PEAP in our environment, as I keep reading that a client-side certificate is used and in some cases it's not. I think certs may be a problem with our mixed client environment, but I'm not 100% sure. I greatly appreciate any input.

Thanks,

Jeff

2 Accepted Solutions


Stephen Rodriguez
Cisco Employee

Jeff,

     Per the PEAP standard, the NPS needs a certificate that says it is allowed to authenticate the users.  You can either purchase this or, if you have your own PKI, issue a certificate from your CA.

     The client doesn't need to have the certificate.  With PEAP, it is optional for the client to validate the certificate.

The easiest deployment is to just put the cert on the NPS and tell the client not to validate the server, which is how I always test.  That way I can determine if the problem is AAA- or PKI-related.

So on a PC, you have an option to select whether you want to validate the certificate or not.  With OS X, if you have the cert there, it will reach out and pull the cert.

HTH,

Steve

----------------------------------------------------------------------------------------------------------

Please remember to rate helpful posts or to mark the question as answered so that it can be found later.

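As an added check (example code, not part of the thread or of any Cisco or Microsoft documentation): run on the NPS server, this PowerShell lists the certificates in the machine store and reports which of them satisfy what PEAP needs from the server-side certificate: a private key, the Server Authentication EKU, a subject or DNS SAN naming the NPS host, current validity, and a chain to a root the machine trusts. It uses only the .NET X509 classes, so it runs on Windows Server 2008 R2 with PowerShell 2.0. The host name nps01.corp.example is a placeholder and not from the thread.

```powershell
# Added example (not from the thread): report which LocalMachine\My certificates
# meet the PEAP server certificate requirements on an NPS box.
$npsFqdn       = 'nps01.corp.example'   # assumption: replace with the NPS server's real FQDN
$serverAuthOid = '1.3.6.1.5.5.7.3.1'    # id-kp-serverAuth, the EKU PEAP clients check for

foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $problems = @()

    # NPS must hold the private key to complete the TLS handshake inside PEAP.
    if (-not $cert.HasPrivateKey) { $problems += 'no private key' }

    # Enhanced Key Usage must include Server Authentication.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    } | Select-Object -First 1
    $hasServerAuth = $false
    if ($ekuExt) {
        foreach ($oid in $ekuExt.EnhancedKeyUsages) {
            if ($oid.Value -eq $serverAuthOid) { $hasServerAuth = $true }
        }
    }
    if (-not $hasServerAuth) { $problems += 'no Server Authentication EKU' }

    # Subject CN or a DNS SAN should name the NPS host so clients can pin the server name.
    $sanText = ''
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    if ($sanExt) { $sanText = $sanExt.Format($false) }
    $escaped = [regex]::Escape($npsFqdn)
    if (($cert.Subject -notmatch "CN=$escaped") -and ($sanText -notmatch $escaped)) {
        $problems += "subject/SAN does not name $npsFqdn"
    }

    if ((Get-Date) -gt $cert.NotAfter) { $problems += 'expired' }
    if ((Get-Date) -lt $cert.NotBefore) { $problems += 'not yet valid' }

    # Chain building uses this machine's trust store. Clients that validate the
    # server must trust the same root, so distribute that root to them as well.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $problems += "chain does not build: $status"
    }

    $verdict = if ($problems.Count -eq 0) { 'USABLE for PEAP' } else { 'not usable: ' + ($problems -join '; ') }
    '{0}  {1}  {2}' -f $cert.Thumbprint, $cert.Subject, $verdict
}
```

The certificate NPS actually presents is the one selected in the PEAP settings of the network policy, so pick one the script marks USABLE; a certificate that passes here but is issued by a CA the clients do not have will still fail once the clients are told to validate the server.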


Scott Fella
Hall of Fame

To add to everyone's post :) you can install a 3rd-party certificate on the WLC for webauth and management to get rid of the certificate error. You can also use a certificate if you use local EAP for 802.1X.

For 802.1X (PEAP) using a RADIUS server you just need a certificate on the RADIUS server, no matter what RADIUS server you use.


-Scott
*** Please rate helpful posts ***


6 Replies


Steve,

Thanks for the reply. Does the certificate need to be in the wireless LAN controllers too?

Jeff

Hi Jeff,

I'll piggyback in here ... I haven't seen Steve on the forums today ...

The EAP conversation is always between the RADIUS server and the Wi-Fi client. The WLC acts as a passthrough. The PEAP cert is installed on the RADIUS server. It is sent from the RADIUS server to the Wi-Fi client to create a TLS tunnel.

Make sense?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

George,

Thanks for the reply, as it helps. I've read tech docs showing the cert installed on the WLC even if there is an IAS or NPS server involved. I'm going to begin the setup of all this tomorrow, and if I have any questions or updates I'll post them.

Thanks again,

Jeff


I appreciate all the help, and everything worked out fine. In Windows 7 you can set it to ignore certs, and on the iPhone, iPad and Android devices there were no problems.

Thanks again,

Jeff
