12-10-2006 05:11 PM - edited 07-03-2021 01:21 PM
I am in the process of testing PEAP in our environment using machine authentication with MSCHAPv2. I created a certificate on our internal CA and installed it on the ACS server. It works fine with XP workstations that are domain members. I would like to have the ability to authenticate Windows Mobile users using PEAP as well. It looks like the process to install root certificates on these devices varies and is a royal pain. It seems like if I installed a certificate from a well-known CA such as Entrust or Thawte that I would not have to deal with this issue on these handhelds. My question is whether by doing so I am creating a security hole. It seems like I am not, as the machine has to be in ACS or mapped to an AD group in ACS, as well as the user needing to be in the appropriate security group. Any advice appreciated.
12-15-2006 08:22 AM
Just check out whether this document helps you. It is about PEAP and ACS configuration steps.
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml
12-18-2006 01:15 AM
You can save yourself a whole pile of trouble if you buy a cert from an online CA. Getting certs into mobile devices can be a real pain; use a well-known CA and the root cert will already be present on the device.
You won't be weakening security by using a well-known CA, as this is only one element in the overall security of the system.
One tip with the ACS server: before installing the new certificate, remove the old one. Don't just install the new one on top of the old one, as this can cause problems.
12-19-2006 07:38 AM
Can you tell me if it matters what the hostname is on the certificate? It seems like there would not be a hostname mismatch anyway.
12-20-2006 07:43 AM
The hostname on the cert shouldn't matter. Generate the CSR on the ACS using its hostname and you should be OK.
12-26-2006 04:31 PM
There does not seem to be a way to deinstall the existing certificate within ACS admin. Can you tell me how to do this? The only option I see is to Install Certificate.
Thanks for your help.
12-27-2006 12:24 AM
Use the Install Certificate option but without installing a new certificate : ) That removes the existing one; then go through the process again to install the new cert.
12-27-2006 12:53 AM
Dear all,
I will use TLS-EAP security and install the cert. in ACS and on the client laptop, but when I try to connect it takes a long time attempting authentication and then does not connect. In ACS the report is "EAP_TLS or PEAP authentication failed during SSL handshake".
What's the problem? Please help.
12-25-2006 09:56 AM
Hi,
Can you tell me if the client can authenticate without the certificate if you disable the certificate validation option in the wireless settings on the laptop?
12-27-2006 12:51 PM
Hi,
The "SSL Handshake failure" is seen when the client or server does not recognize the CA which signed the certificate presented to it.
You will need to install the Root Certificate of the CA in the AAA Server and the client's certificate storage (user's and machine's depending on the authentication).
If you uncheck "Validate Server Certificate" on the client then the client machine will not check the signing authority of the server's certificate. The client will be able to authenticate.
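To make the trust decision behind this answer concrete, here is an added example (not from the thread, not Cisco's code) that assumes openssl is on the path: it builds a throwaway lab CA and an AAA server certificate with an assumed hostname, then shows the same server certificate passing or failing validation depending on which root the client holds.

```shell
#!/bin/sh
# Added example, not from the thread: model the trust check a PEAP/EAP-TLS client
# makes on the AAA server's certificate, using throwaway keys made with openssl.
set -e
WORK="$(mktemp -d)"
cd "$WORK"

# Constructed lab CA, standing in for the internal enterprise CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Lab Internal CA" \
  -keyout ca.key -out ca.pem >/dev/null 2>&1

# CSR generated with the AAA server's hostname (assumed name), signed by the lab CA.
openssl req -newkey rsa:2048 -nodes -subj "/CN=acs.lab.example" \
  -keyout acs.key -out acs.csr >/dev/null 2>&1
openssl x509 -req -days 1 -in acs.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out acs.pem >/dev/null 2>&1

# A second, unrelated CA: what a client trusts when the lab root was never installed.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
  -keyout other.key -out other.pem >/dev/null 2>&1

# verify_server_cert TRUSTSTORE CERT -> exit 0 if CERT chains to a root in
# TRUSTSTORE, else non-zero. This is the check "Validate Server Certificate"
# turns on; unchecking it skips exactly this step.
verify_server_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Client with the lab root installed: chain validates, the handshake can proceed.
if verify_server_cert ca.pem acs.pem; then
  echo "lab root installed: server cert accepted"
fi

# Client without the lab root: this is the "failed during SSL handshake" case.
if verify_server_cert other.pem acs.pem; then
  echo "unexpected: unrelated root accepted the server cert"
else
  echo "lab root missing: server cert rejected (handshake would fail)"
fi
```

The two outcomes map onto the thread's advice: install the issuing CA's root on the client (or use a CA whose root the device already ships with) and the second case goes away.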
12-28-2006 09:32 AM
So what's the best way to configure TLS EAP and install the certificate in the client and ACS SE?
Thanks in advance.
01-04-2007 08:40 AM
With EAP-TLS it is always better to have your Domain controller push certificates to the clients and use the enterprise CA to issue a certificate with ACS.
The clients will always trust the ACS since the same CA issued the certificates to both ends.