Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
734
Views
5
Helpful
4
Replies

PEAP and ACS5 server side certificate question

dan hale
Level 3
Level 3

‎02-10-2013 05:30 PM - edited ‎07-03-2021 11:30 PM

Hello All, I'm in the process of setting up PEAP with ACS 5. From understanding the certificate that I generate is a server side certificate used between ACS and CA authority. However, according to the Cisco document that I'm using it sounds like I still have to install a certificate on the wireless clients that validate the server certificate.

Is there a process to push this cert out via AD or do I need to manually install it and if I wanted can I get away with out checking the validate the server certificate on the wireless client?

http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml#wlc5508

see Configure the Wireless Network Connection

step number 12.

Thanks,

Dan

Labels:
0 Helpful
4 Replies 4

George Stefanick
VIP Alumni
VIP Alumni

‎02-10-2013 05:34 PM

Peap mschapv2 requires only a server side cert.

If you do eap-tls then server and client side is needed

Remember the cert you generate should be signed my a major ca, just in case you validate the cert on the clients .

Make sense ?

Sent from Cisco Technical Support iPhone App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
0 Helpful

dan hale
Level 3
Level 3
In response to George Stefanick

‎02-11-2013 06:29 PM

Thanks, George.

I guess what I was getting confused based on the below picture I was thinking that when I validate the server side cert that I would also need to install the cert on the client under "trusted root certification authorities".

I realize now that all we are doing based on the picture is validating the server side cert and saying we are using this particular CA trusted root authority. In this example it is "ca.demo.local"

Is it really necessary to validate the server certificate on the client? What are the issues if I do not?

Thanks,

Dan

0 Helpful

Eric Lindsey
Level 1
Level 1

‎02-11-2013 04:30 PM

We are using Peap with ACS and are mot using a client side cert. our server side cert is from Entrust.

Sent from Cisco Technical Support iPhone App

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame

‎02-11-2013 06:34 PM

You should validate the server cert or else your clients will trust any certificate. This will help prevent a man in the middle attack.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card