PEAP and ACS5 server side certificate question

dan hale
Level 3

Hello All, I'm in the process of setting up PEAP with ACS 5. From my understanding, the certificate that I generate is a server-side certificate used between ACS and the CA authority. However, according to the Cisco document that I'm using, it sounds like I still have to install a certificate on the wireless clients that validates the server certificate.

Is there a process to push this cert out via AD, or do I need to manually install it? And if I wanted, can I get away without checking the "validate server certificate" option on the wireless client?

http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml#wlc5508

see Configure the Wireless Network Connection, step number 12.

Thanks,

Dan

4 Replies

George Stefanick
VIP Alumni

PEAP-MSCHAPv2 requires only a server-side cert.

If you do EAP-TLS, then server and client side are needed.

Remember the cert you generate should be signed by a major CA, just in case you validate the cert on the clients.

Make sense?

Sent from Cisco Technical Support iPhone App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Thanks, George.

I guess where I was getting confused, based on the picture below, was that I was thinking that when I validate the server-side cert I would also need to install the cert on the client under "Trusted Root Certification Authorities".

I realize now that all we are doing, based on the picture, is validating the server-side cert and saying we are using this particular trusted root CA. In this example it is "ca.demo.local".

Is it really necessary to validate the server certificate on the client? What are the issues if I do not?

Thanks,

Dan

Eric Lindsey
Level 1

We are using PEAP with ACS and are not using a client-side cert. Our server-side cert is from Entrust.

Sent from Cisco Technical Support iPhone App

Scott Fella
Hall of Fame

You should validate the server cert or else your clients will trust any certificate. This will help prevent a man in the middle attack.

Sent from Cisco Technical Support iPhone App

-Scott