
PEAP with or without Server Certificate Validation?

Gustavo Novais
Level 1

Hello,

I've been trying PEAP Authentication with ACS and RSA, in order to try PEAP-MSCHAP and PEAP-GTC and I have doubts on three aspects.

The first is related to server certificate authentication: On most PEAP supplicants you have the option to not validate the server certificate. Is it only up to the client to choose to do that? Can't I, on the server, do something to force that only clients that authenticate the server log into the network? Because, like that, any person that arrives at my site and simply doesn't choose to validate my server and has obtained a password (PEAP-MSCHAP case) by whichever means can authenticate! It is said that it is mutual authentication, but apparently it is only if one of the parties decides to do so...

The other doubt is that I've read somewhere, not on the Cisco website, that with a Funk Odyssey supplicant you can push the root CA server certificate to the client when he tries to authenticate, not needing to preinstall the root CA server certificate on the client in the case he wishes to validate the server certificate.

The third doubt is about using PEAP-MSCHAPv2 or PEAP-GTC with a static password. I've tried both using the ACS user database and both worked fine! What is the difference, and which is more vulnerable? I know that MS-CHAPv2 can be vulnerable to offline dictionary attacks; what is the mechanism used with PEAP-GTC with a static password?

Thank you

2 Replies

b.hsu
Level 5

Hello,

I read the document in question, and the question about whether I can force a client to authenticate the server certificate is still up.

Thank you nevertheless.
