Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
5612
Views
0
Helpful
0
Comments

How to configure trusted certificates on the ACS with the verisign for certificates

TCC_2
Level 10
Level 10

‎06-17-2009 10:11 PM - edited ‎02-21-2020 09:54 PM

 

 

Introduction

 

This provides the configuration guidelines for the Cisco Secure Access Control Server (ACS).

 

Network Topology

 

/image/gif/paws/72013/peap-acs40-win2003-1.gif

 

 

Resolution

In case of Protected Extensible Authentication Protocol (PEAP), certificates are used in order to validate the server. The use of the root certificate on the client is only limited to the validation of the server. When the validate server certificate option is unchecked on the client, it does not try to validate the server, and the server is authenticated without any validation. But, when the option is checked, it explicitly checks for the root certificate on the client in order to validate the server.

 

peap-acs40-win2003-84.gif

 

 

 

Once the server is authenticated, the manner in which PEAP works remains the same in both the cases. For example, whether the validate server certificate is checked or unchecked, it is possible to install the root CA on each client or do not do so.

PEAP works in these two phases:

  • In the first phase, the end-user client authenticates Cisco Secure ACS. This requires a server certificate and authenticates Cisco Secure ACS to the end-user client, which ensures that the user or machine credentials sent in phase two are sent to a AAA server that has a certificate issued by a trusted CA. If the validate server certificate option is checked, the CA certificate for the CA that issued the Cisco Secure ACS server certificate is likely to be required in local storage for trusted root CAs on the end-user client computer. The first phase uses a TLS handshake in order to establish a Secure Socket Layer (SSL) tunnel.

  • In phase two, Cisco Secure ACS authenticates the user or machine credentials with an EAP authentication protocol. The EAP authentication is protected by the SSL tunnel that is created in phase one.

Since data encryption takes place with the SSL in PEAP, there is no way to see the use of certificates in case of PEAP authentication.

Note: In order to avoid a Man in the middle attack, configure this with validate server certificate checked.

In order to make use of the validate server certificate option, install Root CA and Intermediate CA both on the ACS server and on each client.

 

peap-acs40-win2003-15.gif

 

 

 

While it is installed on the client, save Root CA to the Root CA store and store the Intermediate CA at the Subordinate CA store location.

 

Third Party Software

Windows 2000

Windows XP

Windows 2003

 

Protocol / Ports

PEAP

 

Reference

 

Windows Standard 2003 Setup with Cisco Secure ACS 4.0 section of PEAP under Unified Wireless Networks with ACS 4.0 and Windows 2003

Labels:
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents