Getting XP Clients to trust ACS Self sign Cert

Unanswered Question
May 14th, 2007
User Badges:


I'm implementing ACS 4.0 to provide PEAP Security on a customers WLAN. I'd like to use the Self signed certificate feature within ACS, because it's easy to use and I don't want to 'play' with the customers Servers to install CA unless I really have to (deniability!!).

My question is, how do I get the XP Clients to trust the certificate installed on the ACS when the 'Authenticate Server' option is enabled on the PEAP client?

Due to the range of client adapters on the network and the only common factor being that they all run XP SP2, I plan to use the 'wireless zero configuration' option on those clients.

I presume I have to tick the relevent CA box on the Client trust list, but how do I get the cert to appear in that trust list?

Regards all,


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Jagdeep Gambhir Mon, 05/14/2007 - 11:34
User Badges:
  • Red, 2250 points or more


When using peap there is no need to have client trust (server)acs certificate.

On XP, please do not enable" Validate server certificate"


dselfridge Tue, 05/15/2007 - 01:36
User Badges:

Thanks for your reply,

I need to validate the server certificate to strengthen against 'man in the middle' attacks. But I'm struggling to figure out how to trust the SSC from the ACS.

There must be a way of adding that CA to the Clients Certificate Trust List?

This network will be the subject of a Pen test when it's finished and I need to make it as secure as possible.

I Know EAP-TLS is stronger, but Certificates on all the clients is too cumbersome to manage. (Customers point of view).

At least using this method (if implemented properly), The customer only has to maintain the Server cert every year.



jafrazie Tue, 05/15/2007 - 12:32
User Badges:
  • Cisco Employee,

This is the price you pay for dealing with self-signed certs. There's no guarantee they'll be trusted. Self-signed certs are not typcially recommended for a production deployment.

Hope this helps,

phoonts01 Mon, 05/28/2007 - 00:52
User Badges:

Hi Dan,

You need to copy out the root certificate and install on the client. You should have a copy when you generate the self-signed cert on the ACS. Two ways to install the cert on the client. You could copy the cert on the thumb drive and install manually on all the machines or use auto-enrollment on the GPO.



dselfridge Mon, 05/28/2007 - 01:21
User Badges:

Thanks Phoon,

I'd just kind of reached the same conclusion, Can you use USB thumb drives on the MCS appliance?

Good idea with the GPO. I think that's the best way to go, should save hours of work going round the clients manually. I was planning to use this method for configuring the client wireless settings also.

There's a good article on Tech Republic about this (ignore the slagging that ACS gets!), Just do a search for 'Configure PEAP Cisco'.

I'll let you know how I get on and rate accordingly.

Thanks for you're help.


phoonts01 Mon, 05/28/2007 - 06:24
User Badges:

Hi Dan,

If your box doesn't support USB, I'm sure you can copy out the cert using other methods. I'm not familiar with MCS appliance but I'd think it should be the same. As far as the interface is concern.

Good luck!




This Discussion