Getting XP Clients to trust ACS Self sign Cert

dselfridge
Level 1

Hi,

I'm implementing ACS 4.0 to provide PEAP security on a customer's WLAN. I'd like to use the self-signed certificate feature within ACS, because it's easy to use and I don't want to 'play' with the customer's servers to install a CA unless I really have to (deniability!!).

My question is, how do I get the XP Clients to trust the certificate installed on the ACS when the 'Authenticate Server' option is enabled on the PEAP client?

Due to the range of client adapters on the network and the only common factor being that they all run XP SP2, I plan to use the 'wireless zero configuration' option on those clients.

I presume I have to tick the relevant CA box on the client trust list, but how do I get the cert to appear in that trust list?

Regards all,

Dan


Jagdeep Gambhir
Level 10

Dan,

When using PEAP, there is no need to have the client trust the (server) ACS certificate.

On XP, please do not enable "Validate server certificate".

Regards,

Thanks for your reply,

I need to validate the server certificate to strengthen against 'man in the middle' attacks. But I'm struggling to figure out how to trust the SSC from the ACS.

There must be a way of adding that CA to the client's Certificate Trust List?

This network will be the subject of a Pen test when it's finished and I need to make it as secure as possible.

I know EAP-TLS is stronger, but certificates on all the clients are too cumbersome to manage (customer's point of view).

At least using this method (if implemented properly), the customer only has to maintain the server cert every year.

Regards,

Dan

This is the price you pay for dealing with self-signed certs. There's no guarantee they'll be trusted. Self-signed certs are not typically recommended for a production deployment.

Hope this helps,

phoonts01
Level 1

Hi Dan,

You need to copy out the root certificate and install it on the client. You should have a copy when you generate the self-signed cert on the ACS. There are two ways to install the cert on the client: you could copy the cert onto a thumb drive and install it manually on all the machines, or use auto-enrollment on the GPO.

Cheers,

Phoon
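The manual install described in the answer above, with the checks worth making before a self-signed certificate is trusted machine-wide. This is an added example, not code from the thread or from Cisco; the file path and the expected-thumbprint placeholder are assumptions, and it assumes Windows PowerShell is available and the session is elevated.

```powershell
# Added example: verify an exported ACS self-signed certificate, then add it to
# the machine's Trusted Root store. Path and thumbprint below are assumptions.
param(
    [string]$CertPath = 'C:\temp\acs-selfsigned.cer',            # hypothetical export location
    [string]$ExpectedThumbprint = '<THUMBPRINT-READ-FROM-ACS>'   # placeholder, obtained out of band
)

$ErrorActionPreference = 'Stop'
$x509 = 'System.Security.Cryptography.X509Certificates'

# Load the exported certificate file (public certificate only).
$cert = New-Object "$x509.X509Certificate2" -ArgumentList $CertPath

# 1. The file must be the certificate the ACS actually presents. Compare its
#    thumbprint with the value read from the ACS itself, not from the same file.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint)"
}

# 2. A self-signed certificate names itself as issuer. This is a name
#    comparison only; it does not verify the signature.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not self-signed: issuer is '$($cert.Issuer)'"
}

# 3. Refuse anything outside its validity window.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is not valid now ($($cert.NotBefore) to $($cert.NotAfter))"
}

# 4. Clients need only the public certificate. A file carrying the server's
#    private key must never be copied to workstations.
if ($cert.HasPrivateKey) {
    throw 'File contains a private key; export the certificate without it.'
}

# All checks passed: add to LocalMachine\Root so every user on this client trusts it.
$store = New-Object "$x509.X509Store" -ArgumentList `
    ([System.Security.Cryptography.X509Certificates.StoreName]::Root),
    ([System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$store.Add($cert)
$store.Close()

"Trusted '$($cert.Subject)', expires $($cert.NotAfter)"
```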

Thanks Phoon,

I'd just kind of reached the same conclusion. Can you use USB thumb drives on the MCS appliance?

Good idea with the GPO. I think that's the best way to go, should save hours of work going round the clients manually. I was planning to use this method for configuring the client wireless settings also.

There's a good article on Tech Republic about this (ignore the slagging that ACS gets!), just do a search for 'Configure PEAP Cisco'.

I'll let you know how I get on and rate accordingly.

Thanks for your help.

Dan

Hi Dan,

If your box doesn't support USB, I'm sure you can copy out the cert using other methods. I'm not familiar with the MCS appliance, but I'd think it should be the same as far as the interface is concerned.

Good luck!

Cheers,

Phoon
