Self-Signed Certificate on ACS 3.3

Jul 10th, 2007
I've been using Cisco ACS 3.3 to generate a self-signed certificate for PEAP-MSCHAPv2 authentication.

We are running MS Active Directory. Any clue what's the easiest way to deploy the certificate itself?

Jagdeep Gambhir Wed, 07/11/2007 - 05:16
Hi Jorge,

As posted on the AAA forum, self-signed certs are pretty easy to deploy. You just need to create and install it on ACS.

For steps you can refer to the PEAP guide posted for you in the AAA forum.

Let me know if you face any specific issue during installation.

Good Luck,



jorge.s Wed, 07/11/2007 - 05:27
But to do PEAP-MSCHAPv2, don't I need to deploy it to all clients? Where should the certificate be installed, then? Just in the Cisco ACS application?

Jagdeep Gambhir Wed, 07/11/2007 - 05:30
No need to install it on the clients for PEAP. We need to install it only on the ACS appliance.


jorge.s Wed, 07/11/2007 - 05:36
I'm a bit mixed up. What is the certificate required for, then?

Jagdeep Gambhir Wed, 07/11/2007 - 06:32
In PEAP it is not necessary to have the CA installed on each client; it works without the CA installed on the client, but it is less secure.

In the case of PEAP, certificates are used to validate the server. The use of the root certificate on the client is limited to validating the server. When we keep the option 'Validate server certificate' unchecked on the client, it does not try to validate the server, and the server gets authenticated without any validation.

However, when we keep the option checked, then it explicitly checks for the root certificate on the client to validate the server.

Installing the CA on the client provides an additional layer of security: someone trying to spoof your server would have to have created a server certificate from another root CA unknown to your client. In this case, if the validate box is checked, the connection should fail because the client does not trust the root CA from which the server certificate being presented was generated. If the check box is not checked, then the client would accept encrypted communications from ANY server posing as an EAP authentication source.

Hope that helps!


