Self Signed Certificate on ACS3.3

jorge.s
Level 1

Hi,

I've been using Cisco ACS 3.3 to generate a self signed certificate, for PEAP-MSChapv2 authentication.

We are running MS Active Directory, any clue what's the easiest way to deploy the Certificate itself?

5 Replies

Jagdeep Gambhir
Level 10

Hi Jorge,

As posted on the AAA forum, self-signed certs are pretty easy to deploy. You just need to create and install it on ACS.

For steps you can refer to the PEAP guide posted for you in the AAA forum.

Let me know if you face any specific issue during installation.

Good Luck,

Regards,

~JG

But to do PEAP-MSCHAPv2, don't I need to deploy it to all clients? Where should the certificate be installed then? Just in the Cisco ACS application?

Jorge,

No need to install it on Clients for PEAP. We need to install it only on ACS appliance.

Regards,

I'm a bit mixed up; what is the certificate required for, then?

Jorge,

In PEAP it is not necessary to have the CA installed on each client; it works without the CA installed on the client, but it is less secure.

In case of PEAP, certificates are used to validate the server. The use of the root certificate on the client is limited to validating the server. When we keep the option 'Validate server certificate' unchecked on the client, it does not try to validate the server, and the server gets authenticated without any validation.

However, when we keep the option checked then it explicitly checks for the root certificate on the client to validate the server.

Installing the CA on the client would provide an additional layer of security: someone trying to spoof your server would have to have created a server certificate from another root CA unknown to your client. In this case, if the validate box is checked, the connection should fail because the client does not trust the root CA that the presented server certificate was generated from. If the check box was not checked, the client would accept encrypted communications from ANY server posing as an EAP authentication source.

Hope that helps!

Regards
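To make the last reply concrete, here is an added example (not from this thread, nor Cisco's own tooling) that reproduces both client behaviours with openssl: a root the client trusts signs the real ACS certificate, an unrelated root signs an impostor certificate with the same name, and a small function stands in for the supplicant's 'Validate server certificate' decision. It assumes openssl is on PATH; the CA and server names are made up.

```shell
#!/bin/sh
# Added example, not from the thread or from Cisco. Assumed: openssl on PATH;
# all names (corp-root, rogue-root, acs) are made up for the demonstration.
set -e
WORK=$(mktemp -d)

# Create a self-signed root CA (stand-in for the root behind the ACS certificate).
make_root() {  # $1 = CA name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Issue a server (EAP authenticator) certificate signed by the named root.
make_server() {  # $1 = server name, $2 = issuing root name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$WORK/$2.crt" \
    -CAkey "$WORK/$2.key" -CAcreateserial -out "$WORK/$1-by-$2.crt" >/dev/null 2>&1
}

# Supplicant decision. $1 = server certificate offered during PEAP tunnel setup,
# $2 = "yes" if 'Validate server certificate' is ticked, "no" otherwise.
# Returns 0 (accept) or non-zero (reject). The client's trust store holds
# corp-root only.
client_accepts() {
  if [ "$2" != "yes" ]; then
    return 0   # box unchecked: the chain is never examined, any server is accepted
  fi
  openssl verify -CAfile "$WORK/corp-root.crt" "$1" >/dev/null 2>&1
}

make_root corp-root          # the root the client trusts
make_root rogue-root         # an unrelated root, unknown to the client
make_server acs corp-root    # the real ACS:        acs-by-corp-root.crt
make_server acs rogue-root   # same CN, other root: acs-by-rogue-root.crt
ACS_GOOD="$WORK/acs-by-corp-root.crt"
ACS_ROGUE="$WORK/acs-by-rogue-root.crt"

# Walk through the three cases the reply describes.
client_accepts "$ACS_GOOD"  yes && echo "validate=yes, trusted root:   accepted"
client_accepts "$ACS_ROGUE" yes || echo "validate=yes, unknown root:   rejected"
client_accepts "$ACS_ROGUE" no  && echo "validate=no,  unknown root:   accepted (the risk)"
```

Only the middle case rejects the connection, which is the protection the checkbox buys once the root is installed on the client.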
