07-10-2007 02:58 PM - edited 07-03-2021 02:19 PM
Hi,
I've been using Cisco ACS 3.3 to generate a self signed certificate, for PEAP-MSChapv2 authentication.
We are running MS Active Directory, any clue what's the easiest way to deploy the Certificate itself?
07-11-2007 05:16 AM
Hi Jorge,
As posted on the AAA forum, self-signed certs are pretty easy to deploy. You just need to create and install it on ACS.
For steps you can refer to the PEAP guide posted for you in the AAA forum.
Let me know if you face any specific issue during installation.
Good Luck,
Regards,
~JG
07-11-2007 05:27 AM
But to do PEAP-MSCHAPv2, don't I need to deploy it to all clients? Where should the certificate be installed then? Just in the Cisco ACS application?
07-11-2007 05:30 AM
Jorge,
No need to install it on clients for PEAP. We need to install it only on the ACS appliance.
Regards,
07-11-2007 05:36 AM
I'm a bit mixed up; what is the certificate required for, then?
07-11-2007 06:32 AM
Jorge,
In PEAP it is not necessary to have the CA installed on each client; it works without the CA installed on the client, but it is less secure.
In the case of PEAP, certificates are used to validate the server. The use of the root certificate on the client is limited to validating the server. When we keep the option 'validate server certificate' unchecked on the client, it does not try to validate the server, and the server gets authenticated without any validation.
However, when we keep the option checked, it explicitly checks for the root certificate on the client to validate the server.
Installing the CA on the client would provide an additional layer of security: someone trying to spoof your server would have to have created a server certificate from another root CA unknown to your client. In this case, if the validate box is checked, the connection should fail because the client does not trust the root CA from which the presented server certificate was generated. If the check box was not checked, the client would accept encrypted communications from ANY server posing as an EAP authentication source.
Hope that helps !
Regards
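The trust decision described in the reply above, reproduced with openssl as an added example (this is not code from the thread or from Cisco ACS). It builds a constructed "Corp Root CA", signs a server certificate with it the way ACS's self-signed or CA-issued server certificate would be, and then shows what a client does with the "validate server certificate" box checked (chain must end in a root it trusts) versus unchecked (anything is accepted). The CA names, the server name `acs.example.corp` and the helper function names are all placeholders chosen here.

```shell
#!/bin/sh
# Added example, not from the original thread. Requires the openssl CLI.
# Models the PEAP client-side server-validation decision:
#   - a client that validates checks the server cert chains to a trusted root;
#   - a client that does not validate accepts any server certificate.
# Names below ("Corp Root CA", "Rogue Root CA", acs.example.corp) are constructed.
set -e
WORK=$(mktemp -d)

make_ca() {
  # $1 = file prefix, $2 = CN. Self-signed root, 2048-bit RSA, no passphrase.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$2" >/dev/null 2>&1
}

make_server_cert() {
  # $1 = prefix of the signing CA, $2 = server CN. Produces $WORK/server.pem.
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 365 \
    -out "$WORK/server.pem" >/dev/null 2>&1
}

# Client with "validate server certificate" checked. $1 = prefix of the root
# the client trusts. Prints accept/reject, returns 0 on accept, 1 on reject.
client_validating() {
  if openssl verify -CAfile "$WORK/$1.pem" "$WORK/server.pem" >/dev/null 2>&1; then
    echo accept; return 0
  else
    echo reject; return 1
  fi
}

# Client with the box unchecked: the chain is never examined.
client_not_validating() {
  echo accept; return 0
}

main_demo() {
  make_ca corp_root "Corp Root CA"     # the root the organisation deploys to clients
  make_ca rogue_root "Rogue Root CA"   # a root the client has no reason to trust
  make_server_cert corp_root "acs.example.corp"
  echo "validating client trusting Corp Root CA:  $(client_validating corp_root || true)"
  echo "validating client trusting Rogue Root CA: $(client_validating rogue_root || true)"
  echo "non-validating client:                    $(client_not_validating)"
  echo "(key material left in $WORK for inspection)"
}

main_demo
```

The second line of output is the case the reply is about: a server certificate that does not chain to the root the client trusts is rejected only because validation is on. Re-run `make_server_cert rogue_root "acs.example.corp"` and the first validating call flips to reject while the non-validating client still prints accept, which is why the box should stay checked once the root is on the clients.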