Client validate ACS server self-signed certificate

Unanswered Question
Oct 16th, 2007

Hi, I am implementing dot1x with PEAP for wired and wireless access. Before I get a CA running, I am using the ACS server's self-signed certificate. However, the XP client won't be able to authenticate if I have the "validate server certificate" box checked. I did not check ACS's authentication log, but most probably the authentication failed because the client cannot validate the server certificate. It is my understanding that this box has to be checked to have a valid dot1x deployment.

Since I don't have a central CA running (yet), how can I make the client validate this self-signed certificate? Conceptually, XP's dot1x PEAP should allow the user to trust any certificate issued by any CA.

Jagdeep Gambhir Wed, 10/17/2007 - 05:16


The self-signed cert is only used for the server cert. In the case of self-signed certificates, the ACS server installs a server certificate for itself by using its own CA (Certificate Authority). Now this CA should be in the trusted root certificates of the client, which cannot be done as the ACS server can generate a certificate only for its own use.

However, there is a workaround to this problem, as we can set up the client to not validate the certificate signing authority.



Please rate helpful posts

jiangu Wed, 10/17/2007 - 06:37

Hi JG, thank you for your post. I totally agree with your post, but if I set the client to not validate the certificate, this is going to be a big security hole; an attacker can set up a rogue AP and a fake server, and he will be able to capture user credentials, right?

So, is it true that in order for the client to validate the server certificate, I will have to have a central CA, and have this CA issue certificates for both clients and the ACS server?

Jagdeep Gambhir Wed, 10/17/2007 - 06:42

Yes, you are correct; if the client is not validating the server, that would be a security hole.

If you want to validate the server, then you need to get a cert from a 3rd-party CA, like Microsoft or VeriSign etc.

Security comes with a price...



Please rate helpful posts
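The trust decision the two answers above describe (the supplicant accepts the PEAP server certificate only when its chain ends in a root the client already trusts, and only if the name matches) can be reproduced with the openssl CLI. The script below is an added example, not from this thread or from Cisco; it uses openssl verify as a stand-in for the XP supplicant's "validate server certificate" check, and the names acs.example.local and "Lab Root CA" are made up for the lab. It builds a self-signed "ACS" cert, a second self-signed cert with the same name standing in for a rogue server, and a CA-issued cert, then checks each against different client trust stores.

```shell
#!/bin/sh
# Added example (not from this thread): reproduce the supplicant's "validate server
# certificate" decision with openssl. A presented cert is accepted only if its chain
# ends in a cert already in the client's trust store AND its name matches.
# Assumed lab names: acs.example.local (server), "Lab Root CA" (private CA).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ACS_NAME="acs.example.local"

# Self-signed certificate: $1 = output basename, $2 = CN.
# This is what the ACS self-signed cert is: signed by its own key, no external CA.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.crt" -subj "/CN=$2" -days 30 >/dev/null 2>&1
}

# Private CA plus a server cert issued by it (what you get once a central CA exists).
make_ca_issued() {
  make_self_signed ca "Lab Root CA"
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/srv.key" \
    -out "$WORK/srv.csr" -subj "/CN=$ACS_NAME" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/srv.crt" -days 30 >/dev/null 2>&1
}

# The client-side check. $1 = certificate the server presented,
# $2 = the client's trust store (PEM file of trusted roots).
# Echoes "trusted" or "untrusted" and never aborts the script, so callers branch on the string.
validate() {
  if openssl verify -CAfile "$2" -verify_hostname "$ACS_NAME" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

build_lab_certs() {
  make_self_signed acs "$ACS_NAME"     # the real ACS, self-signed
  make_self_signed rogue "$ACS_NAME"   # rogue server: same name, attacker's own key
  make_ca_issued                       # lab CA and a CA-issued ACS cert
}

build_lab_certs
echo "self-signed ACS cert, client trusts only the lab CA  : $(validate "$WORK/acs.crt" "$WORK/acs.crt" >/dev/null; validate "$WORK/acs.crt" "$WORK/ca.crt")"
echo "self-signed ACS cert, client imported that exact cert: $(validate "$WORK/acs.crt" "$WORK/acs.crt")"
echo "CA-issued ACS cert,   client trusts the lab CA       : $(validate "$WORK/srv.crt" "$WORK/ca.crt")"
echo "rogue cert, same name, client trusts the lab CA      : $(validate "$WORK/rogue.crt" "$WORK/ca.crt")"
```

The last line is the point of the thread: the rogue certificate carries the right name but fails because nothing in the client's trust store signed it, which is exactly the protection that disappears when "validate server certificate" is unchecked. The second line shows that a self-signed certificate can only ever be trusted by importing that exact certificate as a root on each client; the third shows why a CA-issued certificate scales, since importing the one CA root covers every server it issues.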

