Client validate ACS server self-signed certificate

oldcreek12
Level 1

Hi, I am implementing dot1x with PEAP for wired and wireless access. Before I get a CA running, I am using the ACS server's self-signed certificate. However, the XP client won't be able to authenticate if I have the "Validate server certificate" box checked. I did not check ACS's authentication log, but most probably the authentication failed because the client cannot validate the server certificate. It is my understanding that this box has to be checked to have a valid dot1x deployment.

Since I don't have a central CA running (yet), how can I make the client validate this self-signed certificate? Conceptually, XP's dot1x PEAP should allow the user to trust any certificate issued by any CA.

3 Replies

Jagdeep Gambhir
Level 10

Hi,

The self-signed cert is only used as the server cert. In the case of self-signed certificates, the ACS server installs a server certificate for itself by using its own CA (Certificate Authority). Now this CA should be in the trusted root certificates of the client, which cannot be done, as the ACS server can generate a certificate only for its own use.

However, there is a workaround to this problem, as we can set up the client to not validate the certificate signing authority.

Regards,

~JG

Please rate helpful posts

Hi JG, thank you for your post. I totally agree with your post, but if I set the client to not validate the certificate, this is going to be a big security hole. An attacker can set up a rogue AP and a fake server, and he will be able to capture user credentials, right?

So, is it true that in order for the client to validate the server certificate, I will have to have a central CA, and have this CA issue certificates for both the clients and the ACS server?

Yes, you are correct. If the client is not validating the server, that would be a security hole.

If you want to validate the server, then you need to get a cert from a 3rd-party CA, like Microsoft or VeriSign, etc.

Security comes with a price...

Regards,

~JG

Please rate helpful posts
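The two points argued in this thread (the server certificate must chain to something in the client's trusted root store, and clearing "Validate server certificate" means a rogue AP with its own RADIUS server is accepted) can be modelled with the openssl CLI. The script below is an added example and is not part of the original thread or of Cisco ACS. It generates a self-signed certificate standing in for the one ACS creates for itself, a second self-signed certificate with the same subject name standing in for an attacker's, and a PEM bundle standing in for the client's trusted root store. The host name acs.example.local and all file names are assumptions. The trust decision is modelled as a function taking the same yes/no choice as the XP checkbox.

```shell
#!/bin/sh
# Added example (not from the original thread). Requires the openssl CLI.
# Models the trust decision a PEAP supplicant makes about the RADIUS server
# certificate: accept only if it chains to a certificate in the trusted
# root store, unless server validation has been switched off.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Hypothetical subject name shared by the ACS server and the rogue server.
ACS_CN="acs.example.local"

# Create a self-signed certificate and key: $1 = output prefix, $2 = CN.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" >/dev/null 2>&1
}

# Stand-in for the certificate ACS generates for itself.
make_self_signed "$WORK/acs" "$ACS_CN"
# Stand-in for an attacker's certificate behind a rogue AP: same CN,
# different key, signed by nobody the client trusts.
make_self_signed "$WORK/rogue" "$ACS_CN"

# Stand-in for the client's trusted root store. Importing the ACS
# self-signed certificate here is what lets validation succeed.
TRUSTED_ROOTS="$WORK/trusted-roots.pem"
cat "$WORK/acs.crt" > "$TRUSTED_ROOTS"

# Return 0 if certificate $1 chains to a root in bundle $2, else non-zero.
chains_to_trusted_root() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Supplicant decision: $1 = server cert, $2 = root bundle,
# $3 = "yes" if the client validates the server cert, "no" if not.
server_cert_accepted() {
  if [ "$3" = "no" ]; then
    # Validation off: any certificate is accepted, so a rogue RADIUS
    # server terminates the TLS tunnel and sees the inner credentials.
    return 0
  fi
  chains_to_trusted_root "$1" "$2"
}

# Print the outcome for one combination: $1 cert, $2 bundle, $3 flag, $4 label.
show() {
  if server_cert_accepted "$1" "$2" "$3"; then
    echo "$4: accepted"
  else
    echo "$4: rejected"
  fi
}

show "$WORK/acs.crt"   "$TRUSTED_ROOTS" yes "ACS cert, validation on"
show "$WORK/rogue.crt" "$TRUSTED_ROOTS" yes "rogue cert, validation on"
show "$WORK/rogue.crt" "$TRUSTED_ROOTS" no  "rogue cert, validation off"
```

Only the first and third lines report "accepted": the rogue certificate is rejected as soon as validation is on and the store contains only the ACS certificate, and it is accepted whenever validation is off, regardless of what the store contains. On the real client the equivalent of the `cat` line is importing the ACS certificate into the Trusted Root Certification Authorities store and selecting it as a trusted root in the PEAP properties.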
