10-16-2007 11:36 PM - edited 07-03-2021 02:47 PM
Hi, I am implementing dot1x with PEAP for wired and wireless access. Before I get a CA running, I am using the ACS server's self-signed certificate. However, the XP client won't be able to authenticate if I have the "validate server certificate" box checked. I did not check ACS's authentication log, but most probably the authentication failed because the client cannot validate the server certificate. It is my understanding that this box has to be checked to have a valid dot1x deployment.
Since I don't have a central CA running (yet), how can I make the client validate this self-signed certificate? Conceptually, XP's dot1x PEAP should allow the user to trust any certificate issued by any CA.
10-17-2007 05:16 AM
Hi,
The self-signed cert is only used for the server cert. In the case of self-signed certificates, the ACS server installs a server certificate for itself by using its own CA (Certificate Authority). Now this CA should be in the trusted root certificates of the client, which cannot be done, as the ACS server can generate a certificate only for its own use.
However, there is a workaround to this problem, as we can set up the client to not validate the certificate signing authority.
Regards,
~JG
Please rate helpful posts
10-17-2007 06:37 AM
Hi JG, thank you for your post. I totally agree with your post, but if I set the client to not validate the certificate, this is going to be a big security hole; an attacker can set up a rogue AP and a fake server, and he will be able to capture user credentials, right?
So, is it true that in order for the client to validate the server certificate, I will have to have a central CA, and have this CA issue certificates for both the clients and the ACS server?
10-17-2007 06:42 AM
Yes, you are correct; if the client is not validating the server, that would be a security hole.
If you want to validate the server, then you need to get a cert from a 3rd party CA, like Microsoft or Verisign, etc.
Security comes with a price...
Regards,
~JG
Please rate helpful posts
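As an added illustration that is not part of this thread: the two client settings discussed above, expressed in a wpa_supplicant.conf PEAP network block, with the weak form (server certificate not validated, the equivalent of the unchecked XP box) beside the corrected one. The SSID, identity, password, CA path and server name are placeholder assumptions.

```conf
# Added example (not from the thread): wpa_supplicant.conf PEAP blocks.
# All values below are placeholders / assumptions.

# WEAK: no ca_cert, so the supplicant accepts any RADIUS server certificate.
# This is the unchecked "validate server certificate" box: a rogue AP with
# its own server can complete the TLS tunnel and see the MSCHAPv2 exchange.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="PLACEHOLDER"
    phase2="auth=MSCHAPV2"
}

# CORRECTED: trust only the CA that issued the ACS server certificate and
# require the expected server name, which is what the checked box together
# with a trusted root CA on the client achieves.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="PLACEHOLDER"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"   # assumption: exported root CA
    domain_suffix_match="acs.example.com"       # assumption: ACS server name
}
```

With the corrected block, a server presenting a certificate from any other CA, or with a different name, fails the outer TLS handshake before the inner MSCHAPv2 credentials are ever sent.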