Cisco ACS Self Signed certificates vs others?

Unanswered Question
Dec 12th, 2007

Hi,

we are currently implementing Cisco ACS Self Signed certificate, for PEAP-MSChapv2 Wireless Access, where we have our Cisco ACS linked to the Microsoft Active Directory. So, we are distributing the Certificates through GPO's.

What can be the risks, and what would make us consider having either our own CA Server? or even getting external certificates?

Thanks

Jorge

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
huangedmc Fri, 12/14/2007 - 11:30

The only thing I can think of is the self-signed cert doesn't work w/ Intel ProSet software.

We don't distro the cert through GPO to everyone though so am not sure if it applies to your case.

Richard Atkin Fri, 12/14/2007 - 17:37

Hi Jorge,

There are two reasons a server-side certificate is used for PEAP.

Firstly, it protects the inner authentication method, in your case, it's protecting the MSCHAPv2 exchange. This is pretty secure regardless of whether you use self signed, corporate or 3rd party certificates.

The second reason is that it allows the client to authenticate the radius server BEFORE it even thinks about begining the MSCHAPv2 authentication process. If you're only using Self Signed certificates, then it's likely the Root CA for your ACS isn't installed on your clients, and so you're not doing any checks on the identity of the radius server prior to begining MSCHAPv2. Not checking the identity of the radius server leaves your clients vulnerable to man-in-the-middle and DoS attacks. If you decide to use an internal CA, then make sure your laptops all receive a copy of the internal CA, and that they are configured to check for it. If you decide to buy a 3rd party certificate for your radius server, make sure you buy a certificate that the clients already have the Root CA for.

This is the basic functionality of PEAP, and is the same on all PEAP-capable devices, including the Intel utility.

Best regards,

Richard

andrew.brazier@... Wed, 12/19/2007 - 05:58

I would generally recommend buying in a cert as it saves the hassle of setting up your own CA and distributing your own root certs both of which can be a major hassle.

Actions

This Discussion

 

 

Trending Topics - Security & Network