PEAP-MSCHAPv2 & ACS 4.0 & Windows 2003

Answered Question
Jul 11th, 2008

Following the guide below for PEAP-MSCHAPv2, I get the following error on the ACS: "EAP-TLS or PEAP authentication failed during SSL handshake".

When I disable "Validate Server Certificate" on the Windows XP-controlled wireless card I can connect straight away. What is the advantage/disadvantage of unticking "Validate Server Certificate"?

Please advise.


http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml


Scott Fella Fri, 07/11/2008 - 17:11

When you have "Validate Server Certificate" enabled, you need to check which cert you want validated. If it isn't there, then you have to add it. Basically you are telling the utility to verify these checked certs.


Here are some links that will explain it better.


http://support.microsoft.com/kb/814394


http://www.velocityreviews.com/forums/t54654-validate-server-certificate.html

colmgrier Sat, 07/12/2008 - 07:59

OK, still a bit confused.

Q.1 Using PEAP-MSCHAPv2 and not selecting "Validate Server Certificate", I can still connect to the WLAN. Is this a secure (encrypted) connection?

Q.2 I'm using Windows 2003 Standard Edition to create the CA, but according to Microsoft the minimum is a certificate issued by an enterprise certification authority (CA). So do I need Windows 2003 Enterprise Edition for the CA?


Scott Fella Sat, 07/12/2008 - 11:35

Yes.... not selecting "Validate Server Certificate" is still secure... the certificate is to encrypt the rest of the authentication process. As for the CA issue, you need an Enterprise CA to issue the certificate that will be installed on your RADIUS server.

rseiler Sat, 07/12/2008 - 15:48

The PEAP-MSCHAPv2 auth process is only one way: the server validates the client's user credentials, the client does not. If you don't require the client to validate the server CA cert, then you can't be sure that the 802.1X auth packets you are receiving have been signed by your server.

The scenario is that you can bring your laptop to Starbucks and I can be there with a 'honeypot' AP wireless card. Your laptop automatically tries to connect to your corporate SSID, my laptop says 'here you are', you send 802.1X credentials, my laptop says 'yeah, whatever', you auth to my laptop, get an IP address, and I issue attacks against your open shares or vulnerabilities on your laptop (which you *DO* have).

Moral of the story, *always* select 'validate server certificate' on the client when using one-way trusted PEAP-MSCHAPv2.

And so we are on the same page, *any* certificate authority can create the cert; it does not need to be the domain controller. That is just a more complicated scenario because you need MS-IAS or Cisco-ACS to use that cert and MS-AD needs to trust that cert. I bring this up for completeness.
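An added illustration, not from any of the posters, of what the client-side check in the two replies above actually decides: the CA ticked in the "Validate Server Certificate" list (Scott's point) is the only thing that separates your RADIUS server's certificate from one carrying the same name but issued by a CA you never trusted (rseiler's point). The CA name, server name and key sizes are constructed for the demo, and the check is reproduced with the openssl CLI rather than the Windows supplicant:

```shell
#!/bin/sh
# Added example, not from the thread: the client's "Validate Server
# Certificate" step reproduced with openssl. "Corp Root CA" and
# "radius.corp.example" are constructed names for the demo.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# The organisation's root CA: the certificate the client ticks in the
# "Trusted Root Certification Authorities" list.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Corp Root CA" -keyout corp-ca.key -out corp-ca.pem >/dev/null 2>&1

# The RADIUS server certificate, issued by that CA. This is what ACS/IAS
# presents inside the PEAP outer TLS handshake.
openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.corp.example" \
    -keyout radius.key -out radius.csr >/dev/null 2>&1
openssl x509 -req -in radius.csr -CA corp-ca.pem -CAkey corp-ca.key \
    -CAcreateserial -days 30 -out radius.pem >/dev/null 2>&1

# A certificate with the same server name but signed by a CA the client was
# never told to trust. Only the chain-of-trust check tells the two apart.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=radius.corp.example" -keyout other.key -out other.pem >/dev/null 2>&1

# validate_server_cert CERT: exit 0 only if CERT chains to the trusted root.
# With "Validate Server Certificate" unticked the supplicant skips this step
# and would accept both certificates.
validate_server_cert() {
    openssl verify -CAfile corp-ca.pem "$1" >/dev/null 2>&1
}

# ca_thumbprint: the SHA-1 fingerprint shown for the CA in the Windows
# certificate dialog, useful for confirming the right root was ticked.
ca_thumbprint() {
    openssl x509 -in corp-ca.pem -noout -fingerprint -sha1
}

if validate_server_cert radius.pem; then
    echo "radius.pem: chains to Corp Root CA, accepted"
fi
if ! validate_server_cert other.pem; then
    echo "other.pem: does not chain to Corp Root CA, rejected"
fi
ca_thumbprint
```

Windows XP additionally lets you restrict the server name the certificate must carry ("Connect to these servers"); the name check is not shown here because, as the second certificate demonstrates, a matching name on its own proves nothing without the chain check.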

Scott Fella Sat, 07/12/2008 - 16:08

To issue the cert you need an MS Enterprise server... it doesn't need to be your domain controller. You do need a RADIUS server, and it can, but doesn't have to, tie into AD. The WLC has local EAP that you can also use if you have a WLC.

colmgrier Sun, 07/13/2008 - 07:27

Thanks all for the help.


I also need to add Windows CE and Nokia E-series phones to the WLAN. Will PEAP-MSCHAPv2 work with these devices? I think not, because the devices need to be on the domain??

What solution is best for Windows CE and Nokia E-series to connect to the WLAN?

Correct Answer
Scott Fella Sun, 07/13/2008 - 08:42

First find out what encryption these devices support. I believe they do support WPA/WPA2 w/ PEAP. Devices don't need to be on the domain to work with this type of encryption.
