Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1278
Views
0
Helpful
7
Replies

PEAP-MSChap v2 & ACS 4.0& Windows 2003

Go to solution
colmgrier
Level 1
Level 1

‎07-11-2008 10:25 AM - edited ‎07-03-2021 04:09 PM

Following the below guide for Peap-mschap v2 I get the following error on the ACS "EAP-TLS or PEAP authentication failed during SSL handshake".

When I disable "Validate Server Certificate" on Win XP controlled wireless card I can connect straight away. What is the advantage/disadvantage with unticking "Validate Server Certificate"

Please advise

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Scott Fella
Hall of Fame
Hall of Fame
In response to colmgrier

‎07-13-2008 08:42 AM

First find out what encryption these devices support. I believe they do support WPA/WPA2 w/ PEAP. Devices don't need to be on the domain to work with this type of encryption.

-Scott
*** Please rate helpful posts ***

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Scott Fella
Hall of Fame
Hall of Fame

‎07-11-2008 05:11 PM

When you have "Validate Server Certificate" you need to check which cert you want validated. If it isn't there, then you have to add it. Basically you are telling the utility to verify these checked certs.

Here are some links that will explain it better.

http://support.microsoft.com/kb/814394

http://www.velocityreviews.com/forums/t54654-validate-server-certificate.html

-Scott
*** Please rate helpful posts ***
0 Helpful

Go to solution
colmgrier
Level 1
Level 1
In response to Scott Fella

‎07-12-2008 07:59 AM

Ok still bit confused

Q.1 Using PEAP-mschapv2 and not selecting "Validate Server Certificate" i can still connect to the WLAN,is this is a secure connect (encrypted).

Q.2 I'm using win 2003 standard edition to create the CA, but according to microsoft the minimun certificate is issued by an enterprise certification authority (CA) So I need win 2003 Enterprise edition for the CA??

0 Helpful

Go to solution
Scott Fella
Hall of Fame
Hall of Fame
In response to colmgrier

‎07-12-2008 11:35 AM

Yes.... not selecting the validate server certificate is still being secure... the certificate is to encrypt the rest of the authentication process. As for the CA issues, you need Enterprise CA to issues for the certificate that will be installed in your radius server.

-Scott
*** Please rate helpful posts ***
0 Helpful

Go to solution
rseiler
Level 3
Level 3
In response to colmgrier

‎07-12-2008 03:48 PM

The PEAP-MSCHAPv2 auth process is only one way: the server validates the clients user credentials, the client does not. If you don't require the client to validate the server ca cert, then you can't be sure that the 802.1x auth packets you are receiving have been signed by your server.

The scenerio is that you can bring your laptop to Starbucks and I can be there with a 'honeypot' AP wireless card. Your laptop automatically tries to connect to your corporate SSID, my laptop says 'here you are', you send 802.1x credentials, my laptop says 'yeah, whatever', you auth to my laptop, get an IP address, and I issue attacks against your open shares or vulnerabilies on your laptop (which you *DO* have).

Moral of the story, *always* select 'validate server certificate' on the client when using one-way trusted PEAP-MSCHAPv2.

And so we are on the same page, *any* certificate authority can create the cert, it does not need to be the domain controller; that is just a more complicated scenerio because you need MS-IAS or Cisco-ACS to use that cert and MS-AD needs to trust that cert. I bring this up for completeness.

0 Helpful

Go to solution
Scott Fella
Hall of Fame
Hall of Fame
In response to rseiler

‎07-12-2008 04:08 PM

to issue the cert you need a MS Enterprise server... doesn't need to be your domain controller. you do need a radius server and it can or doesn't have to tie into ad. WLC has local eap that you can also use if you have a wlc.

-Scott
*** Please rate helpful posts ***
0 Helpful

Go to solution
colmgrier
Level 1
Level 1
In response to Scott Fella

‎07-13-2008 07:27 AM

Thanks all for the help.

I also need to add win CE and nokia e-series phone to the WLAN. Will PEAP-mschapv2 work with these devices, I think not because devices need to on the domain??

What solution is best for Window Ce and nokia e-series to connect to the WLAN?

0 Helpful

Go to solution
Scott Fella
Hall of Fame
Hall of Fame
In response to colmgrier

‎07-13-2008 08:42 AM

First find out what encryption these devices support. I believe they do support WPA/WPA2 w/ PEAP. Devices don't need to be on the domain to work with this type of encryption.

-Scott
*** Please rate helpful posts ***
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card