Self signed cert on ACS for PEAP MS Chap v2

Unanswered Question
Feb 11th, 2009

Currently I'm using a self-signed cert on my ACS server. The ACS server itself generated the cert and private key.

The ACS server forwards the authentication requests from the laptops to a Windows database.

I'm just wondering what downsides if any there are by having the ACS server generate its own certs in my particular setup.


jafrazie Wed, 02/11/2009 - 09:59
User Badges: Cisco Employee

By default, there'd be no reason for your clients to trust this cert. Wouldn't recommend using this in production.

eoinwhite Wed, 02/18/2009 - 03:04

I'm going to go with a digitally signed cert that other sites are using so that clients from other sites can connect to the local wireless seamlessly.

However if this wasn't the case is there a security risk using self signed certs?

Johannes Luther Wed, 02/18/2009 - 03:58

In the best case, you'll configure your clients to validate the server certificate. With that option, you'll make sure that there are no honeypots or rogue APs that want to fool your clients. So "validating server certificates" is a good thing. To make that work, the clients have to know and trust the CA of the authentication server. If it's a self-signed ACS cert, it could be a tough enrollment process. If you already have your own CA, just issue a server cert to the ACS server. Normally your client should have the CA cert of your own CA. If not, simply enroll it.

eoinwhite Wed, 02/18/2009 - 04:05

I went with the CA cert. Just makes things easier.

You say to enroll the cert if the client doesn't have it ... my understanding of PEAP-MSCHAPv2 is that one of its main advantages is that it only uses server-side certs and not client-side certs.

Johannes Luther Wed, 02/18/2009 - 04:37

You're right - when using PEAP, you'll only need server certificates for authentication. However - if you want to enforce that the client only connects to your APs*, the clients need to validate the server certificate. The only way to validate the server cert is to check whether it was issued by a trusted CA. A trusted CA could be for example VeriSign (per system default) or your own CA (if you added it). Check the certificate store on your client - you'll find all trusted CAs there.

If you issue a server cert to your ACS server with a CA the client doesn't trust, validation is impossible.

A trusted CA cert is NOT a client certificate.

*(Rogue APs simulate valid APs (same SSID, encryption and authentication) to obtain user credentials or other data)
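As an added illustration of the point made in this reply (not part of the thread), here is the same PEAP/MSCHAPv2 network written twice as a wpa_supplicant configuration: once with no server-certificate validation, and once pinned to the corporate CA that issued the ACS server cert. The SSID, identity, CA file path and server name are assumed values; Windows clients express the same choice through the "Validate server certificate" and "Connect to these servers" settings of the PEAP profile.

```ini
# Added example, not from the thread. SSID, identity, paths and the
# server name below are assumptions for illustration only.

# WEAK: no ca_cert means the supplicant accepts whatever certificate the
# authenticator presents, so a rogue AP copying the SSID can complete the
# TLS tunnel and collect the MSCHAPv2 exchange.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="PLACEHOLDER"
    phase2="auth=MSCHAPV2"
}

# HARDENED: trust only the CA that issued the ACS server certificate.
# domain_suffix_match additionally requires the server name in the cert
# to match, so a different cert from the same CA is still rejected.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="PLACEHOLDER"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_suffix_match="acs.corp.example"
}
```

If the ACS cert were instead issued by a public CA already in the client's store, `ca_cert` alone would accept any server cert from that CA, which is why the name match matters.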
