Self signed cert on ACS for PEAP MS Chap v2

eoinwhite
Level 1

Hi,

Currently I'm using a self-signed cert on my ACS server. The ACS server itself generated the cert and private key.

The ACS server forwards the authentication requests from the laptops to a Windows database.

I'm just wondering what downsides if any there are by having the ACS server generate its own certs in my particular setup.

Eoin.

6 Replies

jafrazie
Cisco Employee

By default, there'd be no reason for your clients to trust this cert. Wouldn't recommend using this in production.

Ideally, what should I be doing?

I'm going to go with a digitally signed cert that other sites are using so that clients from other sites can connect to the local wireless seamlessly.

However, if this wasn't the case, is there a security risk in using self-signed certs?

In the best case, you'll configure your clients to validate the server certificate. With that option, you'll make sure that there are no honeypots or rogue APs that want to fool your clients. So "validating server certificates" is a good thing. To make that work, the clients have to know and trust the CA of the authentication server. If it's a self-signed ACS cert, it could be a tough enrollment process. If you already have your own CA, just issue a server cert to the ACS server. Normally your clients should have the CA cert of your own CA. If not, simply enroll it.

I went with the CA cert. Just makes things easier.

You say to enroll the cert if the client doesn't have it ... my understanding of PEAP-MSCHAPv2 is that one of its main advantages is that it only uses server-side certs and not client-side certs.

You're right - when using PEAP, you'll only need server certificates for authentication. However, if you want to enforce that the client only connects to your APs*, the clients need to validate the server certificate. The only way to validate the server cert is to check if it was issued by a trusted CA. A trusted CA could be, for example, VeriSign (per system default) or your own CA (if you added it). Check the certificate store on your client - you'll find all trusted CAs there.

If you issue a server cert to your ACS server with a CA the client doesn't trust, validation is impossible.

A trusted CA cert is NOT a client certificate.

*(Rogue APs simulate valid APs (same SSID, encryption and authentication) to obtain user credentials or other data.)
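The check described in the replies above, as an added example that is not part of this thread: a client that validates the server certificate accepts an ACS cert issued by a CA it trusts, rejects an unknown self-signed one, and rejects a cert from a different key even when it carries the same name. The script uses `openssl` in a POSIX shell to stand in for the client's trust store; the CA name, the hostname `acs.example.local` and all file names are made up for the demo.

```shell
#!/bin/sh
# Constructed demo of "validate server certificate" for PEAP.
# Requires the openssl CLI. All names and files are made up.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Our own CA, the one the clients will be told to trust.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Example Corp Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# 2. ACS server cert issued by that CA (the recommended setup).
openssl req -newkey rsa:2048 -nodes -subj "/CN=acs.example.local" \
  -keyout "$WORK/acs.key" -out "$WORK/acs.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/acs.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -out "$WORK/acs-ca.pem" >/dev/null 2>&1

# 3. Self-signed ACS cert (the original poster's setup).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=acs.example.local" \
  -keyout "$WORK/acs-self.key" -out "$WORK/acs-self.pem" >/dev/null 2>&1

# 4. A second self-signed cert with the same CN but a different key,
#    i.e. what a rogue authenticator would present. The client must reject it.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=acs.example.local" \
  -keyout "$WORK/other.key" -out "$WORK/other-self.pem" >/dev/null 2>&1

# verify_against <trust-store> <server-cert>: prints OK or REJECTED.
# This is the chain check a validating client performs.
verify_against() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo OK
  else
    echo REJECTED
  fi
}

# Client trusts our CA: the CA-issued ACS cert chains to it.
check_ca_issued()        { verify_against "$WORK/ca.pem" "$WORK/acs-ca.pem"; }
# Client trusts our CA only: the self-signed ACS cert does not chain to it.
check_self_signed()      { verify_against "$WORK/ca.pem" "$WORK/acs-self.pem"; }
# The "tough enrollment" path: every client must be given the exact
# self-signed cert as a trust anchor, then it validates.
check_self_enrolled()    { verify_against "$WORK/acs-self.pem" "$WORK/acs-self.pem"; }
# Same CN, different key: rejected by both trust stores.
check_rogue_vs_ca()      { verify_against "$WORK/ca.pem" "$WORK/other-self.pem"; }
check_rogue_vs_enrolled(){ verify_against "$WORK/acs-self.pem" "$WORK/other-self.pem"; }

echo "CA-issued ACS cert, client trusts CA:          $(check_ca_issued)"
echo "Self-signed ACS cert, client trusts CA only:   $(check_self_signed)"
echo "Self-signed ACS cert enrolled on the client:   $(check_self_enrolled)"
echo "Same-name cert, other key, vs CA store:        $(check_rogue_vs_ca)"
echo "Same-name cert, other key, vs enrolled store:  $(check_rogue_vs_enrolled)"
```

The third check shows why a self-signed ACS cert is workable but awkward: it only validates on clients that have been handed that specific certificate, and it has to be redistributed whenever the ACS cert is renewed, whereas a CA-issued cert validates on every client that already trusts the CA.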
