02-11-2009 09:38 AM - edited 07-03-2021 05:09 PM
Hi,
Currently I'm using a self-signed cert on my ACS server. The ACS server itself generated the cert and private key.
The ACS server forwards the authentication requests from the laptops to a Windows database.
I'm just wondering what downsides if any there are by having the ACS server generate its own certs in my particular setup.
Eoin.
02-11-2009 09:59 AM
By default, there'd be no reason for your clients to trust this cert. Wouldn't recommend to use this in production.
02-11-2009 10:13 AM
Ideally what should I be doing ?
02-18-2009 03:04 AM
I'm going to go with a digitally signed cert that other sites are using so that clients from other sites can connect to the local wireless seamlessly.
However if this wasn't the case is there a security risk using self signed certs?
02-18-2009 03:58 AM
In the best case, you'll configure your clients to validate the server certificate. With that option, you'll make sure that there are no honeypots or rogue APs that want to fool your clients. So "validating server certificates" is a good thing. To make that work, the clients have to know and trust the CA of the authentication server. If it's a self-signed ACS cert, it could be a tough enrollment process. If you already have your own CA, just issue a server cert to the ACS server. Normally your clients should have the CA cert of your own CA. If not, simply enroll it.
02-18-2009 04:05 AM
I went with the CA cert. Just makes things easier.
You say to enroll the cert if the client doesn't have it ... my understanding of PEAP-MSCHAPv2 is that one of its main advantages is that it only uses server-side certs and not client-side certs.
02-18-2009 04:37 AM
You're right - when using PEAP, you'll only need server certificates for authentication. However, if you want to enforce that the client only connects to your APs*, the clients need to validate the server certificate. The only way to validate the server cert is to check whether it was issued by a trusted CA. A trusted CA could be, for example, VeriSign (per system default) or your own CA (if you added it). Check the certificate store on your client - you'll find all trusted CAs there.
If you issue a server cert to your ACS server with a CA the client doesn't trust, validation is impossible.
A trusted CA cert is NOT a client certificate.
*(Rogue APs simulate valid APs (same SSID, encryption and authentication) to obtain user credentials or other data.)