ACS 4.2 RADIUS - Wireless - Certificates

Answered Question
Jul 17th, 2009

I set up our ACS 4.2 server for TACACS and also to provide RADIUS authentication for our WLAN, and eventually will use it for 802.1x authentication for the LAN.

I am not an expert on certificates. I called TAC to get assistance installing the self-signed certificate on ACS. This allowed me to build and test my WLAN. Now that I am near the point of going live with this, I'd like to install a certificate that won't expire in 1 year.

How do most people do this? We do have a Windows 2003 server that acts as the Certificate Authority for other services. Should I be doing something with that? And how do most people get these certificates deployed to the clients? By GPO?

Clearly I am not very familiar with certificates and I apologize for this, but reading about them is getting confusing. If someone could point me in the right direction, that would be a big help! Thank you!

Edit: I should mention I've been using PEAP with the self-signed certificate, and am currently manually installing the certificate on my test clients. As it is right now, everything on my WLAN works great: authentication, VLAN assignment, etc. I'm just confused on the best practice for the certificate.

Correct Answer by Jagdeep Gambhir about 7 years 4 months ago

ACS can only provide validity of one year. Using Microsoft CA you configure it for 5...6...7 years, depending upon your need.

It is easy to handle and manage it via GPO.

Two PEAP scenarios:

Using PEAP without the validate server option checked: easy to deploy, as the cert is required only on ACS.

Using PEAP with the validate server option checked: needs the CA cert on each client.

Also, you can get the certs from vendors like Verisign, Entrust, Equifax, GeoTrust, etc. The advantage with these certs is that we don't have to install the CA on each client, as it is installed by default on each operating system.

Hope that helps!

Regards,

~JG

Do rate helpful posts

Overall Rating: 5 (1 ratings)
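
Added example, not part of the thread: a PowerShell check to run on a Windows client for the "validate server option checked" scenario, confirming that the CA certificate has reached the machine's Trusted Root store and reporting how long the CA and ACS certificates remain valid. Both file paths are hypothetical, and it assumes the ACS certificate is issued directly by that CA (no intermediate).

```powershell
# Added example, not from the thread. Both paths are hypothetical: the CA
# certificate exported from the internal CA and the certificate installed on ACS.
param(
    [string]$CaCertPath     = 'C:\Temp\corp-root-ca.cer',
    [string]$ServerCertPath = 'C:\Temp\acs-server.cer',
    [int]$WarnDays          = 90
)

function Get-CertExpiry {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [int]$WarnDays
    )
    # Whole days between now and the certificate's NotAfter date
    $daysLeft = [int][math]::Floor(($Cert.NotAfter - (Get-Date)).TotalDays)
    [pscustomobject]@{
        Subject      = $Cert.Subject
        Issuer       = $Cert.Issuer
        Thumbprint   = $Cert.Thumbprint
        NotAfter     = $Cert.NotAfter
        DaysLeft     = $daysLeft
        ExpiringSoon = ($daysLeft -lt $WarnDays)
    }
}

$x509 = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$ca   = New-Object $x509 -ArgumentList $CaCertPath
$srv  = New-Object $x509 -ArgumentList $ServerCertPath

# A client with the validate server option checked needs the issuing CA
# in the machine's Trusted Root Certification Authorities store.
$inRoot = @(Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $ca.Thumbprint }).Count -gt 0

# Name comparison only; it does not verify the signature on the server cert.
$issuedByCa = ($srv.Issuer -eq $ca.Subject)

Get-CertExpiry -Cert $ca  -WarnDays $WarnDays | Format-List
Get-CertExpiry -Cert $srv -WarnDays $WarnDays | Format-List

if (-not $inRoot)     { Write-Warning "CA certificate is missing from LocalMachine\Root on $env:COMPUTERNAME." }
if (-not $issuedByCa) { Write-Warning "Server certificate issuer does not match the CA subject." }
```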
Correct Answer
Jagdeep Gambhir Mon, 07/20/2009 - 09:08
