Peap + ACS 4.2 (Self-Signed Certificates)

Answered Question
Apr 2nd, 2010

I do not have a Microsoft CA available on site, so I will need to generate a self-signed certificate on ACS 4.2.


When I generate this certificate, do I need to install the certificate on all wireless client (domain) laptops? Also, do I need to install it on the AD server?


http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml#t21


Please advise.

Colm

Correct Answer by Jon Marshall about 7 years 1 month ago

colmgrier wrote:


I do not have a Microsoft CA available on site, so I will need to generate a self-signed certificate on ACS 4.2.


When I generate this certificate, do I need to install the certificate on all wireless client (domain) laptops? Also, do I need to install it on the AD server?


http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml#t21


Please advise.

Colm


Colm


You have 2 choices -


1) deselect the "Validate Server Certificate" option on the client and then you will not need to install the certificate on the client. However, this is a security risk as you are now vulnerable to man-in-the-middle attacks.


or


2) you need to install the root certificate for the ACS onto the wireless client. You can do this manually or you can use Group Policy to do it, but please don't ask me how as I always just left this to the server guys. You would then leave "Validate Server Certificate" selected and you are not vulnerable to man-in-the-middle attacks.


You don't need to install it on the AD.


Jon


Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.
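An added example, not from the thread or from Cisco: a small Python audit that tells you which of Jon's two choices a Windows client actually has configured. It parses the XML that `netsh wlan export profile name="<SSID>" folder=<dir>` writes for a PEAP (EAP type 25) profile and checks that server validation is on and that the ACS root certificate is the one pinned. Element and namespace names follow Microsoft's WLAN/PEAP profile schema; the SSID `CORP-WIFI`, the server name, and the root thumbprint are constructed placeholders, not values from the thread.

```python
"""Audit an exported Windows WLAN profile for PEAP server-certificate validation."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample (not a real network): a PEAP profile with the
# "Validate server certificate" checkbox on and a root CA pinned by thumbprint.
# Element names follow Microsoft's WLAN/PEAP profile schema; the SSID,
# server name and thumbprint are placeholders.
PROFILE_VALIDATING = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CORP-WIFI</name>
  <MSM><security>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <EAPConfig>
        <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
          <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
          <Config>
            <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
              <Type>25</Type>
              <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
                <ServerValidation>
                  <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
                  <ServerNames>acs.example.internal</ServerNames>
                  <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>
                </ServerValidation>
                <PeapExtensions>
                  <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation>
                </PeapExtensions>
              </EapType>
            </Eap>
          </Config>
        </EapHostConfig>
      </EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>
"""

# Same profile with the checkbox cleared (Jon's option 1): no server validation.
PROFILE_UNVALIDATED = PROFILE_VALIDATING.replace(
    ">true</PerformServerValidation>", ">false</PerformServerValidation>")

# Placeholder thumbprint of the ACS self-signed root; take the real one from the ACS cert.
ACS_ROOT_THUMBPRINT = "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33"


def _local(tag: str) -> str:
    """Drop the namespace prefix; the profile mixes several Microsoft namespaces."""
    return tag.rsplit("}", 1)[-1]


def _first_text(root: ET.Element, name: str) -> Optional[str]:
    """Text of the first element with this local name, or None if absent."""
    for el in root.iter():
        if _local(el.tag) == name:
            return (el.text or "").strip()
    return None


def _norm_thumb(thumb: str) -> str:
    """Normalise 'AA BB' / 'aa:bb' thumbprint spellings to bare lowercase hex."""
    return thumb.replace(" ", "").replace(":", "").lower()


@dataclass
class PeapAudit:
    profile_name: str
    eap_type: Optional[str]
    validates_server: bool
    prompt_disabled: bool
    server_names: str
    trusted_roots: List[str] = field(default_factory=list)

    def is_hardened(self, expected_root: str) -> bool:
        """True only for PEAP with validation on and the expected root pinned."""
        return (self.eap_type == "25" and self.validates_server
                and _norm_thumb(expected_root) in self.trusted_roots)

    def findings(self, expected_root: str) -> List[str]:
        """Human-readable list of what is missing relative to option 2."""
        out = []
        if self.eap_type != "25":
            out.append("not a PEAP profile (EAP type %s)" % self.eap_type)
        if not self.validates_server:
            out.append("PerformServerValidation is off: client accepts any server certificate")
        if _norm_thumb(expected_root) not in self.trusted_roots:
            out.append("expected root CA thumbprint is not pinned in TrustedRootCA")
        if not self.server_names:
            out.append("no ServerNames restriction set")
        return out


def audit_profile(xml_text: str) -> PeapAudit:
    """Parse one exported WLAN profile and extract its PEAP validation settings."""
    root = ET.fromstring(xml_text)
    return PeapAudit(
        profile_name=_first_text(root, "name") or "<unnamed>",
        eap_type=_first_text(root, "Type"),
        validates_server=(_first_text(root, "PerformServerValidation") or "").lower() == "true",
        prompt_disabled=(_first_text(root, "DisableUserPromptForServerValidation") or "").lower() == "true",
        server_names=_first_text(root, "ServerNames") or "",
        trusted_roots=[_norm_thumb(el.text or "") for el in root.iter() if _local(el.tag) == "TrustedRootCA"],
    )


if __name__ == "__main__":
    for label, xml_text in (("validating", PROFILE_VALIDATING), ("unvalidated", PROFILE_UNVALIDATED)):
        audit = audit_profile(xml_text)
        verdict = "hardened" if audit.is_hardened(ACS_ROOT_THUMBPRINT) else audit.findings(ACS_ROOT_THUMBPRINT)
        print(label, audit.profile_name, verdict)
```

Point `audit_profile` at the files `netsh wlan export profile` produces on a sample of laptops (or at the XML a Group Policy wireless profile deploys) and any profile that reports `PerformServerValidation is off` is running Jon's option 1. A profile only counts as hardened here if the root thumbprint matches, so the check also catches clients that validate against some other trusted root rather than the ACS certificate you installed.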

Jon Marshall Fri, 04/02/2010 - 12:43
