ACS5.1 and PEAP. Use self-signed certificate generated by ACS?

Unanswered Question
Aug 12th, 2010
User Badges:

I'm working with a customer who wants to run PEAP using MS-CHAPv2. They are using the Windows XP supplicant.

With prior versions of ACS (3.x, 4.x), I generated a self-signed cert on the ACS server itself and imported it onto the Windows machine.

Is this concept still valid with ACS5.1? (My customer opened a TAC case and the engineer said that the Cert must be from a external certificate authority.)

Thanks.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Rollin Kibbe Fri, 08/13/2010 - 07:52
User Badges:
  • Cisco Employee,

Hi kbyrd:


I'm looking at a self-signed cert from an ACS 5.1 box and it meets the version, EKU and server authentication criteria set out in the


EAP-TLS Deployment Guide for Wireless LAN Networks

http://tools.cisco.com/squish/A506C


document under section 5.2.2.  The server side cert is the same for both PEAP and EAP-TLS.


As long as the client isn't validating the server certificate, that should be fine.  I don't have an XP client to test with or I'd say more definitively.


Sincerely,


Rollin Kibbe

Network Management Systems Team

kbyrd Fri, 08/13/2010 - 18:14
User Badges:

Thanks for your response, Rollin.

I could validate the self-signed cert if I exported it from the ACS and imported it into my Windows XP desktop. Correct? Thanks.

Rollin Kibbe Tue, 08/17/2010 - 10:25
User Badges:
  • Cisco Employee,

Hi kbyrd:


Yes, it's my understanding that's how it's supposed to work.  In order to do validation, the client has to have something to validate against.


Rollin

Actions

This Discussion

Related Content

 

 

Trending Topics - Security & Network