ACS5.1 and PEAP. Use self-signed certificate generated by ACS?

kbyrd
Level 2

I'm working with a customer who wants to run PEAP using MS-CHAPv2. They are using the Windows XP supplicant.

With prior versions of ACS (3.x, 4.x), I generated a self-signed cert on the ACS server itself and imported it onto the Windows machine.

Is this concept still valid with ACS5.1? (My customer opened a TAC case and the engineer said that the Cert must be from an external certificate authority.)

Thanks.

3 Replies

Rollin Kibbe
Cisco Employee

Hi kbyrd:

I'm looking at a self-signed cert from an ACS 5.1 box and it meets the version, EKU and server authentication criteria set out in the EAP-TLS Deployment Guide for Wireless LAN Networks (http://tools.cisco.com/squish/A506C) document under section 5.2.2. The server side cert is the same for both PEAP and EAP-TLS.

As long as the client isn't validating the server certificate, that should be fine.  I don't have an XP client to test with or I'd say more definitively.

Sincerely,

Rollin Kibbe

Network Management Systems Team

Thanks for your response, Rollin.

I could validate the self-signed cert if I exported it from the ACS and imported it into my Windows XP desktop. Correct? Thanks.

Hi kbyrd:

Yes, it's my understanding that's how it's supposed to work.  In order to do validation, the client has to have something to validate against.

Rollin
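The two points made in this thread (the server cert has to be an X.509 v3 cert carrying the Server Authentication EKU, and a supplicant can only validate that cert if a copy of it has been imported as a trust anchor) can be checked on the command line. The script below is an added example, not part of the thread and not Cisco's or the ACS product's own tooling; it uses OpenSSL to mint a self-signed server cert in the shape ACS produces, checks the version and EKU criteria Rollin refers to, and then shows that `openssl verify` succeeds only when the very cert that was exported is in the client's trust store. The file names, the CN `acs.example.test` and the second "unrelated" cert are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: self-signed PEAP server cert checks with OpenSSL 1.1.1+.
# Not from the thread; all paths and names below are constructed.
set -e

WORK=$(mktemp -d)                      # scratch directory, constructed
CERT="$WORK/acs-selfsigned.pem"        # stands in for the cert exported from ACS
KEY="$WORK/acs-selfsigned.key"
UNRELATED="$WORK/other-ca.pem"         # a cert the client does NOT trust

# make_cert <cert-out> <key-out> <CN>
# Creates a self-signed X.509 v3 cert with the serverAuth EKU, i.e. the
# server-authentication profile a PEAP/EAP-TLS server cert needs.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$2" -out "$1" -subj "/CN=$3" \
    -addext "keyUsage = digitalSignature, keyEncipherment" \
    -addext "extendedKeyUsage = serverAuth" >/dev/null 2>&1
}

# cert_meets_server_criteria <cert>
# Returns 0 when the cert is version 3 and carries the
# "TLS Web Server Authentication" (serverAuth) extended key usage.
cert_meets_server_criteria() {
  openssl x509 -in "$1" -noout -text | grep -q "Version: 3" || return 1
  openssl x509 -in "$1" -noout -ext extendedKeyUsage \
    | grep -q "TLS Web Server Authentication" || return 1
  return 0
}

# client_validates <server-cert> <trust-store-pem>
# Mimics what the supplicant does when "validate server certificate" is on:
# the server cert must chain to something in the client's trust store.
client_validates() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

make_cert "$CERT" "$KEY" "acs.example.test"
make_cert "$UNRELATED" "$WORK/other.key" "unrelated-ca.example.test"

if cert_meets_server_criteria "$CERT"; then
  echo "server cert: X.509 v3 with serverAuth EKU"
fi
if client_validates "$CERT" "$CERT"; then
  echo "client that imported the exported ACS cert: validation OK"
fi
if ! client_validates "$CERT" "$UNRELATED"; then
  echo "client without the ACS cert in its trust store: validation fails"
fi
```

The last check is the one to keep in mind when the XP supplicant is configured to validate the server certificate: a self-signed cert is its own trust anchor, so the exported copy has to land in the client's Trusted Root store, and a client that has only other CAs will reject the PEAP server.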
