08-12-2010 01:25 PM - edited 07-03-2021 07:04 PM
I'm working with a customer who wants to run PEAP using MS-CHAPv2. They are using the Windows XP supplicant.
With prior versions of ACS (3.x, 4.x), I generated a self-signed cert on the ACS server itself and imported it onto the Windows machine.
Is this concept still valid with ACS5.1? (My customer opened a TAC case and the engineer said that the Cert must be from a external certificate authority.)
Thanks.
08-13-2010 07:52 AM
Hi kbyrd:
I'm looking at a self-signed cert from an ACS 5.1 box and it meets the version, EKU and server authentication criteria set out in the EAP-TLS Deployment Guide for Wireless LAN Networks (http://tools.cisco.com/squish/A506C) document under section 5.2.2. The server side cert is the same for both PEAP and EAP-TLS.
As long as the client isn't validating the server certificate, that should be fine. I don't have an XP client to test with or I'd say more definitively.
Sincerely,
Rollin Kibbe
Network Management Systems Team
08-13-2010 06:14 PM
Thanks for your response, Rollin.
I could validate the self-signed cert if I exported it from the ACS and imported it into my Windows XP desktop. Correct? Thanks.
08-17-2010 10:25 AM
Hi kbyrd:
Yes, it's my understanding that's how it's supposed to work. In order to do validation, the client has to have something to validate against.
Rollin
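The two points made in the replies above (the ACS server cert has to be an X.509 v3 cert with the Server Authentication EKU, and the client can only validate a self-signed cert after that same cert has been exported and imported as a trust anchor) as an added, runnable illustration; this is not code from the thread or from Cisco ACS, it uses openssl as a stand-in for what ACS generates, and the hostname acs.example.com is made up.

```shell
#!/bin/sh
# Added example, not from the thread or from Cisco ACS. Builds a self-signed
# RADIUS/EAP server cert (stand-in for the one ACS generates), applies the
# checks a supplicant makes on it, and shows that validation only succeeds
# once the exported cert is imported as a trust anchor.
# Assumes openssl 1.1.1 or later on PATH; the hostname is constructed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/acs-selfsigned.pem"
KEY="$WORK/acs-selfsigned.key"

# Self-signed X.509 v3 server cert carrying the Server Authentication EKU
# (OID 1.3.6.1.5.5.7.3.1), which the EAP-TLS deployment guide requires.
make_self_signed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$KEY" -out "$CERT" -subj "/CN=acs.example.com" \
        -addext "extendedKeyUsage=serverAuth" \
        -addext "subjectAltName=DNS:acs.example.com" >/dev/null 2>&1
}

# Checks a PEAP/EAP-TLS supplicant applies to the server certificate.
cert_is_v3() {
    openssl x509 -in "$CERT" -noout -text | grep -q "Version: 3"
}
cert_has_server_auth_eku() {
    openssl x509 -in "$CERT" -noout -text \
        | grep -q "TLS Web Server Authentication"
}

# With an empty trust store the self-signed cert chains to nothing the client
# knows, so validation fails. Importing the exported cert as a trust anchor
# (what the thread describes) makes the same validation succeed.
verify_without_anchor() {
    openssl verify -no-CApath -no-CAfile "$CERT" >/dev/null 2>&1
}
verify_with_anchor() {
    openssl verify -no-CApath -CAfile "$CERT" "$CERT" >/dev/null 2>&1
}

# Demo run.
make_self_signed_cert
cert_is_v3 && echo "X.509 v3: ok"
cert_has_server_auth_eku && echo "serverAuth EKU: ok"
verify_without_anchor || echo "validate with no trust anchor: fails (expected)"
verify_with_anchor && echo "validate with cert imported as trust anchor: ok"
```

On the XP side the same trust-anchor step is the import of the exported ACS cert into the machine's Trusted Root Certification Authorities store, after which "Validate server certificate" can be left enabled in the PEAP profile.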