
Initial configuration of ACS 5.1 for EAP authentication for Wireless clients

Unanswered Question
Nov 21st, 2010

Hi,


I have a set-up with the below devices:


Wireless LAN controller 5508

LAP 3302i

and ACS 5.1


Since I am new to ACS 5.1 configuration, I need some information to go ahead and configure ACS 5.1.


Which EAP method to use for wireless client authentication? What is the best practice?


I have gone through some Cisco documents and they show that the best practice is to configure PEAP, but for that I need to install a certificate on the ACS server as well as on the client PC. Is that so?


I have no clear picture of this certificate.


From where can I get this certificate, or do I need to purchase this certificate separately from Cisco? How do I install it on the ACS server?


I will be obliged to get at least an initial configuration for ACS 5.1 to enable the EAP method.


I need a GUI-based initial configuration for ACS 5.1.


The ACS 5.1 mentioned is installed on an ACS 1121 hardware appliance.

Overall Rating: 5 (3 ratings)
Tiago Antunes Mon, 11/22/2010 - 01:19
User Badges: Cisco Employee

Hi,



Which EAP method to use for wireless client authentication? What is the best practice?

-> I would advise the most widespread EAP method, which has the best ratio of security to ease of deployment: PEAP with MSCHAPv2, which is available by default on all Windows machines.



I have gone through some Cisco documents and they show that the best practice is to configure PEAP, but for that I need to install a certificate on the ACS server as well as on the client PC. Is that so?

-> You will always need to install a server certificate; however, there is no need for a client certificate because the authentication is based on the MSCHAP credentials exchange and is not certificate based. The only requirement on the client regarding certificates is the following.

If you want to validate the server certificate, you have to install the server certificate under the trusted CAs of the clients.

If you do not need to trust the server certificate, you can simply disable the option of server certificate validation.


I have no clear picture of this certificate.

From where can I get this certificate, or do I need to purchase this certificate separately from Cisco? How do I install it on the ACS server?

-> The server certificate can be a simple self-signed certificate that you generate and install on the ACS GUI.


Please feel free to follow this step-by-step guide on

PEAP under Unified Wireless Networks with ACS 5.1 and Windows 2003 Server:

http://www.cisco.com/en/US/partner/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml or in pdf

http://www.cisco.com/image/gif/paws/112175/acs51-peap-deployment-00.pdf.


HTH,

Tiago


--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
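Added example, not part of the thread or of Cisco's documentation: a shell sketch that models the client-side choice described in the answer above, using `openssl verify` as a stand-in for the supplicant's trust check. It assumes the OpenSSL command-line tool is installed; the host name `acs.example.test`, the file names and the function names are constructed for illustration.

```shell
#!/bin/sh
# Models the two client settings: validate the server certificate against an
# installed trust anchor, or skip validation. All names are constructed.

# Self-signed certificate, standing in for the one generated in the ACS GUI.
make_self_signed() {   # $1 = output prefix, $2 = common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# SHA-256 fingerprint: the value to compare out of band before importing
# the exported certificate into the clients' trusted store.
fingerprint() {        # $1 = certificate file
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# $1 = validate|novalidate, $2 = anchor installed on the client,
# $3 = certificate presented by the server during the PEAP handshake.
client_decision() {
    if [ "$1" = novalidate ]; then
        echo accept    # validation disabled: nothing is checked
    elif openssl verify -CAfile "$2" "$3" >/dev/null 2>&1; then
        echo accept    # presented certificate chains to the installed anchor
    else
        echo reject    # same name is not enough, the key must match too
    fi
}

demo() {
    dir=$(mktemp -d) || return 1
    make_self_signed "$dir/acs" acs.example.test     # certificate installed on clients
    make_self_signed "$dir/other" acs.example.test   # same name, different key
    echo "anchor fingerprint:       $(fingerprint "$dir/acs.pem")"
    echo "validate, installed cert: $(client_decision validate "$dir/acs.pem" "$dir/acs.pem")"
    echo "validate, other cert:     $(client_decision validate "$dir/acs.pem" "$dir/other.pem")"
    echo "novalidate, other cert:   $(client_decision novalidate "$dir/acs.pem" "$dir/other.pem")"
    rm -rf "$dir"
}

demo
```

With validation enabled, only the certificate that was installed as a trust anchor is accepted; with validation disabled, the client cannot tell the two certificates apart.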

vinodjad1234 Mon, 11/22/2010 - 04:53

Hi,



Thanks for your reply.



I want to go ahead with PEAP-MSCHAPv2 configuration in ACS.


I am sorry to say that I am still somewhat confused about whether I want to install the certificate in ACS or generate the certificate. Why do I need IIS or a CA server?


Or do I need an external server which is in the domain, configure that server as a CA server, generate the certificate and then upload it to ACS?


Is that so ?


I tried to generate the certificate from the ACS and copy it to a local computer with the PAK number, but I still do not have a clear picture.



Please shed some light on the same.


I will be really obliged with your valuable knowledge.

Tiago Antunes Mon, 11/22/2010 - 05:22
User Badges: Cisco Employee

Hi,


It is not mandatory to generate a certificate from IIS. You can use the ACS self-signed certificate for PEAP. And the simplest thing is simply to configure the clients to not validate the server cert. This way, the clients will trust the ACS self-signed certificate.


HTH,

Tiago



--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
