Request Resolution for 1024 bit key for PEAP.

Unanswered Question
Oct 31st, 2011

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080545a29.shtml


As mentioned in the above link, "Install Certificate on the Cisco Secure ACS Appliance for PEAP Clients", the use of a key larger than 1024 does not work with PEAP.


Does anyone know the resolution for this case?

Is it possible to use 2048 bit certificate to work with PEAP?

Or another authentication method must be used?


Thanks.

Scott Fella Mon, 10/31/2011 - 05:18
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    The Hall of Fame designation is a lifetime achievement award based on significant overall achievements in the community. 

  • Cisco Designated VIP,

    2017 Wireless

It will work with newer clients. Put it this way, if you had to purchase a 3rd party certificate from RapidSSL, Verisign, etc. you would only get a 2048 chained certificate. They no longer issue 1024 certificates since around October last year. They all had to move to a 2048 root CA. I run all my 802.1x using 2048 certificates now and haven't run into any issues.


Sent from Cisco Technical Support iPhone App

Cyruschan Mon, 10/31/2011 - 20:44

Thanks Scott for your reply.


Would you please advise what kind of newer client is needed?
Do you mean 2048 certificates do work with PEAP now?

Is there any documentation regarding this?


You are right that we purchase a 3rd party certificate, and we know they issue 2048 certificates now.

But if a 2048 certificate does not work with PEAP, I am thinking of giving them a special request for a 1024 certificate.

Scott Fella Mon, 10/31/2011 - 21:07

Cyrus,


You will not be able to obtain a 1024bit certificate unless you are renewing an existing one. I wouldn't worry about the 2048bit cert not working. I have many installs either using a 2048bit cert from a 3rd party and also using a MS CA. I know for sure that Windows 7, MacBooks, iPads, iPhones etc. do not have any issues.


Sent from Cisco Technical Support iPhone App

Cyruschan Mon, 10/31/2011 - 21:30

Scott,


Yes, we are trying to renew an existing 1024bit certificate.


Our clients are mainly using Windows XP; is it true that the condition below does happen on some platforms?


"The use of a key larger than 1024 does not work with PEAP. Authentication might appear to pass in the ACS, but the client just hangs while it attempts authentication."


I am trying to confirm that a 2048bit cert can be used with PEAP with no issue, and would appreciate it if there is some documentation support.

Scott Fella Mon, 10/31/2011 - 21:35

If you are renewing an existing certificate, then you might as well get a 1024bit. At least you don't have to worry. I will see if there are any docs, but I have not found any in the past. XP might be an issue as I have tried that in the past and it didn't work. I might be able to lab that out and verify.


Sent from my iPhone

Cyruschan Tue, 11/01/2011 - 00:45

It would be kind of you if you can help verify that.

I will try to get a 1024 bit certificate, but still need to figure out the requirements in case we need to migrate to 2048 bit certificate.


Thanks a lot.

Cyruschan Wed, 11/02/2011 - 19:34

Hi Scott,


It seems it is still possible to renew with a 1024 bit cert, but would you please help to check the feasibility of using a 2048 bit cert with PEAP and the requirements for it.

Thanks.


Cyrus

Scott Fella Wed, 11/02/2011 - 20:16

Well, we used a Verisign chained certificate and installed it on ACS 5.2, and Windows 7, iPads and iPhones had no issues. I don't have an XP laptop to test with. One of the things you need to make sure of is to ask or look at what Root CA signed or was used to generate the certificate. You need to make sure that it is one of the Trusted Root CAs listed in the device that will be authenticating. There are some newer CAs that are not in the device's Trusted Root CA list, and you will not be able to verify the server certificate if you want to enable that on the client.


Hope this helps.
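As an added illustration of the two things this post says to check, the server certificate's key size and whether its signing root is in the client's trust store, here is example shell code that is not from the thread or from ACS; it assumes openssl is in PATH and constructs its own test root CA, an unrelated CA and a stand-in server certificate.

```shell
#!/bin/sh
# Added example, not from the thread: inspect an EAP server certificate the
# way a PEAP client does, for its RSA key size and whether it chains to a
# trusted root. Assumes openssl in PATH. The root CA, an unrelated CA and the
# "ACS" server certificate are constructed here as stand-ins for real ones.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed 2048-bit root CA that the server certificate will chain to.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
  -subj "/CN=Constructed Test Root CA" -days 30 >/dev/null 2>&1
# Constructed "newer" CA that the client does NOT trust (stands in for a root
# missing from the device's Trusted Root CA list).
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/other.key" -out "$WORK/other.pem" \
  -subj "/CN=Constructed Untrusted CA" -days 30 >/dev/null 2>&1
# Constructed 2048-bit server certificate signed by the trusted root.
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/acs.key" -out "$WORK/acs.csr" \
  -subj "/CN=acs.example.test" >/dev/null 2>&1
openssl x509 -req -in "$WORK/acs.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -out "$WORK/acs.pem" -days 30 >/dev/null 2>&1

# Print the RSA modulus length (in bits) of a PEM certificate's public key.
cert_key_bits() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeed only if the certificate chains to a root in the given CA bundle,
# which is the check a supplicant performs when "validate server certificate"
# is enabled on the client.
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

echo "server key: $(cert_key_bits "$WORK/acs.pem") bit"
chain_verifies "$WORK/acs.pem" "$WORK/ca.pem" && echo "chains to trusted root: yes"
chain_verifies "$WORK/acs.pem" "$WORK/other.pem" || echo "chains to untrusted CA: no"
```

Run the same two functions against the real ACS certificate and the client's CA bundle to confirm the key size and that the root is one the client already trusts.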

Cyruschan Sat, 11/05/2011 - 13:00

Thanks for your reply.

Besides making sure the Root CA is on the device's Trusted Root CA list, would you please tell me the other requirements?

As you mentioned it didn't work with WinXP, is it confirmed that WinXP is not supported with 2048bit+ PEAP?
If yes, what is the alternative way to use a 2048 bit cert on WinXP?

As my users' PCs are on WinXP, I want to know how 2048 bit certs work on WinXP.

Scott Fella Sun, 11/06/2011 - 05:33

Well, I didn't test this on a Windows XP device, since I didn't have any to test with. Microsoft probably came out with a patch to fix this in SP2 or SP3. You can get a trial certificate and test it; this way you know if you need to stick with a 1024 or if you can go with a 2048 until you migrate to Windows 7.


Sent from Cisco Technical Support iPhone App

Scott Fella Fri, 01/13/2012 - 05:09

I have no issues either, even with XP using Windows Zero.


Thanks,


Scott Fella


Sent from my iPhone

ohansen Fri, 01/13/2012 - 05:07

For what it's worth, I have tested GeoTrust's 2048-bit QuickSSL certs installed on ACS 5.3, and they work fine when authenticating Windows 7 and Mac (Snow Leopard) clients, my iToys, as well as XP clients using Intel's supplicant. I haven't had a chance to test the bare-bones XP wireless though.


For those who are worried, I'd say get a test certificate or use the moneyback guarantee by the cert vendor.


It would probably be a good idea for this topic to become properly documented by Cisco, since it drove me too down the wrong alley, having read that larger certs don't work.
