Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
573
Views
0
Helpful
1
Replies

ACS 4.2 RADIUS - Wireless - Certificates

Go to solution
epatrickwhite
Level 1
Level 1

‎07-17-2009 04:24 PM - edited ‎03-10-2019 04:35 PM

I setup our ACS 4.2 server for TACACS and also to provide RADIUS authentication for our WLAN and eventually will use it for 802.1x authentication for the LAN.

I am not an expert on certificates. I called TAC to get assistance installing the self signed certificate on ACS. This allowed me to build and test my WLan. Now that I am near the point of going live with this I'd like to install a certificate that won't expire in 1 year.

How do most people do this? We do have a windows 2003 server that acts as the Certificate Authority for other services. Should I be doing something with that? And how do most people get these certifactes deployed to the clients? by GPO?

Clearly I am not very familiar with Certificates and I apologize for this, but reading about them is getting confusing, if someone could point me in the right direction that would be a big help! Thank you!

Edit: I should mention I've been using PEAP with the self signed certificate. And currently manually installing the certificate on my test clients. As it is right now everytihng on my WLan works great: authentication, vlan assignment, etc. I'm just confused on the best practice for the certificate.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jagdeep Gambhir
Level 10
Level 10

‎07-20-2009 09:08 AM

ACS can only provide validity of one year. Using Microsoft CA you configure it for 5...6...7 years, depending upon your need.

It is easy to handle and manage it via GPO.

Two PEAP scenarios,

Using peap without validate server option checked---> Easy to deploy as cert is required only on ACS.

Using PEAP with validate server option checked---> Needs CA cert on each client.

Also you can get the certs from vendors like Verisign, Entrust, Equifax , GeoTrust etc. The advantage with these certs are that we don't have to install CA on each client as it is installed by default on each operating system.

Hope that helps!

Regards,

~JG

Do rate helpful posts

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Jagdeep Gambhir
Level 10
Level 10

‎07-20-2009 09:08 AM

ACS can only provide validity of one year. Using Microsoft CA you configure it for 5...6...7 years, depending upon your need.

It is easy to handle and manage it via GPO.

Two PEAP scenarios,

Using peap without validate server option checked---> Easy to deploy as cert is required only on ACS.

Using PEAP with validate server option checked---> Needs CA cert on each client.

Also you can get the certs from vendors like Verisign, Entrust, Equifax , GeoTrust etc. The advantage with these certs are that we don't have to install CA on each client as it is installed by default on each operating system.

Hope that helps!

Regards,

~JG

Do rate helpful posts

0 Helpful
Customers Also Viewed These Support Documents