
New Member

Getting XP Clients to trust ACS Self sign Cert

Hi,

I'm implementing ACS 4.0 to provide PEAP security on a customer's WLAN. I'd like to use the self-signed certificate feature within ACS, because it's easy to use and I don't want to 'play' with the customer's servers to install a CA unless I really have to (deniability!!).

My question is, how do I get the XP Clients to trust the certificate installed on the ACS when the 'Authenticate Server' option is enabled on the PEAP client?

Due to the range of client adapters on the network and the only common factor being that they all run XP SP2, I plan to use the 'wireless zero configuration' option on those clients.

I presume I have to tick the relevant CA box on the client trust list, but how do I get the cert to appear in that trust list?

Regards all,

Dan

6 REPLIES

Re: Getting XP Clients to trust ACS Self sign Cert

Dan,

When using PEAP there is no need to have the client trust the (server) ACS certificate.

On XP, please do not enable "Validate server certificate".

Regards,

New Member

Re: Getting XP Clients to trust ACS Self sign Cert

Thanks for your reply,

I need to validate the server certificate to strengthen against 'man in the middle' attacks. But I'm struggling to figure out how to trust the SSC from the ACS.

There must be a way of adding that CA to the client's Certificate Trust List?

This network will be the subject of a Pen test when it's finished and I need to make it as secure as possible.

I know EAP-TLS is stronger, but certificates on all the clients are too cumbersome to manage (customer's point of view).

At least using this method (if implemented properly), the customer only has to maintain the server cert every year.

Regards,

Dan

Cisco Employee

Re: Getting XP Clients to trust ACS Self sign Cert

This is the price you pay for dealing with self-signed certs. There's no guarantee they'll be trusted. Self-signed certs are not typically recommended for a production deployment.

Hope this helps,

New Member

Re: Getting XP Clients to trust ACS Self sign Cert

Hi Dan,

You need to copy out the root certificate and install it on the client. You should have a copy when you generate the self-signed cert on the ACS. There are two ways to install the cert on the client: you could copy the cert onto a thumb drive and install it manually on all the machines, or use auto-enrollment via GPO.

Cheers,

Phoon
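The manual route Phoon describes, as an added example that is not from this thread or from Cisco: a PowerShell script that installs the exported ACS self-signed cert into the machine's Trusted Root store only after checking it is self-signed and that its thumbprint matches the value recorded on the ACS, so a swapped file is never trusted. The file path and the thumbprint placeholder are assumptions; run it as an administrator, then tick the ACS entry under Trusted Root Certification Authorities in the PEAP properties.

```powershell
# Added example, not Cisco's or the thread's own code.
# Assumptions: the ACS self-signed root was exported to acs-root.cer and its
# SHA-1 thumbprint was read from the ACS GUI (replace the placeholder below).
param(
    [string]$CertPath = 'C:\certs\acs-root.cer',              # assumed path
    [string]$ExpectedThumbprint = 'PLACEHOLDER_SHA1_THUMBPRINT' # fill in from ACS
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# A self-signed root has identical subject and issuer; anything else is not
# the ACS root and must not be added to the Trusted Root store.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not a self-signed certificate: subject '$($cert.Subject)', issuer '$($cert.Issuer)'"
}

# Compare against the thumbprint recorded out-of-band on the ACS so that a
# wrong or tampered .cer file is rejected before it becomes trusted.
$normalized = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $normalized) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $normalized"
}

# The thread notes the ACS cert is renewed yearly; warn early so the new root
# can be pushed to clients before the old one expires and PEAP starts failing.
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); plan the renewal now"
}

# Add to the machine-wide Trusted Root store, which is what the wireless zero
# configuration PEAP trust list reads from.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()
Write-Host "Installed '$($cert.Subject)' ($($cert.Thumbprint)) into LocalMachine\Root"
```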

New Member

Re: Getting XP Clients to trust ACS Self sign Cert

Thanks Phoon,

I'd just kind of reached the same conclusion. Can you use USB thumb drives on the MCS appliance?

Good idea with the GPO. I think that's the best way to go, should save hours of work going round the clients manually. I was planning to use this method for configuring the client wireless settings also.

There's a good article on Tech Republic about this (ignore the slagging that ACS gets!); just do a search for 'Configure PEAP Cisco'.

I'll let you know how I get on and rate accordingly.

Thanks for your help.

Dan

New Member

Re: Getting XP Clients to trust ACS Self sign Cert

Hi Dan,

If your box doesn't support USB, I'm sure you can copy out the cert using other methods. I'm not familiar with the MCS appliance but I'd think it should be the same, as far as the interface is concerned.

Good luck!

Cheers,

Phoon
