Does anyone know whether, in ACS 4.1, the Generate Self-Signed Certificate and Generate Certificate Signing Request options are only valid for 1 year? What about 1 year later? If I re-generate the certificate, will it affect my currently authenticated users? For example, would users be unable to connect via PEAP after the certificate expired?
Interesting question. I would say a connected user would be OK until they next reauthenticate, at which point it will fail. If you generate a new self-signed cert you will also have to install the matching root cert on all your clients = major hassle.
A better idea is to buy a cert with a long enough lifetime to last the lifetime of your solution. I always use www.rapidssl.com for my certs; a 5-year cert is about $300 and the root cert is already built into Windows, Macs, etc., so no need to touch the clients.
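The reply above turns on a simple operational fact: a self-signed ACS cert is only good for 1 year, and PEAP reauthentication fails once it lapses. The script below is an added example, not from the thread or from Cisco; it uses openssl to build a constructed stand-in for a 1-year ACS server certificate (the CN `acs.example.internal` and the 365-day lifetime are assumptions) and then shows how to read the notAfter date and test, ahead of time, whether the cert will still be valid N days from now. Pointing the same two check functions at the real certificate you export from ACS (or receive from a commercial CA) lets you schedule the renewal before clients start failing.

```shell
#!/bin/sh
# Added example (not from the original post). Requires openssl in PATH.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed stand-in for the ACS self-signed server cert.
#   $1 = output PEM path (the private key goes to "$1.key")
#   $2 = validity in days (365 mirrors what the thread reports for ACS 4.1)
make_selfsigned_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1.key" -out "$1" -days "$2" \
        -subj "/CN=acs.example.internal" >/dev/null 2>&1
}

# Print the notAfter date of a PEM certificate, e.g. "Jun  1 12:00:00 2026 GMT".
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Return 0 if the certificate is still valid $2 days from now, 1 otherwise.
# openssl's -checkend takes seconds, so convert days first.
cert_valid_for_days() {
    secs=$(( $2 * 86400 ))
    openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null
}

# Demonstration: a 1-year cert passes a 30-day lookahead but fails a 400-day one,
# which is exactly the window in which PEAP clients would begin to reject it.
CERT="$WORKDIR/acs.pem"
make_selfsigned_cert "$CERT" 365
echo "server cert expires: $(cert_not_after "$CERT")"
if cert_valid_for_days "$CERT" 30; then
    echo "OK: still valid in 30 days"
else
    echo "WARNING: expires within 30 days, renew and redistribute before reauth fails"
fi
if cert_valid_for_days "$CERT" 400; then
    echo "OK: still valid in 400 days"
else
    echo "WARNING: expires within 400 days (expected for a 1-year cert)"
fi
```

Run it on a schedule (cron, a monitoring check) against the exported ACS certificate with a lookahead that matches how long your change window and client root-cert rollout take; with `-checkend` the exit status alone is enough to drive an alert.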
Leveraging ACS's built-in certificate authority is great for testing and if you have a small group of laptops or handhelds. However, for larger installs that leverage AD for authentication you are better off using Windows 2000 or Windows 2003 certificate authority functionality; otherwise you will have to regenerate the certificate and then install this new certificate into the certificate root store of each machine that does PEAP authentication.
Follow this document if you have any questions about installing or configuring MS-PEAP with ACS 4.0 and Windows 2003 Directory Services.
Thanks for the reply, but I feel something is not right. For instance, although my ACS 4.1 certificate has an expiry date, for my client profile I didn't choose any CA server for authentication, which means my client didn't use phase 2 security, which uses a certificate for authentication. So will it face an authentication problem after 1 year?
Got it. Let me force expiration on my ACS server, but my gut feeling is that because you do not validate the CA on the client you will just need to regenerate the certificate and you will be good to go. However, for best practices I would recommend you leverage the CA certificate and check that box; otherwise your information is being sent unencrypted (unless you have a VPN session after connecting).
Wow, the topic is getting interesting now. OK, I get what you mean, but I have implemented WPA2 on my AP, and for the client profile I did choose WPA2-Enterprise. So is this considered unencrypted as well?