Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

certificates to 802.1x LEAP ethernet and wireless clients

Hello guys, I have just configured a radius server, active directory domain controller and certificate server on one windows 2003 pc. I have generate a self-signed digital certificate and used certificate server to generate a root certificate from it. I have exported it as a 'public key only' and saved it on the desktop of the radius server.

1) I configure the radius server policy to accept connections from wireless and Ethernet connections using 'PEAP'

2) And that the user must supply a user name and password from active directory. Before entering the network.

3) I am planning on using 802.1x port security ( config-if # dot1x port-security auto )on the switch connecting to the pc

4) i am planning on pointint the switch to server and server to switch. i will also configure the client network cards for PEAP.

What I don't know is how will the client pc get this certificate that is on my radius server? Do they need to have a copy on their own machines for them to be able to communicate with the server? This is where I am lost



Re: certificates to 802.1x LEAP ethernet and wireless clients

Certificates are a matter of trust - if an entity trusts the root (your CA) of a user certificate, and the certificate itself has no other problems, then it automatically trusts the certificate. If your RADIUS server and user/machine certificates all came from the same root (your self-signed CA), and you put the root certificate (public key version) in the trusted list, then you are good to go.

If you are using the Microsoft PKI services on your server (that is also your domain controller), then I'm pretty sure that your windows computers will automatically trust your root once the windows computers have been joined to your domain.

Also - for PEAP on Windows computers, you can completely disable the client's verification of the (RADIUS) server certificate. It's great for testing, but I recommend deploying with server certificate validation enabled.

Lastly - if you're building a lab, you may also want to investigate user and computer certificates and EAP-TLS. Windows CA with windows clients makes it very simple to deploy. Macintoshes are a pain, no matter what kind of CA you use.