
New Member

Self signed cert on ACS for PEAP MS Chap v2

Hi,

Currently I'm using a self-signed cert on my ACS server. The ACS server itself generated the cert and private key.

The ACS server forwards the authentication requests from the laptops to a Windows database.

I'm just wondering what downsides if any there are by having the ACS server generate its own certs in my particular setup.

Eoin.

6 REPLIES
Cisco Employee

Re: Self signed cert on ACS for PEAP MS Chap v2

By default, there'd be no reason for your clients to trust this cert. Wouldn't recommend to use this in production.

New Member

Re: Self signed cert on ACS for PEAP MS Chap v2

Ideally what should I be doing ?

New Member

Re: Self signed cert on ACS for PEAP MS Chap v2

I'm going to go with a digitally signed cert that other sites are using, so that clients from other sites can connect to the local wireless seamlessly.

However, if this wasn't the case, is there a security risk in using self-signed certs?

New Member

Re: Self signed cert on ACS for PEAP MS Chap v2

In the best case, you'll configure your clients to validate the server certificate. With that option, you'll make sure that there are no honeypots or rogue APs that want to fool your clients. So "validating server certificates" is a good thing. To make that work, the clients have to know and trust the CA of the authentication server. If it's a self-signed ACS cert, it could be a tough enrollment process. If you already have your own CA, just issue a server cert to the ACS server. Normally your client should have the CA cert of your own CA. If not, simply enroll it.

New Member

Re: Self signed cert on ACS for PEAP MS Chap v2

I went with the CA cert. Just makes things easier.

You say to enroll the cert if the client doesn't have it ... my understanding of PEAP-MSCHAPv2 is that one of its main advantages is that it only uses server-side certs and not client-side certs.

New Member

Re: Self signed cert on ACS for PEAP MS Chap v2

You're right - when using PEAP, you'll only need server certificates for authentication. However, if you want to enforce that the client only connects to your APs*, the clients need to validate the server certificate. The only way to validate the server cert is to check whether it was issued by a trusted CA. A trusted CA could be, for example, VeriSign (per system default) or your own CA (if you added it). Check the certificate store on your client - you'll find all trusted CAs there.

If you issue a server cert to your ACS server with a CA the client doesn't trust, validation is impossible.

A trusted CA cert is NOT a client certificate.

*(Rogue APs simulate valid APs (same SSID, encryption and authentication) to obtain user credentials or other data)
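The two replies above describe the trust decision a PEAP client makes before it sends MSCHAPv2 credentials inside the TLS tunnel: the server certificate presented by the ACS must chain to a CA in the client's trust store, and a rogue AP can only present a cert that does not. The script below is an added example, not code from the thread or from Cisco; it reproduces that decision with the openssl CLI rather than a real EAP exchange. The CA name "Corp Root CA", the server name "acs.corp.example" and the file names are assumptions, and it assumes the openssl command is installed.

```shell
#!/bin/sh
# Added example (not from the thread). Shows, with the openssl CLI, why a
# PEAP client with "validate server certificate" enabled rejects a rogue
# server's self-signed cert even when that cert copies the real server name.
# "Corp Root CA" and "acs.corp.example" are hypothetical names.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. The organisation's own CA. Its certificate (ca.pem, not ca.key) is the
#    one thing that has to be distributed to the clients' trust stores.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout ca.key -out ca.pem -subj "/CN=Corp Root CA" >/dev/null 2>&1
}

# 2. A server certificate for the ACS, issued by that CA (acs.pem + acs.key
#    are what get installed on the ACS).
issue_acs_cert() {
    openssl req -newkey rsa:2048 -nodes -keyout acs.key -out acs.csr \
        -subj "/CN=acs.corp.example" >/dev/null 2>&1
    openssl x509 -req -days 1 -in acs.csr -CA ca.pem -CAkey ca.key \
        -CAcreateserial -out acs.pem >/dev/null 2>&1
}

# 3. What a rogue AP / honeypot RADIUS server can produce on its own: a
#    self-signed certificate carrying the SAME subject name as the real ACS.
#    Without ca.key it cannot obtain a cert that chains to Corp Root CA.
make_rogue_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout rogue.key -out rogue.pem -subj "/CN=acs.corp.example" >/dev/null 2>&1
}

# The client's check: $1 = CA certificate(s) the client trusts,
# $2 = certificate presented by the authentication server.
# Exit status 0 means the chain is valid and the client may continue.
client_validates() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca
issue_acs_cert
make_rogue_cert

for cert in acs.pem rogue.pem; do
    if client_validates ca.pem "$cert"; then
        echo "$cert: chains to Corp Root CA -> client continues with MSCHAPv2 in the TLS tunnel"
    else
        echo "$cert: not issued by a trusted CA -> client must abort before sending credentials"
    fi
done
```

Run as `sh peap-trust.sh`; acs.pem is accepted and rogue.pem is rejected, even though both carry CN=acs.corp.example. The name match alone buys nothing; the chain to a CA the client already trusts is what separates the real ACS from a honeypot. On Windows supplicants the equivalent controls are in the PEAP properties: "Validate server certificate" (the chain check above), the list of trusted root CAs (which CA file stands in for `ca.pem`), and "Connect to these servers" (an additional name check on the server cert). A self-signed ACS cert can be made to validate by importing it into every client's trusted root store, but that is the enrollment burden the reply above warns about, and it has to be repeated at every renewal.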
