ACS 4.1 PEAP using public signed certificate (verisign)


Could you give me some advice about the PEAP implementation with ACS server. I understand that a self-signed certificate should work well but I have these thoughts. The self-signed certificate is valid for 1 year and after this period a new self-signed certificate has to be created. What should be the impact on the wireless users at this point? What I understand is that the new certificate should also be imported to the clients so they can validate the server certificate. If that is correct (not sure though) this will bring a huge amount of work when the certificate is expired and having hundreds of wireless clients.

Is it possible (and what are the requirements of the certificate itself) to install any publicly signed certificate like Verisign's one on the ACS for the PEAP process? Will that ease the workload when the certificate has to be renewed? I assume that any Windows machine, for example, has by default trusted root certificates - Verisign - in its store and no further interaction should be needed on the client side.

First we need to understand why a cert is important. A cert is used to create a tunnel that allows the wireless client to send their logon in a secure fashion. So if you could imagine a tunnel over wireless/wired between your client and the radius server.

The idea of trusting the cert is SPECIFIC to the wireless client. You can choose to TRUST the cert or NOT. Totally client independent. Why this is important: suppose for a moment that someone comes into your place of business and broadcasts your SSID from their AP. Your clients could attach to this AP. And suppose they run FREERADIUS on a small box. From this radius server this person sends a BOGUS cert. If your client isn't trusting the correct cert or not trusting ANY, your client will accept the bogus cert, build a TLS tunnel, and send their logon.

Can you get a signed cert? Yes, most folks do as it eases deployment. Or if you have a PKI you can push your own cert.

Also, note you can have your client really analyze the cert and only trust specific certs and cert common names, example ACS01-ABC.

I forgot to mention that there is no PKI or CA I can use for creating and signing certificates in the network. The wireless clients are not part of any domain or whatever.

Yes, I understand that the client should be configured to validate the server certificate and I would like to validate the server certificate for the reasons you gave above.

I couldn't find any information about:

Can I use a certificate requested from VERISIGN/GoDaddy or whatever and installed on the ACS server for the wireless client to authenticate the server? What are the requirements for that certificate? Can I use one given for SSL for example?

My other wonderings are: shall I reconfigure each wireless station to validate the new self-signed certificate after 1 year? As far as I understand the ACS self-signed certificate (ACS 4.1) is valid for 1 year. And what about the supporting activities such as importing the new ACS self-signed certificate to the wireless stations? This would be a huge consideration.

Yes, an SSL cert; check ACS 4.1, as I recall you can only do 1024 SHA1. You can also do the CSR right from the ACS box. Once you have the CSR, present it to your CA. You can give it a common name like ACS01 or something.

Yes, you are correct, the SSC is valid only for 1 year. Yes, you would have to import it to the client. Once in the client's cert store you can then point out to trust that specific cert. Lots of work...
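The thread's two practical points are that the supplicant must validate the RADIUS server's certificate against a trust anchor it already holds (a public CA, or the one-year self-signed ACS cert pushed into the client store) and that it should additionally pin the expected common name (e.g. ACS01), since a rogue AP with a FreeRADIUS box can otherwise present any cert and harvest logons. The Go program below is an added illustration written for this page, not code from Cisco ACS or from anyone in the thread; it generates throwaway test certificates (a hypothetical trusted CA, a genuine "ACS01" server cert, a cert with the wrong CN, an expired cert, and a self-signed "rogue" cert that copies the CN) and runs the same checks a well-configured client performs before it opens the PEAP tunnel. The CA name "Trusted Root CA" and the server name "ACS01" are assumed values for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // increasing serial numbers for the constructed test certs

// makeCert builds a throwaway certificate for this demo. When parent is nil the
// certificate is self-signed (what a stand-alone CA, or a rogue RADIUS box,
// produces); otherwise it is signed by the parent's key.
func makeCert(cn string, isCA bool, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-24 * time.Hour),
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// ValidateServerCert performs the checks a properly configured supplicant does
// before it opens the PEAP TLS tunnel and sends credentials through it: the
// server cert must chain to the one CA the client trusts, be inside its
// validity period, and carry the common name the client expects (e.g. ACS01).
func ValidateServerCert(server, trustedCA *x509.Certificate, expectedCN string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	opts := x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if _, err := server.Verify(opts); err != nil {
		return fmt.Errorf("chain/validity check failed: %w", err)
	}
	if server.Subject.CommonName != expectedCN {
		return fmt.Errorf("common name %q is not the expected %q", server.Subject.CommonName, expectedCN)
	}
	return nil
}

// RunScenarios plays out the cases discussed in the thread and reports, per
// scenario, whether the client would accept the presented server certificate.
func RunScenarios() map[string]bool {
	now := time.Now()
	year := now.Add(365 * 24 * time.Hour)
	// The anchor the client has been told to trust: a public CA, or the
	// one-year self-signed ACS cert imported into the client store.
	ca, caKey := makeCert("Trusted Root CA", true, year, nil, nil)
	genuine, _ := makeCert("ACS01", false, year, ca, caKey)
	wrongCN, _ := makeCert("ACS02", false, year, ca, caKey)
	expired, _ := makeCert("ACS01", false, now.Add(-time.Hour), ca, caKey)
	// A rogue RADIUS server presents a self-signed cert that copies the CN.
	rogue, _ := makeCert("ACS01", false, year, nil, nil)

	cases := map[string]*x509.Certificate{
		"genuine": genuine, "wrongcn": wrongCN, "expired": expired, "rogue": rogue,
	}
	results := make(map[string]bool)
	for name, c := range cases {
		results[name] = ValidateServerCert(c, ca, "ACS01") == nil
	}
	return results
}

func main() {
	for name, ok := range RunScenarios() {
		fmt.Printf("%-8s accepted=%v\n", name, ok)
	}
}
```

Only the genuine cert passes; the rogue cert fails the chain check even though its common name matches, which is why the CN pin on its own is not enough, and the expired cert fails too, which is the renewal problem the thread describes: when the one-year self-signed ACS cert rolls over, every client's trust anchor has to change, whereas a cert issued by a public CA already in the clients' stores only needs the server side re-issued. On a real supplicant the same three checks map to "Validate server certificate", the trusted root CA selection and "Connect to these servers" in the Windows PEAP properties, or to `ca_cert` plus `subject_match`/`domain_match` in wpa_supplicant.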

