Yes, they are validating the server cert, just not able to authorize new servers or certs. Using Windows wireless config, it's the check box under the list of cert authorities. It says "Do not prompt user to authorize new servers or trusted certification authorities." and we have that box checked - so the users can't accidentially authorize a rogue server (man in middle or impersonation attacks).

They recently switched from LEAP to PEAP and since they were already using ACS, they wanted to continue using it.

We had looked at purchasing a 3rd party cert from Verisign (or other), but at the time they weren't sure what they wanted to do or if they wanted to spend the money and commit to a longer term (3 year) cert.

Now that they know they can get a free cert from the ACS server, they are less inclined to go buy a cert. They also don't have a MS cert server setup, or else they could just create their own.

Apparently somebody from Cisco told them that they could just renew the existing cert and as long as it was named the same it would be fine, or that the users may get prompted to accept the new cert.

Well, with that option disabled in the wireless config, I don't think the users will get the prompt or the option to accept the updated cert.

Yes, they are validating the cert.

Using windows config, in the PEAP properties window there are several options - The first is to validate the server cert. That option is checked.

Under trusted root cert authorities, the server is listed and checked.

Under that is the option to "Do not prompt user to authorize new servers or trusted certification authorities." That option is checked - apparently to minimize the risk that the user could be subjected to a man-in-the-middle attack or a rogue AP impersonating the true network.

Seems like you could also use OpenSSL to create a "self-signed" cert, and you could probably specify a much longer timeframe.

If you go the ACS-generated self-cert route, seems like you'll have to touch all the wireless clients each year. You might want to check out how to push the new cert to the clients (so they automagically trust it) via GPO. Since you are using AD and WZC, I highly recommend using a GPO to control your wireless settings. You can kill support for Ad-Hoc networks and force your "corporate" profile to always be the highest priority. You can also force the config of your corporate profile with GPO. It's really nice.

I'm actually running a similar setup on another network. Basically used the George Ou TechRepublic guide for PEAP - self signed certs from the IIS 6 resource kit, pushing out the cert and settings via GPO, and authenticating to win 2k3 server using IAS.

For some reason this network doesn't want to go that route. I guess they are comfortable with ACS and don't want to have to learn something new.

I'll have to look into OpenSSL. I looked at using an IIS 6 generated cert, but ACS doesn't support import of that cert - don't remember if it's because it isn't a recognized authority, or if the format of the cert was not compatible. Either way, ACS wouldn't allow me to import it.

I cautioned them about the 1 year expiration date - this is the 2nd time they've had to do it, but last year was easier as they were doing a relocation and roll-out and already had to touch every computer.

I will try to convince them to look at using a GPO for the cert and settings, or at least purchase a longer cert from a 3rd party.

I take it that I'm correct about the settings prohibiting the ability to renew the cert in ACS and have it work?

Without the users being able to get prompted and authorize the new cert they will just stop working after the current cert expires, and the new cert will need to be installed and the wireless settings will have to be changed?

I would leverage a 3rd party cert, set it for 3 - 4 years and be done with it... The time you spent on this just paid for the cert! lol

good luck

Thanks, they are interested in looking at the 3rd party route.

Can anybody tell me the requirements for the 3rd party cert? I believe they use Verisign for their certs, but they are asking which option they should use.

Also, does anybody know the usual cost and turn around for ordering this? I figured it may be quick, but I've seen that they may take a while to process - is it hours, days, weeks?

Hi,

The kind of certificate it is a regular server certificate.

You could you a windows 2003 as a CA that is a lot cheaper to get one of those and you can make the certificate for as many years do you want.

Please see link below that explains how certificates needs to be request and how to use windows 2003 as a CA.

http://tinyurl.com/9hq4r

If you decide to use another CA you will need the following instructions

Step 1: Create a Certificate Signing Request

Complete these steps:

1.

Choose System Configuration > ACS Certificate Setup > Generate Certificate Signing Request.

2.

Enter a name in the Certificate subject field with the cn=name format.

3.

Enter a name for the private key file.

Note: The path to the private key is cached in this field. If you press submit a second time after the CSR is created, the private key is overwritten and does not match the original CSR. This result in a private key does not match error message when you attempt to install the server certificate.

4.

Enter the private key password and confirm it.

5.

Choose a key length of 1024.

Note: While Cisco Secure ACS can generate key sizes greater than 1024, the use of a key larger than 1024 does not work with PEAP. Authentication might appear to pass in Cisco Secure ACS, but the client hangs while authentication is attempted.

6.

Click Submit

7.

Copy the CSR output on the right-hand side for submittal to the CA.

Once this has been created you send it to the CA and they know what to do.

If you need any assistance let me know.