Cisco Support Community
New Member

ACS5.1 and PEAP. Use self-signed certificate generated by ACS?

I'm working with a customer who wants to run PEAP using MS-CHAPv2. They are using the Windows XP supplicant.

With prior versions of ACS (3.x, 4.x), I generated a self-signed cert on the ACS server itself and imported it onto the Windows machine.

Is this concept still valid with ACS5.1? (My customer opened a TAC case and the engineer said that the Cert must be from an external certificate authority.)

Thanks.

3 REPLIES
Cisco Employee

Re: ACS5.1 and PEAP. Use self-signed certificate generated by AC

Hi kbyrd:

I'm looking at a self-signed cert from an ACS 5.1 box and it meets the version, EKU and server authentication criteria set out in the EAP-TLS Deployment Guide for Wireless LAN Networks (http://tools.cisco.com/squish/A506C) document under section 5.2.2. The server side cert is the same for both PEAP and EAP-TLS.

As long as the client isn't validating the server certificate, that should be fine.  I don't have an XP client to test with or I'd say more definitively.

Sincerely,

Rollin Kibbe

Network Management Systems Team

New Member

Re: ACS5.1 and PEAP. Use self-signed certificate generated by AC

Thanks for your response, Rollin.

I could validate the self-signed cert if I exported it from the ACS and imported it into my Windows XP desktop. Correct? Thanks.

Cisco Employee

Re: ACS5.1 and PEAP. Use self-signed certificate generated by AC

Hi kbyrd:

Yes, it's my understanding that's how it's supposed to work.  In order to do validation, the client has to have something to validate against.

Rollin
