certificates downloading to any machine a valid user connects to the wireless

We are set up to download a certificate to PCs over wireless when the user is validated. No one has ever explained the point of that. It seems like you do not have 2 factor authentication if you give the second factor away after the first is authenticated. It has come to a head now with all the iPads, iPhones and other devices the users are carrying. If they connect them to the wireless and log in, the system asks if they want to download the certificate and it does. Now we have all these privately owned devices using our company wireless.

So, if it is valid to give out certificates like this, does anyone know how to control which devices they are downloaded to?



certificates downloading to any machine a valid user connects to

I think that you may be wrong.

If the authentication method is PEAP for example, only the server side (your radius server) has to show a certificate.

If the clients don't trust by default that cert, they have a pop up asking if they want to trust it/download it.

That's ok.

It's not that you are giving a new certificate to all the clients; you are always giving the same one, the server's. And it's ok since your cert is public.

Clients should then only authenticate with credentials.

I have never seen any system where both sides (client and server) authenticate with a certificate but the client dynamically receives the certificate; that is indeed pointless. I think you need to clarify what exact security mechanism you are using / what EAP method.

certificates downloading to any machine a valid user connects to

I think what you are seeing is the radius server sending the server side certificate, or if you are using GUEST access perhaps you are seeing the WEB certificate and confusing the two?

As Nick pointed out,

PEAPv0 MSCHAPv2 is server side only

PEAPv0 TLS is both server and client side

TLS is both server and client side

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
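To make the difference between the two models concrete, here is an added example (not from this thread or from Cisco) of wpa_supplicant network blocks: one for PEAP/MSCHAPv2 with the RADIUS CA and server name pinned so the supplicant validates the server certificate silently instead of prompting the user to trust it, and one for EAP-TLS where the client must already hold its own certificate. The SSID, identity, file paths and server name are placeholders.

```conf
# Added example (not from the thread): wpa_supplicant network blocks for the
# two models described in the replies. SSID, identity, certificate paths and
# the RADIUS server name are placeholders for your own values.

# PEAP/MSCHAPv2: only the RADIUS server presents a certificate. With ca_cert
# and domain_suffix_match set, the supplicant checks the server certificate
# against the pinned CA and expected name itself, so the user is never asked
# whether to trust/download it, and a server that does not match is rejected
# before the password is sent.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}

# EAP-TLS: both sides authenticate with certificates. The client certificate
# and private key must already be on the device (issued through your own
# enrollment process); they are not handed out by the RADIUS server during
# the exchange, so only devices you have enrolled can join. This is the model
# that lets you control which devices get onto the network.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="jdoe@example.com"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    client_cert="/etc/wpa_supplicant/jdoe.crt"
    private_key="/etc/wpa_supplicant/jdoe.key"
    domain_suffix_match="radius.example.com"
}
```

On Windows and Apple supplicants the equivalent settings are the "validate server certificate" / trusted root CA and server name options in the wireless profile; the PEAP block above is what the original poster's users are being prompted about when those are left unset.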