Cisco ACS Self Signed certificates vs others?

Hi,

We are currently implementing a Cisco ACS self-signed certificate for PEAP-MSCHAPv2 wireless access, where our Cisco ACS is linked to Microsoft Active Directory. So, we are distributing the certificates through GPOs.

What are the risks, and what would make us consider either having our own CA server or even getting external certificates?

Thanks

Jorge


Re: Cisco ACS Self Signed certificates vs others?

The only thing I can think of is the self-signed cert doesn't work with Intel ProSet software.

We don't distribute the cert through GPO to everyone though, so I am not sure if it applies to your case.

Re: Cisco ACS Self Signed certificates vs others?

Hi Jorge,

There are two reasons a server-side certificate is used for PEAP.

Firstly, it protects the inner authentication method; in your case, it's protecting the MSCHAPv2 exchange. This is pretty secure regardless of whether you use self-signed, corporate or 3rd-party certificates.

The second reason is that it allows the client to authenticate the RADIUS server BEFORE it even thinks about beginning the MSCHAPv2 authentication process. If you're only using self-signed certificates, then it's likely the root CA for your ACS isn't installed on your clients, and so you're not doing any checks on the identity of the RADIUS server prior to beginning MSCHAPv2. Not checking the identity of the RADIUS server leaves your clients vulnerable to man-in-the-middle and DoS attacks. If you decide to use an internal CA, then make sure your laptops all receive a copy of the internal CA, and that they are configured to check for it. If you decide to buy a 3rd-party certificate for your RADIUS server, make sure you buy a certificate that the clients already have the root CA for.

This is the basic functionality of PEAP, and is the same on all PEAP-capable devices, including the Intel utility.

Best regards,

Richard
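The following is an added example, not part of the original thread or of Cisco's ACS documentation. It uses openssl to simulate the two supplicant behaviours Richard describes: a client with no trusted root CA (or with server-certificate validation switched off) accepts any certificate that parses, while a correctly configured client chains the RADIUS server's certificate to the trusted CA and checks its name before any MSCHAPv2 material is sent. The CA name "Example Internal Root CA", the host name acs.example.com and the rogue certificate are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread): what a PEAP supplicant must
# do with the RADIUS server certificate, simulated with openssl.
# All names below (acs.example.com, "Example Internal Root CA") are made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config so the demo does not depend on the system default.
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:acs.example.com
EOF

# 1. The internal CA whose root certificate would be pushed to clients via GPO.
openssl req -x509 -config demo.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
  -keyout ca.key -out ca.crt -days 3650 -subj "/CN=Example Internal Root CA" 2>/dev/null

# 2. The legitimate RADIUS (ACS) server certificate, issued by that CA.
openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
  -keyout radius.key -out radius.csr -subj "/CN=acs.example.com" 2>/dev/null
openssl x509 -req -in radius.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -extfile demo.cnf -extensions server_ext -out radius.crt -days 825 2>/dev/null

# 3. A rogue access point's self-signed certificate that copies the server name.
#    Its subject and SAN are identical to the real one; only the issuer differs.
openssl req -x509 -config demo.cnf -extensions server_ext -newkey rsa:2048 -nodes \
  -keyout rogue.key -out rogue.crt -days 825 -subj "/CN=acs.example.com" 2>/dev/null

# A client with no trusted root CA, or with "Validate server certificate"
# unticked, effectively does only this: parse the cert and carry on.
# Returns 0 for any well-formed certificate, real or rogue.
accept_any_cert() {
  openssl x509 -in "$1" -noout -subject >/dev/null 2>&1
}

# A correctly configured supplicant: the certificate must chain to the trusted
# CA ($1) AND carry the expected server name ($3) before MSCHAPv2 starts.
# Returns 0 only when both checks pass.
validate_server_cert() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

for cert in radius.crt rogue.crt; do
  if accept_any_cert "$cert"; then
    echo "no validation: $cert accepted"
  fi
  if validate_server_cert ca.crt "$cert" acs.example.com; then
    echo "validated:     $cert accepted"
  else
    echo "validated:     $cert REJECTED"
  fi
done
```

Both certificates present the same name, so a name check on its own cannot tell them apart; it is the chain to a CA the client already trusts that rejects the rogue certificate. This is why distributing the root CA (internal or public) and enabling server validation on the clients matters more than which kind of certificate the server holds.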

Re: Cisco ACS Self Signed certificates vs others?

I would generally recommend buying in a cert, as it saves the hassle of setting up your own CA and distributing your own root certs, both of which can be a major hassle.
