Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
540
Views
0
Helpful
3
Replies

Cisco ACS Self Signed certificates vs others?

jorge.s
Level 1
Level 1

‎12-12-2007 03:41 AM - edited ‎07-03-2021 03:05 PM

Hi,

we are currently implementing Cisco ACS Self Signed certificate, for PEAP-MSChapv2 Wireless Access, where we have our Cisco ACS linked to the Microsoft Active Directory. So, we are distributing the Certificates through GPO's.

What can be the risks, and what would make us consider having either our own CA Server? or even getting external certificates?

Thanks

Jorge

Labels:
0 Helpful
3 Replies 3

huangedmc
Level 3
Level 3

‎12-14-2007 11:30 AM

The only thing I can think of is the self-signed cert doesn't work w/ Intel ProSet software.

We don't distro the cert through GPO to everyone though so am not sure if it applies to your case.

0 Helpful

Richard Atkin
Level 4
Level 4

‎12-14-2007 05:37 PM

Hi Jorge,

There are two reasons a server-side certificate is used for PEAP.

Firstly, it protects the inner authentication method, in your case, it's protecting the MSCHAPv2 exchange. This is pretty secure regardless of whether you use self signed, corporate or 3rd party certificates.

The second reason is that it allows the client to authenticate the radius server BEFORE it even thinks about begining the MSCHAPv2 authentication process. If you're only using Self Signed certificates, then it's likely the Root CA for your ACS isn't installed on your clients, and so you're not doing any checks on the identity of the radius server prior to begining MSCHAPv2. Not checking the identity of the radius server leaves your clients vulnerable to man-in-the-middle and DoS attacks. If you decide to use an internal CA, then make sure your laptops all receive a copy of the internal CA, and that they are configured to check for it. If you decide to buy a 3rd party certificate for your radius server, make sure you buy a certificate that the clients already have the Root CA for.

This is the basic functionality of PEAP, and is the same on all PEAP-capable devices, including the Intel utility.

Best regards,

Richard

0 Helpful

andrew.brazier
Level 4
Level 4
In response to Richard Atkin

‎12-19-2007 05:58 AM

I would generally recommend buying in a cert as it saves the hassle of setting up your own CA and distributing your own root certs both of which can be a major hassle.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card