Cisco Support Community
Community Member

PEAP, ACS and certificates

We recently purchased a Cisco 4200 LAN Controller and 1131ag access points. We also have a Cisco ACS with 3.3.3 installed. I have been researching what is the best security option, and PEAP MSCHAPv2 with WPA2 seems to make the most sense for us since it is highly secure and does not require client-side certificates. I am running into a bit of trouble with this implementation because we do not have an in-house CA. Can I install a certificate from a third party, such as VeriSign, on the ACS? What type of certificate do I need? Do I need to use the Cisco client utility or can I just use Windows with the built-in laptop wireless adapters?



Re: PEAP, ACS and certificates

ACS can generate a "self-signed" certificate. For many/most security implementations, it is sufficient.

If you want to go with a third-party cert (like VeriSign), talk to them and see what they offer. They may have a package price for a variety of certificates (server-side auth, email verification ...).

The MS wireless driver should work fine, but make sure you are using XP w/ Service Pack 2 on the clients. If you have Win2K, *nix, or (probably, maybe?) Mac, you'll want/need to use the Cisco drivers & client application.

Good Luck


Community Member

Re: PEAP, ACS and certificates

The only reason I wanted to go with a third party like VeriSign is because the Windows clients would already trust a cert from them. How do I get my Windows clients to trust the self-generated cert?

Community Member

Re: PEAP, ACS and certificates

The Windows clients will trust them if they trust the root CA. A trusts B, B trusts C, so therefore A trusts C.

1. Install Root Cert on ACS box.
2. Install Identity Cert on ACS.
3. Make sure your Windows clients trust the root from where you received the identity cert for your ACS box.

BTW: The self signed cert from ACS is only good for 1 year.

Were you aware that Cert services are offered with Windows 2000/2003 server? It's fairly easy to set up. One drawback with 2003 is that you have to create a web template for the cert for ACS, but there are plenty of docs out there. Search for "ACS Certificate Windows PEAP". Just post again if you have any questions...
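The trust chain described in the thread can be checked offline with OpenSSL before anything is installed on ACS or the clients. The script below is an added example, not part of any post above: it builds a throwaway root and a server identity certificate, then shows that a client accepts the server certificate only when it has the issuing root installed, and flags a certificate that is close to expiry. All names, lifetimes and paths are constructed placeholders, and the Server Authentication EKU is what Windows PEAP clients check for in the server certificate.

```shell
#!/bin/sh
# Constructed lab PKI: every name, lifetime and path below is a placeholder.
WORK=$(mktemp -d)
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

make_root() {  # $1 = basename and CN; creates a self-signed root certificate
  openssl req -x509 -config "$WORK/ca.cnf" -subj "/CN=$1" -newkey rsa:2048 \
    -nodes -days 365 -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

issue_server_cert() {  # identity cert for the RADIUS server, signed by root "$1"
  openssl req -new -config "$WORK/ca.cnf" -subj "/CN=acs.example.test" \
    -newkey rsa:2048 -nodes -keyout "$WORK/acs.key" -out "$WORK/acs.csr" 2>/dev/null &&
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$WORK/ext.cnf" &&
  openssl x509 -req -in "$WORK/acs.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ext.cnf" -out "$WORK/acs.pem" 2>/dev/null
}

client_trusts() {  # $1 = the only root the simulated client has installed
  openssl verify -no-CApath -purpose sslserver -CAfile "$WORK/$1.pem" \
    "$WORK/acs.pem" >/dev/null 2>&1
}

expires_within_days() {  # true when the server cert expires within $1 days
  ! openssl x509 -noout -checkend $(( $1 * 86400 )) -in "$WORK/acs.pem" >/dev/null
}

make_root issuing_root && make_root unrelated_root && issue_server_cert issuing_root
client_trusts issuing_root   && echo "client with issuing root installed: accepts server cert"
client_trusts unrelated_root || echo "client without issuing root: rejects server cert"
expires_within_days 60       && echo "server cert expires within 60 days: schedule renewal"
```

The same `openssl verify` and `-checkend` calls work against a real exported ACS certificate and the root file you plan to distribute to clients.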
