713 Views · 5 Helpful · 11 Replies

PEAP and ACS certificate questions

mabouchard
Level 1

I am in the process of testing PEAP in our environment using machine authentication with MSCHAPv2. I created a certificate on our internal CA and installed it on the ACS server. It works fine with XP workstations that are domain members. I would like to have the ability to authenticate Windows Mobile users using PEAP as well. It looks like the process to install root certificates on these devices varies and is a royal pain. It seems like if I installed a certificate from a well-known CA such as Entrust or Thawte, I would not have to deal with this issue on these handhelds. My question is whether by doing so I am creating a security hole. It seems like I am not, as the machine has to be in ACS or mapped to an AD group in ACS, as well as the user needing to be in the appropriate security group. Any advice appreciated.

11 Replies

wong34539
Level 6

Just check out whether this document helps you. It is about PEAP and ACS configuration steps.

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml

andrew.brazier
Level 4

You can save yourself a whole pile of trouble if you buy a cert from an online CA. Getting certs into mobile devices can be a real pain; use a well-known CA and the root cert will already be present in the device.

You won't be weakening security by using a well-known CA, as this is only one element in the overall security of the system.

One tip with the ACS server: before installing the new certificate, remove the old one. Don't just install the new one on top of the old one, as this can cause problems.

Can you tell me if it matters what the hostname is on the certificate? It seems like there would not be a hostname mismatch anyway.

The hostname on the cert shouldn't matter. Generate the CSR on the ACS using its hostname and you should be OK.

There does not seem to be a way to deinstall the existing certificate within ACS admin. Can you tell me how to do this? The only option I see is to Install Certificate.

Thanks for your help.

Use the Install Certificate option, but without installing a new certificate :) That removes the existing one; then go through the process again to install the new cert.

Dear all,

I will use EAP-TLS security and have installed the certificate on the ACS and the client laptop, but when I try to connect it takes a long time attempting authentication and then does not connect. In the ACS the report is: EAP_TLS or PEAP authentication failed during SSL handshake.

What's the problem? Please help.

ahmedalshami
Level 1

Hi,

Can you tell me if the client can authenticate without the certificate if you disable the "validate certificate" option in the wireless settings on the laptop?

Hi,

The "SSL handshake failure" is seen when the client or server does not recognize the CA which signed the certificate presented to it.

You will need to install the Root Certificate of the CA in the AAA Server and the client's certificate storage (user's and machine's depending on the authentication).

If you uncheck "Validate Server Certificate" on the client, then the client machine will not check the signing authority of the server's certificate, and the client will be able to authenticate.

So what's the best way to configure EAP-TLS,

and install the certificate on the client and the ACS SE?

Thanks in advance.

With EAP-TLS it is always better to have your domain controller push certificates to the clients and use the enterprise CA to issue a certificate to ACS.

The clients will always trust the ACS since the same CA issued the certificates to both ends.
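The handshake failure and the "same CA at both ends" advice above come down to one check: the supplicant tries to build a chain from the server's certificate to a root it has imported. The script below is an added example (not from this thread or from Cisco) that reproduces that check with openssl on a throw-away CA. The CA names, the hostname acs.example.local and the file names are constructed; the only assumption is an openssl binary on PATH. It also shows why the hostname alone is not what decides trust: a certificate for the very same hostname issued by a CA the client has never imported still fails, which is the condition "Validate Server Certificate" exists to catch.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "CA not recognised" failure
# with openssl. CA names and the hostname acs.example.local are constructed;
# the only assumption is an openssl binary on PATH.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal request config so the example does not depend on the system openssl.cnf
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# make_ca "Display Name" prefix : a self-signed root, like the internal CA in the thread
make_ca() {
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 365 -subj "/CN=$1" -keyout "$WORK/$2.key" -out "$WORK/$2.crt" \
        >/dev/null 2>&1
}

# make_server_cert ca_prefix hostname : a server cert issued by that CA, the
# equivalent of the CSR generated on the ACS and signed by the CA
make_server_cert() {
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1 \
    && openssl x509 -req -sha256 -days 365 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.crt" >/dev/null 2>&1
}

# check_server_cert trusted_ca_prefix hostname : what a supplicant does with
# "Validate Server Certificate" ticked. Prints "trusted" or "untrusted".
check_server_cert() {
    if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# Demo: the client trusts only "Internal CA". The ACS cert that CA issued
# verifies; the same cert checked against a root the client never imported
# does not, which is the SSL handshake failure reported in the thread.
make_ca "Internal CA" internal
make_ca "Unknown CA" unknown
make_server_cert internal acs.example.local
echo "ACS cert from Internal CA, client trusts Internal CA: $(check_server_cert internal acs.example.local)"
echo "Same cert, client trusts only Unknown CA:            $(check_server_cert unknown acs.example.local)"
```

Run it as `sh peap-trust-check.sh`; the first line prints `trusted`, the second `untrusted`. The fix for the second case is the one given above: import the issuing CA's root on the client (or buy from a CA whose root is already there), not unticking validation, which would make the client accept the second certificate as well.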
