
New Member

PEAP and ACS certificate questions

I am in the process of testing PEAP in our environment using machine authentication with MSCHAPv2. I created a certificate on our internal CA and installed it on the ACS server. It works fine with XP workstations that are domain members. I would like to have the ability to authenticate Windows Mobile users using PEAP as well. It looks like the process to install root certificates on these devices varies and is a royal pain. It seems like if I installed a certificate from a well-known CA such as Entrust or Thawte, I would not have to deal with this issue on these handhelds. My question is whether by doing so I am creating a security hole. It seems like I am not, as the machine has to be in ACS or mapped to an AD group in ACS, and the user needs to be in the appropriate security group as well. Any advice appreciated.

11 REPLIES
Silver

Re: PEAP and ACS certificate questions

Just check out whether this document helps you. It is about PEAP and ACS configuration steps.

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml

Re: PEAP and ACS certificate questions

You can save yourself a whole pile of trouble if you buy a cert from an online CA. Getting certs into mobile devices can be a real pain; use a well-known CA and the root cert will already be present in the device.

You won't be weakening security by using a well-known CA, as this is only one element in the overall security of the system.

One tip with the ACS server: before installing the new certificate, remove the old one. Don't just install the new one on top of the old one, as this can cause problems.

New Member

Re: PEAP and ACS certificate questions

Can you tell me if it matters what the hostname is on the certificate? It seems like there would not be a hostname mismatch anyway.

Re: PEAP and ACS certificate questions

The hostname on the cert shouldn't matter. Generate the CSR on the ACS using its hostname and you should be OK.

New Member

Re: PEAP and ACS certificate questions

There does not seem to be a way to uninstall the existing certificate within ACS admin. Can you tell me how to do this? The only option I see is Install Certificate.

Thanks for your help.

Re: PEAP and ACS certificate questions

Use the Install Certificate option, but without installing a new certificate : ) That removes the existing one; then go through the process again to install the new cert.

New Member

Re: PEAP and ACS certificate questions

Dear all,

I will use TLS-EAP security and install certs in ACS and the client laptop, but when I try to connect it takes a long time attempting to authenticate and then does not connect. In the ACS the report is "EAP_TLS or PEAP authentication failed during SSL handshake".

What's the problem? Please help.

New Member

Re: PEAP and ACS certificate questions

Hi,

Can you tell me if the client can authenticate without the certificate if you disable the "validate certificate" option for wireless on the laptop?

Cisco Employee

Re: PEAP and ACS certificate questions

Hi,

The "SSL Handshake failure" is seen when the client or server does not recognize the CA which signed the certificate presented to it.

You will need to install the root certificate of the CA in the AAA server and in the client's certificate store (user's and/or machine's, depending on the authentication).

If you uncheck "Validate Server Certificate" on the client, then the client machine will not check the signing authority of the server's certificate. The client will be able to authenticate.
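
The trust-chain check described in this reply, reproduced as a small offline lab (added here; not from the original thread or from Cisco). It uses only the openssl CLI, all CA and host names are constructed, and nothing touches a real ACS. It shows why a server certificate is rejected when the peer does not hold the signing CA's root, and, because a public root alone would accept any certificate that CA ever issued, it also shows the expected-server-name check a supplicant should be configured with alongside root validation.

```shell
#!/bin/sh
# Constructed lab: reproduce "authentication failed during SSL handshake" as a
# chain-validation failure, then the fix (trusting the right root). All names
# are assumptions; LAB is a scratch directory.
set -e
LAB="${LAB:-$(mktemp -d)}"
cd "$LAB"

# Two independent roots: the enterprise CA that signs the ACS cert, and an
# unrelated one (the situation when the client has the wrong root installed).
mk_root() {  # $1 = file prefix, $2 = CN
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.pem" \
    -subj "/CN=$2" -days 30 >/dev/null 2>&1
}
mk_root enterprise-ca "Lab Enterprise Root CA"
mk_root other-ca      "Some Other Root CA"

# Server (ACS) certificate issued by the enterprise CA, CN = its hostname.
openssl req -newkey rsa:2048 -nodes -keyout acs.key -out acs.csr \
  -subj "/CN=acs01.lab.example" >/dev/null 2>&1
openssl x509 -req -in acs.csr -CA enterprise-ca.pem -CAkey enterprise-ca.key \
  -CAcreateserial -out acs.pem -days 30 >/dev/null 2>&1

# What "Validate Server Certificate" does: chain-check the presented cert
# against the roots installed on the client. Returns 0 (ok) or 1 (handshake
# would be aborted).
verify_against() {  # $1 = trusted root file
  if openssl verify -CAfile "$1" acs.pem >/dev/null 2>&1; then
    echo "root $1: chain ok"; return 0
  fi
  echo "root $1: chain FAIL, handshake would abort"; return 1
}

# Root validation plus the expected server name ("Connect to these servers").
# With a public root this second check is what stops any other certificate
# from that CA being accepted as the RADIUS server.
verify_with_name() {  # $1 = trusted root file, $2 = expected hostname
  openssl verify -CAfile "$1" -verify_hostname "$2" acs.pem >/dev/null 2>&1
}

verify_against enterprise-ca.pem
verify_against other-ca.pem || true
```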

New Member

Re: PEAP and ACS certificate questions

So what's the best way to configure TLS EAP

and install the certificate on the client and ACS SE?

Thanks in advance.

Cisco Employee

Re: PEAP and ACS certificate questions

With EAP-TLS it is always better to have your domain controller push certificates to the clients and use the enterprise CA to issue a certificate to ACS.

The clients will always trust the ACS since the same CA issued the certificates to both ends.
