I am in the process of testing PEAP in our environment using machine authentication with MSCHAPv2. I created a certificate on our internal CA and installed it on the ACS server. It works fine with XP workstations that are domain members. I would like to have the ability to authenticate Windows Mobile users using PEAP as well. It looks like the process to install root certificates on these devices varies and is a royal pain. It seems like if I installed a certificate from a well-known CA such as Entrust or Thawte I would not have to deal with this issue on these handhelds. My question is whether by doing so I am creating a security hole. It seems like I am not, as the machine has to be in ACS or mapped to an AD group in ACS, and the user needs to be in the appropriate security group as well. Any advice appreciated.
Just check out whether this document helps you. It is about PEAP and ACS configuration steps.
You can save yourself a whole pile of trouble if you buy a cert from an online CA. Getting certs into mobile devices can be a real pain; use a well-known CA and the root cert will already be present in the device.
You won't be weakening security by using a well-known CA, as this is only one element in the overall security of the system.
One tip with the ACS server: before installing the new certificate, remove the old one. Don't just install the new one on top of the old one, as this can cause problems.
Can you tell me if it matters what the hostname is on the certificate? It seems like there would not be a hostname mismatch anyway.
There does not seem to be a way to uninstall the existing certificate within ACS admin. Can you tell me how to do this? The only option I see is Install Certificate.
Thanks for your help.
Use the Install Certificate option but without installing a new certificate :) That removes the existing one; then go through the process again to install the new cert.
I will use EAP-TLS security and install a cert. in ACS and on the client laptop, but when I try to connect it takes a long time attempting to authenticate and then does not connect. In the ACS the report is "EAP_TLS or PEAP authentication failed during SSL handshake".
What's the problem? Please help.
Can you tell me if the client can authenticate without the certificate if you disable the certificate validation option in the wireless settings on the laptop?
The "SSL Handshake failure" is seen when the client or server does not recognize the CA which signed the certificate presented to it.
You will need to install the Root Certificate of the CA in the AAA Server and the client's certificate storage (user's and machine's depending on the authentication).
If you uncheck "Validate Server Certificate" on the client, then the client machine will not check the signing authority of the server's certificate. The client will be able to authenticate.
With EAP-TLS it is always better to have your Domain controller push certificates to the clients and use the enterprise CA to issue a certificate with ACS.
The clients will always trust the ACS since the same CA issued the certificates to both ends.
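Added example, not code from this thread: a small Go program that models the "Validate Server Certificate" decision the replies above describe. It builds an in-memory enterprise root CA and an ACS certificate issued by it (the names "Example Enterprise Root CA" and "acs.example.local" are constructed), then shows that the client's check only passes when the issuing root is in the client's own store, fails for the same server name signed by an unknown CA (the "SSL handshake" failure), and, with validation switched off, accepts any certificate at all, so the client no longer knows whether it is talking to the real ACS.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// issue makes a cert for cn; parent == nil means self-signed (a root CA, or an unknown signer).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // demo: P-256 keygen from rand.Reader
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotAfter:     time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above, parse cannot fail
	return cert, key
}
// supplicantCheck models the client's "Validate Server Certificate" option. On, the AAA
// server's certificate must chain to a root in the client's store or the TLS handshake is
// refused (ACS reports "failed during SSL handshake"); off, any certificate is accepted.
func supplicantCheck(server *x509.Certificate, validate bool, roots ...*x509.Certificate) error {
	if !validate {
		return nil
	}
	pool := x509.NewCertPool() // the client's trusted-root store (not the OS store)
	for _, c := range roots {
		pool.AddCert(c)
	}
	_, err := server.Verify(x509.VerifyOptions{Roots: pool})
	return err
}
func main() { // constructed names; prints <nil> for the trusted chain, then an unknown-authority error
	ca, caKey := issue("Example Enterprise Root CA", true, nil, nil)
	acs, _ := issue("acs.example.local", false, ca, caKey)
	fmt.Println(supplicantCheck(acs, true, ca), supplicantCheck(acs, true))
}
```

The empty pool stands in for a handheld that never got the root installed: the same ACS certificate that Windows domain members accept fails there, which is the case the thread's first reply avoids by buying a certificate from a CA the device already trusts.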