Community Member

PEAP Happening without certificate

How could PEAP authentication be successful without a server certificate on the client? I mean, it is not installed or auto-enrolled on the client, which is Windows XP with SP2.

I am using an ACS appliance which runs 4.0 and has a self-signed certificate in it.

I believed no one could log in to the network without the certificate on the client, either physically installed or auto-enrolled, but I was able to log in without a certificate. How could this be possible?

1 ACCEPTED SOLUTION

Accepted Solutions
Green

Re: PEAP Happening without certificate

For PEAP, the certificate is there for the client to validate that it is connecting to the right server; it is not there to support validating the client TO the server.

Verifying the validity of the server prevents / reduces the chance that someone is executing something like a "Man-in-the-Middle" attack.

If you are trying to verify the client to the server (server validates the client), then you need something like EAP-FAST or EAP-TLS ... EAP-TLS would require a certificate on the client.

Choosing an auth/auth scheme will depend on who/what you are trying to protect, and where you judge the higher risk is most likely to occur.

In this case, the cert required by PEAP is there to protect the client against connecting to a malicious user who is acting as the authentic portal into a networking system (i.e., to steal credentials or information).

Good Luck

Scott

4 REPLIES
Green

Re: PEAP Happening without certificate

As long as the client can verify the certificate that the server presents, it will be accepted (if it's valid).

Is there no cert on the server? Or did you generate it with / from the cert you use on the ACS?

There is also a checkbox on many / most / all clients (ZWC and NIC utilities) to permit NOT checking the server's certificate.

Good Luck

Scott

Community Member

Re: PEAP Happening without certificate

I am using the ACS self-signed certificate, meaning a server certificate is there on the ACS, and on the client I have not checked the "validate server certificate" check box. If it works in this way, with the validate server certificate check box not checked and users able to log in by just providing a username and password, how can this be a secure way?

So PEAP can work without a server certificate on the client.
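The follow-up above describes exactly the setting that weakens PEAP: the client is left free to accept whatever certificate the authenticator presents. As an added example that is not part of this thread or of Cisco's material, the script below audits the wireless profile XML that `netsh wlan export profile` writes on Windows Vista and later (the thread's XP client predates this format; the ZWC "validate server certificate" checkbox is assumed here to correspond to the same `PerformServerValidation` setting). It flags PEAP profiles where server validation is off, no root CA is pinned, no server name is restricted, or the user is still allowed to accept an unknown server. The profile names, the host name acs.example.com and the thumbprint are constructed placeholders.

```python
"""Audit Windows WLAN profile XML for PEAP server-certificate validation.

Added example (not from the forum thread). It checks the PEAP settings that
decide whether a client will notice a rogue RADIUS/ACS server.
"""
import xml.etree.ElementTree as ET

PEAP_TYPE = '25'  # IANA EAP method type for PEAP


def _local(tag):
    """Strip the XML namespace so V1 and V2 PEAP schema elements match by name."""
    return tag.rsplit('}', 1)[-1]


def _find(root, name):
    for el in root.iter():
        if _local(el.tag) == name:
            return el
    return None


def _findall(root, name):
    return [el for el in root.iter() if _local(el.tag) == name]


def _is_true(el):
    return el is not None and (el.text or '').strip().lower() == 'true'


def audit_profile(xml_text):
    """Return a dict describing how a PEAP profile validates the server."""
    root = ET.fromstring(xml_text)
    name_el = _find(root, 'name')
    report = {'profile': (name_el.text or '').strip() if name_el is not None else '?',
              'is_peap': False, 'validates_server': None, 'trusted_roots': 0,
              'server_names': '', 'risks': []}
    if not any((t.text or '').strip() == PEAP_TYPE for t in _findall(root, 'Type')):
        return report  # not a PEAP profile; nothing to judge
    report['is_peap'] = True

    # The unchecked "validate server certificate" box ends up here.
    psv = _find(root, 'PerformServerValidation')
    if psv is None:
        report['risks'].append('server-validation-flag-missing')
    else:
        report['validates_server'] = _is_true(psv)
        if not report['validates_server']:
            report['risks'].append('server-validation-disabled')

    # With validation on but no pinned root, any root in the machine store is accepted.
    report['trusted_roots'] = len(_findall(root, 'TrustedRootCA'))
    if report['validates_server'] and report['trusted_roots'] == 0:
        report['risks'].append('no-pinned-root-ca')

    sn = _find(root, 'ServerNames')
    report['server_names'] = (sn.text or '').strip() if sn is not None else ''
    if report['validates_server'] and not report['server_names']:
        report['risks'].append('no-server-name-restriction')

    # If the prompt is enabled, a user can click through to an unknown server.
    prompt = _find(root, 'DisableUserPromptForServerValidation')
    if report['validates_server'] and not _is_true(prompt):
        report['risks'].append('user-can-accept-unknown-server')
    return report


# Skeleton of an exported profile; only the PEAP-relevant elements are kept.
_TEMPLATE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{name}</name>
  <MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
    <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
      <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
      <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type>
        <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
          <ServerValidation>
            <DisableUserPromptForServerValidation>{noprompt}</DisableUserPromptForServerValidation>
            <ServerNames>{names}</ServerNames>{roots}
          </ServerValidation>
          <PeapExtensions>
            <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">{validate}</PerformServerValidation>
          </PeapExtensions>
        </EapType>
      </Eap></Config>
    </EapHostConfig>
  </EAPConfig></OneX></security></MSM>
</WLANProfile>
"""


def make_profile(name, validate, names='', roots=(), noprompt=False):
    """Build a constructed sample profile (not exported from a real machine)."""
    root_xml = ''.join('<TrustedRootCA>%s</TrustedRootCA>' % r for r in roots)
    return _TEMPLATE.format(name=name, validate=str(validate).lower(), names=names,
                            roots=root_xml, noprompt=str(noprompt).lower())


# Constructed samples: the thread's misconfiguration next to a hardened profile.
WEAK_PROFILE = make_profile('corp-wifi-weak', validate=False)
HARDENED_PROFILE = make_profile('corp-wifi', validate=True, names='acs.example.com',
                                roots=('PLACEHOLDER-ACS-ROOT-THUMBPRINT',), noprompt=True)

if __name__ == '__main__':
    for profile in (WEAK_PROFILE, HARDENED_PROFILE):
        r = audit_profile(profile)
        print(r['profile'], 'risks:', r['risks'] or 'none')
```

Run it against real exports with `netsh wlan export profile folder=. key=clear` and feed each file's text to `audit_profile`; the hardened shape the check expects is the one that makes the self-signed ACS certificate useful: import it on the client, pin it under `TrustedRootCA`, and restrict `ServerNames` to the ACS host.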


Community Member

Re: PEAP Happening without certificate

Ok Thanks
