Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

PEAP-MSChap v2 & ACS 4.0& Windows 2003

Following the below guide for Peap-mschap v2 I get the following error on the ACS "EAP-TLS or PEAP authentication failed during SSL handshake".

When I disable "Validate Server Certificate" on Win XP controlled wireless card I can connect straight away. What is the advantage/disadvantage with unticking "Validate Server Certificate"

Please advise

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

Re: PEAP-MSChap v2 & ACS 4.0& Windows 2003

First find out what encryption these devices support. I believe they do support WPA/WPA2 w/ PEAP. Devices don't need to be on the domain to work with this type of encryption.

-Scott
*** Please rate helpful posts ***
7 REPLIES
Hall of Fame Super Silver

Re: PEAP-MSChap v2 & ACS 4.0& Windows 2003

When you have "Validate Server Certificate" you need to check which cert you want validated. If it isn't there, then you have to add it. Basically you are telling the utility to verify these checked certs.

Here are some links that will explain it better.

http://support.microsoft.com/kb/814394

http://www.velocityreviews.com/forums/t54654-validate-server-certificate.html

-Scott
*** Please rate helpful posts ***
New Member

Re: PEAP-MSChap v2 & ACS 4.0& Windows 2003

Ok still bit confused

Q.1 Using PEAP-mschapv2 and not selecting "Validate Server Certificate" i can still connect to the WLAN,is this is a secure connect (encrypted).

Q.2 I'm using win 2003 standard edition to create the CA, but according to microsoft the minimun certificate is issued by an enterprise certification authority (CA) So I need win 2003 Enterprise edition for the CA??

Hall of Fame Super Silver

Re: PEAP-MSChap v2 & ACS 4.0& Windows 2003

Yes.... not selecting the validate server certificate is still being secure... the certificate is to encrypt the rest of the authentication process. As for the CA issues, you need Enterprise CA to issues for the certificate that will be installed in your radius server.

-Scott
*** Please rate helpful posts ***
Silver

Re: PEAP-MSChap v2 & ACS 4.0& Windows 2003

The PEAP-MSCHAPv2 auth process is only one way: the server validates the clients user credentials, the client does not. If you don't require the client to validate the server ca cert, then you can't be sure that the 802.1x auth packets you are receiving have been signed by your server.

The scenerio is that you can bring your laptop to Starbucks and I can be there with a 'honeypot' AP wireless card. Your laptop automatically tries to connect to your corporate SSID, my laptop says 'here you are', you send 802.1x credentials, my laptop says 'yeah, whatever', you auth to my laptop, get an IP address, and I issue attacks against your open shares or vulnerabilies on your laptop (which you *DO* have).

Moral of the story, *always* select 'validate server certificate' on the client when using one-way trusted PEAP-MSCHAPv2.

And so we are on the same page, *any* certificate authority can create the cert, it does not need to be the domain controller; that is just a more complicated scenerio because you need MS-IAS or Cisco-ACS to use that cert and MS-AD needs to trust that cert. I bring this up for completeness.

Hall of Fame Super Silver

Re: PEAP-MSChap v2 & ACS 4.0& Windows 2003

to issue the cert you need a MS Enterprise server... doesn't need to be your domain controller. you do need a radius server and it can or doesn't have to tie into ad. WLC has local eap that you can also use if you have a wlc.

-Scott
*** Please rate helpful posts ***
New Member

Re: PEAP-MSChap v2 & ACS 4.0& Windows 2003

Thanks all for the help.

I also need to add win CE and nokia e-series phone to the WLAN. Will PEAP-mschapv2 work with these devices, I think not because devices need to on the domain??

What solution is best for Window Ce and nokia e-series to connect to the WLAN?

Hall of Fame Super Silver

Re: PEAP-MSChap v2 & ACS 4.0& Windows 2003

First find out what encryption these devices support. I believe they do support WPA/WPA2 w/ PEAP. Devices don't need to be on the domain to work with this type of encryption.

-Scott
*** Please rate helpful posts ***
817
Views
0
Helpful
7
Replies