Self Signed Certificate on ACS3.3

Hi,

I've been using Cisco ACS 3.3 to generate a self signed certificate, for PEAP-MSChapv2 authentication.

We are running MS Active Directory, any clue what's the easiest way to deploy the Certificate itself?

5 REPLIES

Re: Self Signed Certificate on ACS3.3

Hi Jorge,

As posted on the AAA forum, self-signed certs are pretty easy to deploy. You just need to create and install it on ACS.

For steps you can refer to the PEAP guide posted for you in the AAA forum.

Let me know if you face any specific issue during installation.

Good Luck,

Regards,

~JG

Re: Self Signed Certificate on ACS3.3

But to do PEAP-MSCHAPv2, don't I need to deploy it to all clients? Where should the certificate then be installed? Just in the Cisco ACS application?

Re: Self Signed Certificate on ACS3.3

Jorge,

No need to install it on Clients for PEAP. We need to install it only on ACS appliance.

Regards,

Re: Self Signed Certificate on ACS3.3

I'm a bit mixed up; what is the certificate required for, then?

Re: Self Signed Certificate on ACS3.3

Jorge,

In PEAP it is not necessary to have the CA installed on each client; it works without the CA installed on the client, but it is less secure.

In case of PEAP, certificates are used to validate the server. The use of the root certificate on the client is limited to validating the server. When we keep the option 'validate server certificate' unchecked on the client, it does not try to validate the server, and the server gets authenticated without any validation.

However, when we keep the option checked then it explicitly checks for the root certificate on the client to validate the server.

Installing the CA on the client would provide an additional layer of security: someone trying to spoof your server would have to have created a server certificate from another root CA unknown to your client. In this case, if the validate box is checked, then the connection should fail because the client does not trust the root CA that the presented server certificate was generated from. If the check box was not checked, then the client would accept encrypted communications from ANY server posing as an EAP authentication source.

Hope that helps!

Regards
