
PEAP + ACS 4.2 (Self-Signed Certificates)

colmgrier
Level 1

Do not have a Microsoft CA available on site, so I will need to generate a self-signed certificate on ACS 4.2.

When I generate this certificate, do I need to install the certificate on all wireless client (domain) laptops? Also, do I need to install it on the AD server?

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml#t21

Please advise.

Colm

1 Accepted Solution


Jon Marshall
Hall of Fame

colmgrier wrote:

Do not have a Microsoft CA available on site, so I will need to generate a self-signed certificate on ACS 4.2.

When I generate this certificate, do I need to install the certificate on all wireless client (domain) laptops? Also, do I need to install it on the AD server?

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml#t21

Please advise.

Colm

Colm

You have 2 choices -

1) deselect the "Validate Server Certificate" on the client and then you will not need to install the certificate on the client. However, this is a security risk as you are now vulnerable to man-in-the-middle attacks.

or

2) you need to install the root certificate for the ACS onto the wireless client. You can do this manually or you can use Group Policy to do it, but please don't ask me how as I always just left this to the server guys. You would then leave "Validate Server Certificate" selected and you are not vulnerable to man-in-the-middle attacks.

You don't need to install it on the AD.

Jon

Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.
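
Added example (not part of the original thread or of Cisco's documentation): a check an administrator could run over wireless profiles exported from the laptops with `netsh wlan export profile`, to confirm that option 2 is really in effect, i.e. server validation is on and the ACS certificate's thumbprint is listed as a trusted root. The element names `PerformServerValidation` and `TrustedRootCA` are assumed from the Windows PEAP profile format; the sample XML and the thumbprint are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed sample of the PEAP part of an exported WLAN profile
# (namespaces and unrelated elements omitted); the thumbprint is made up.
SAMPLE_VALIDATING = """<WLANProfile><name>corp-wlan</name><EapType>
  <ServerValidation>
    <TrustedRootCA>aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99 aa bb cc dd</TrustedRootCA>
  </ServerValidation>
  <PeapExtensions><PerformServerValidation>true</PerformServerValidation></PeapExtensions>
</EapType></WLANProfile>"""
SAMPLE_NOT_VALIDATING = SAMPLE_VALIDATING.replace(">true<", ">false<")


def _local(tag):
    """Strip any '{namespace}' prefix so real, namespaced exports also match."""
    return tag.rsplit("}", 1)[-1]


def _norm(thumbprint):
    """Normalise a SHA-1 thumbprint: keep hex digits only, lower-cased."""
    return "".join(c for c in thumbprint.lower() if c in "0123456789abcdef")


def audit_peap_profile(xml_text, expected_thumbprint):
    """Return a list of findings; an empty list means the ACS cert is validated."""
    root = ET.fromstring(xml_text)
    validate, roots = None, set()
    for el in root.iter():
        name, text = _local(el.tag), (el.text or "").strip()
        if name == "PerformServerValidation":
            validate = text.lower() == "true"
        elif name == "TrustedRootCA" and text:
            roots.add(_norm(text))
    findings = []
    if validate is False:
        findings.append("server certificate validation is disabled")
    elif validate is None:
        findings.append("no PerformServerValidation element found")
    if _norm(expected_thumbprint) not in roots:
        findings.append("ACS certificate is not a trusted root for this profile")
    return findings


if __name__ == "__main__":
    expected = "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD"
    for label, xml_text in (("validating", SAMPLE_VALIDATING),
                            ("not validating", SAMPLE_NOT_VALIDATING)):
        print(label, "->", audit_peap_profile(xml_text, expected) or "OK")
```

The expected thumbprint is the SHA-1 thumbprint of the self-signed certificate generated on the ACS, read from the certificate itself rather than from a client.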


2 Replies

Thanks Jon. Got this working.