New Member

Peap + ACS 4.2 (Self-Signed Certificates)

Do not have a Microsoft CA available on site, so I will need to generate a self-signed certificate on ACS 4.2.

When I generate this certificate do I need to install the certificate on all wireless client (domain) laptops? Also do I need to install on AD server?

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml#t21

Please advise.

Colm

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Blue

Re: Peap + ACS 4.2 (Self-Signed Certificates)

colmgrier wrote:

Do not have a Microsoft CA available on site, so I will need to generate a self-signed certificate on ACS 4.2.

When I generate this certificate do I need to install the certificate on all wireless client (domain) laptops? Also do I need to install on AD server?

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml#t21

Please advise.

Colm

Colm

You have 2 choices -

1) deselect the "Validate Server Certificate" on the client and then you will not need to install the certificate on the client. However this is a security risk as you are now vulnerable to man in the middle attacks.

or

2) you need to install the root certificate for the ACS onto the wireless client. You can do this manually or you can use Group Policy to do it but please don't ask me how as I always just left this to the server guys. You would then leave "Validate Server Certificate" selected and you are not vulnerable to man in the middle attacks.

You don't need to install it on the AD.

Jon

Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.
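
For the manual route in option 2, a sketch of installing the ACS self-signed certificate on one Windows client (an added example, not part of the original posts). It assumes a Windows version that ships the Import-Certificate cmdlet and an elevated prompt; the file path and thumbprint are placeholders.

```powershell
# Added example. $CertPath and $ExpectedThumbprint are placeholders (assumptions):
# export the certificate from ACS to a file and read its thumbprint on the ACS
# server itself, so the value does not depend on the copy being checked.
param(
    [string]$CertPath           = 'C:\Temp\acs-selfsigned.cer',
    [string]$ExpectedThumbprint = '<THUMBPRINT-READ-ON-THE-ACS-SERVER>'
)

# Load the file without installing it, so it can be inspected first.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# 1. Pin check: refuse to trust a file whose thumbprint is not the expected one.
$want = ($ExpectedThumbprint -replace '\s', '').ToUpper()
if ($cert.Thumbprint -ne $want) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $want"
}

# 2. A self-signed certificate is its own root (Subject equals Issuer).
#    If it is not, the issuing CA's root belongs in the store instead.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not self-signed (issuer: $($cert.Issuer)); install the issuing root instead"
}

# 3. An expired or not-yet-valid certificate fails validation even when trusted.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
}

# 4. Install into the machine-wide Trusted Root store unless already present.
$storePath = "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
if (-not (Test-Path $storePath)) {
    Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
}

# 5. Confirm what the client now trusts.
Get-Item $storePath | Select-Object Subject, Thumbprint, NotAfter
```

With the certificate in the store, "Validate Server Certificate" stays selected on the client, as option 2 describes.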

2 REPLIES
New Member

Re: Peap + ACS 4.2 (Self-Signed Certificates)

Thanks Jon. Got this working.
