01-10-2007 07:19 PM - edited 07-03-2021 01:28 PM
Hi All, I have PEAP with MS-CHAPv2 set up; my Windows supplicant can authenticate to ACS with or without the "Validate certificate" tick enabled.
I read that certificates are optional with PEAP and mandatory in EAP-TLS.
Can someone please confirm the above?
Thanks in advance
01-11-2007 06:09 AM
Hi Satish,
Here is a good doc that confirms this (look at Chart #1):
RADIUS server certificate required:
Cisco LEAP - No
Cisco EAP-FAST - No
Microsoft PEAP/MS-CHAPv2 - Yes
Cisco PEAP (EAP-GTC) - Yes
Microsoft EAP-TLS - Yes
--------------------------------------
Client certificate required:
Cisco LEAP - No
Cisco EAP-FAST - No
Microsoft PEAP/MS-CHAPv2 - No
Cisco PEAP (EAP-GTC) - No
Microsoft EAP-TLS - Yes
---------------------------------------
From this good doc:
http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_configuration_guide09186a008046dc81.html
Hope this helps!
Rob
Please remember to rate helpful posts.....
01-15-2007 11:16 AM
This is not entirely correct. PEAP does require a certificate, but on the server side only. The clients do not require a cert. In EAP-TLS, however, the client does need to verify the server cert. You can GOOGLE your question or try Microsoft's TechNet. There is a good article on setting up PEAP from scratch with Win2k3 server; look on TechNet for it. Also, look at the chart found here:
http://www.oreillynet.com/pub/a/wireless/2002/10/17/peap.html
You will come across the part where you create a server-side cert. You will then be taken through the client config, which shows that validation of the cert is not required.
Hope that helps.
Scott
01-15-2007 03:04 PM
Hi Scott, I am with you. I installed a cert on our ACS and that bit is fine; what I don't get is whether the Windows supplicant needs a cert installed on the client machine, because the tick for "Validate certificate" is of no use, as the clients can connect with or without it.
01-19-2007 11:02 AM
Satish -
You are correct in that the certificate is not needed on the client. Just uncheck the "Validate Server..." part. As for it still not working without validating the server, have you checked your RADIUS/IAS logs? Are you seeing any logged attempts? In addition, is your AP set up as a RADIUS client under IAS with the correct shared secret? You also need to configure your SSID with the following:
Open with EAP
Network with No Addition
Encryption Mandatory WPA
Then, under the encryption manager, for Cipher select TKIP.
Be sure to also define a default EAP server, which is your RADIUS/IAS server. Make certain your shared secret keys are correct.
You can obtain the following document, which walks you through a lot of this stuff on a Win2K3 Server, at the following address:
Hope this helps.
Regards,
Scott