PEAP /MSCHAP V2

Hi All, I have PEAP with MSCHAPv2 set up; my Windows supplicant can authenticate to ACS with or without the "Validate certificate" tick enabled.

I read that certificates are optional with PEAP and mandatory in EAP-TLS.

Can someone please confirm the above?

Thanks in advance.

4 Replies

Rob Huffman
Hall of Fame

Hi Satish,

Here is a good doc that confirms this (look at Chart #1):

RADIUS server certificate required:

Cisco LEAP - No
Cisco EAP-FAST - No
Microsoft PEAP/MS-CHAPv2 - Yes
Cisco PEAP (EAP-GTC) - Yes
Microsoft EAP-TLS - Yes

--------------------------------------

Client certificate required:

Cisco LEAP - No
Cisco EAP-FAST - No
Microsoft PEAP/MS-CHAPv2 - No
Cisco PEAP (EAP-GTC) - No
Microsoft EAP-TLS - Yes

---------------------------------------

From this good doc:

http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_configuration_guide09186a008046dc81.html

Hope this helps!

Rob

Please remember to rate helpful posts.

Scott Pickles
Level 4

This is not entirely correct. PEAP does require a certificate, but on the server side only. The clients do not require a cert. In EAP-TLS, however, the client does need to verify the server cert. You can GOOGLE your question or try Microsoft's TechNet. There is a good article on setting up PEAP from scratch with Win2k3 server; look on TechNet for it. Also, look at the chart found here:

http://www.oreillynet.com/pub/a/wireless/2002/10/17/peap.html

You will come across the part where you create a server-side cert. You will then be taken through the client config, which shows that validation of the cert is not required.

Hope that helps.

Scott

Hi Scott, I am with you. I installed a cert on our ACS and that bit is fine. What I don't get is: does the Windows supplicant need a cert installed on the client machine? Because the tick for "validate certificate" is of no use, as the clients can connect with or without it.

Satish -

You are correct in that the certificate is not needed on the client. Just uncheck the "Validate Server..." part. As for it still not working without validating server, have you checked your RADIUS/IAS logs? Are you seeing any logged attempts? In addition, is your AP set up as a RADIUS client under IAS with correct shared secret? You also need to configure your SSID with the following:

Open with EAP

Network with No Addition

Encryption Mandatory WPA

Then, under the encryption manager, for Cipher select TKIP.

Be sure to also define a default EAP server, which is your RADIUS/IAS server. Make certain your shared secret keys are correct.

You can obtain the following document which walks you through a lot of this stuff on a Win2K3 Server at the following address:

http://www.microsoft.com/downloads/details.aspx?FamilyID=0f7fa9a2-e113-415b-b2a9-b6a3d64c48f5&DisplayLang=en

Hope this helps.

Regards,

Scott
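Following the thread's point that the client connects with or without the "Validate server certificate" tick, here is an added example (not from this thread, nor Cisco's or Microsoft's code) that audits the PEAP section of a Windows wireless profile, such as one exported with `netsh wlan export profile`, and flags settings under which the supplicant never checks the ACS certificate. It assumes the element names of the Microsoft MsPeapConnectionProperties profile schema; the two sample profiles and the root CA thumbprint are constructed.

```python
import xml.etree.ElementTree as ET
# Constructed samples: the PEAP <EapType> subtree of an exported Windows profile (thumbprint is a placeholder).
V1 = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"
V2 = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2"
WEAK_PROFILE = f"""<EapType xmlns="{V1}">
  <ServerValidation>
    <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
    <ServerNames></ServerNames>
  </ServerValidation>
  <PeapExtensions>
    <PerformServerValidation xmlns="{V2}">false</PerformServerValidation>
  </PeapExtensions>
</EapType>"""
HARDENED_PROFILE = f"""<EapType xmlns="{V1}">
  <ServerValidation>
    <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
    <ServerNames>acs.example.com</ServerNames>
    <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>
  </ServerValidation>
  <PeapExtensions>
    <PerformServerValidation xmlns="{V2}">true</PerformServerValidation>
  </PeapExtensions>
</EapType>"""

def _find(root, name):
    """First element anywhere under root whose local (namespace-stripped) name matches."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == name:
            return el
    return None

def _text(el):
    return (el.text or "").strip().lower() if el is not None else ""

def audit_peap_profile(xml_text):
    """Return findings for a PEAP profile; an empty list means the client validates the RADIUS server."""
    root = ET.fromstring(xml_text)
    findings = []
    if _text(_find(root, "PerformServerValidation")) == "false":
        findings.append("PerformServerValidation=false: MSCHAPv2 credentials go to any server")
    sv = _find(root, "ServerValidation")
    if sv is None:
        return findings + ["no ServerValidation element"]
    if not _text(_find(sv, "TrustedRootCA")):
        findings.append("no TrustedRootCA pinned")
    if not _text(_find(sv, "ServerNames")):
        findings.append("no ServerNames restriction")
    if _text(_find(sv, "DisableUserPromptForServerValidation")) != "true":
        findings.append("user can click through an untrusted server certificate")
    return findings
```

Run `audit_peap_profile()` over each exported profile; an empty result is the state to aim for, and the weak sample above yields four findings.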
