Someone should write a "Best Practices for PEAP deployments in EDUs" :-)
The Cisco recommendation in this case isn't great. There is no reason not to validate the server certificate since that's the fundamental defense of SSL in the first place. If you don't check the cert, you're opening up a big hole in your implementation. If you want to be featured at a Black Hat conference, that's a good way to do it; you'd be demonstrating one of the main problems with PEAP implementations :-)

Self-signed certs aren't a good way to deploy PEAP (or SSL VPNs) even as a test environment since the behavior on the client side is very different. Create a CSR for your server and get a cert from a trusted CA. It's not that difficult or costly.

Jonn Martell, PMP, CWNE
[EMAIL PROTECTED]
[EMAIL PROTECTED]

On 4/4/07, ktaillon <[EMAIL PROTECTED]> wrote:
We are trying to implement WPA/TKIP wireless authentication. We are using ACS Solution Engine, which backs into AD for authentication. We are currently using WEP. We are looking for the least amount of client setup to make this change. Cisco has told us to use the PEAP MSCHAPv2 connection with a one-way cert: the cert or CA would only be installed on the ACS server, and the client would uncheck 'Validate Server Certificate' under the Protected EAP properties. They also told us that the PEAP tunnel that is created would be comparable to having a cert on the client. This seems to be working fine in our tests and is a very simple setup for the clients. Are any of you running your connection setup this way?

Ken Taillon
Network Support Specialist
Information Technology Services
Wesleyan University
860-685-5657

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
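An added example, not from either poster: a small Python audit of the PEAP block in an exported Windows WLAN profile, which is where the 'Validate Server Certificate' checkbox discussed above actually lands. It shows the weak profile (validation unchecked, no CA, no server name) beside the corrected one; the XML fragments are constructed, and acs.example.edu and the CA thumbprint are placeholders.

```python
import xml.etree.ElementTree as ET

PEAP_V1 = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"
PEAP_V2 = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2"

# Constructed samples: the PEAP <EapType> block of a Windows WLAN profile
# (as exported by "netsh wlan export profile"), trimmed to the elements that
# control server validation. WEAK mirrors "uncheck Validate Server Certificate".
WEAK_PROFILE = f"""<EapType xmlns="{PEAP_V1}">
  <ServerValidation>
    <ServerNames></ServerNames>
  </ServerValidation>
  <PeapExtensions>
    <PerformServerValidation xmlns="{PEAP_V2}">false</PerformServerValidation>
    <AcceptServerName xmlns="{PEAP_V2}">false</AcceptServerName>
  </PeapExtensions>
</EapType>"""

# HARDENED pins the issuing CA and the ACS server name (placeholder values).
HARDENED_PROFILE = f"""<EapType xmlns="{PEAP_V1}">
  <ServerValidation>
    <ServerNames>acs.example.edu</ServerNames>
    <TrustedRootCA>PLACEHOLDER-THUMBPRINT-OF-TRUSTED-CA</TrustedRootCA>
  </ServerValidation>
  <PeapExtensions>
    <PerformServerValidation xmlns="{PEAP_V2}">true</PerformServerValidation>
    <AcceptServerName xmlns="{PEAP_V2}">true</AcceptServerName>
  </PeapExtensions>
</EapType>"""


def _text(root: ET.Element, tag: str, ns: str) -> str:
    """Text of the first namespaced descendant element, or "" if absent/empty."""
    el = root.find(f".//{{{ns}}}{tag}")
    return (el.text or "").strip() if el is not None else ""


def audit_peap(profile_xml: str) -> list[str]:
    """Return findings; an empty list means the client validates the ACS cert."""
    root = ET.fromstring(profile_xml)
    findings = []
    # Assumption: anything but an explicit "true" is treated as unvalidated.
    if _text(root, "PerformServerValidation", PEAP_V2).lower() != "true":
        findings.append("server certificate validation is off: client accepts any RADIUS server")
    if not _text(root, "TrustedRootCA", PEAP_V1):
        findings.append("no trusted root CA is pinned")
    if not _text(root, "ServerNames", PEAP_V1):
        findings.append("no server name restriction")
    return findings
```

Run it over the <EapType> block of a real `netsh wlan export profile` output; the full WLANProfile document works too, since the lookups search descendants.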
