Cloudpath Administrative Console

PEAP Configuration
Name:
Validate Server Certificate
Description:
Controls whether or not the client will validate the server's certificate.
Notes:
A server certificate is 'valid' if it is signed by a trusted root certificate authority (CA) installed on the client. The list of trusted CAs is displayed in the 'Trusted Root Certification Authorities' box. Normally, server certificates signed by a commercial CA will be 'valid' because most commercial CAs are preinstalled as trusted roots. Because any certificate chaining to a selected root is accepted, restrict the selection in that box to the CA that actually issued your RADIUS server's certificate, and specify the server name where the supplicant supports it. A self-signed certificate, however, will not be trusted by default. In this case, you have three options:
  • Pay a commercial CA (such as Thawte) to sign your certificate
  • Install your certificate as a trusted root CA on the client
  • Disable server validation using this setting
Values:
    Checked
      If the RADIUS server presents a certificate that does not chain to a CA in the client's trusted CA list, the client abandons its authentication attempt. This ensures that the client only provides its credentials to servers it can adequately identify.
    Unchecked
      The client authenticates regardless of the server's certificate, so its credentials go to whichever server answers.
    Default Value:
    Checked
    Recommended Setting:
    During lab testing, it is acceptable to set this to unchecked while using a self-signed certificate. For production deployments, you should have this setting checked.
    Cloudpath Help :
    Cloudpath can detect the status of server certificate validation within the PEAP configuration.

    Supported settings include:
    Disabled - Default. When selected, the server certificate is not validated.
    Enabled - When selected, server certificate validation is performed.

    Cloudpath is able to auto-remediate this setting.
    By default, Windows XP will enable this for a new SSID.

    Server certificate validation is intended to ensure that the client attempts to authenticate only to known authentication servers. Without validation, the client may build the PEAP tunnel to a rogue authentication server (for example, one behind an access point advertising the same SSID) and run the inner authentication against it. With the usual inner method, MS-CHAPv2, the rogue server then holds the challenge/response pair, which is derived from the NT hash of the user's password and allows an offline dictionary attack against that password.
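The checks below, as an added example that is not Cloudpath's or Microsoft's code, audit a Windows WLAN profile (as exported by `netsh wlan export profile`) for the Validate Server Certificate setting described under Values and Cloudpath Help above, and also flag the follow-on gaps that make a 'Checked' profile weaker than it looks: no pinned root CA, no server name restriction, and a user prompt that lets the user accept an unknown certificate. The element names and namespaces are my reading of the Windows PEAP profile schema (MsPeapConnectionPropertiesV1/V2), and the SSIDs, server name and CA thumbprint are constructed; compare the parser against a profile exported from your own clients before relying on it.

```python
# Added example (not Cloudpath or Microsoft code): audit an exported Windows WLAN
# profile for the PEAP "Validate server certificate" setting plus the follow-on
# checks (pinned root CA, server name, no user prompt). Export a profile with:
#   netsh wlan export profile name="Corp-WiFi" folder=.
# Element names follow the Windows PEAP profile schema as I understand it
# (assumption); compare with a profile exported from your own build.
import xml.etree.ElementTree as ET

NS = {
    "wlan": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "base": "http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1",
    "peap": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1",
    "peap2": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2",
}
PEAP_TYPE = "25"  # IANA EAP method type for PEAP (26 is the inner EAP-MSCHAPv2)


def find_peap(root):
    """Return the outer PEAP <EapType> element, or None if the profile is not PEAP."""
    for eap in root.iter("{%s}Eap" % NS["base"]):
        if (eap.findtext("base:Type", namespaces=NS) or "").strip() == PEAP_TYPE:
            return eap.find("peap:EapType", NS)
    return None


def audit_profile(xml_text):
    """Return {'name', 'validates', 'findings'} for one exported profile."""
    root = ET.fromstring(xml_text)
    result = {"name": root.findtext("wlan:name", namespaces=NS),
              "validates": None, "findings": []}
    peap = find_peap(root)
    if peap is None:
        result["findings"].append("not a PEAP profile")
        return result
    perform = peap.findtext("peap:PeapExtensions/peap2:PerformServerValidation",
                            default="", namespaces=NS)
    result["validates"] = perform.strip().lower() == "true"
    if not result["validates"]:
        result["findings"].append(
            "Validate Server Certificate is unchecked: credentials go to any RADIUS server")
        return result
    # Validation is on; check that it is tight enough to identify the real server.
    sv = peap.find("peap:ServerValidation", NS)

    def field(tag):
        if sv is None:
            return ""
        return (sv.findtext("peap:" + tag, default="", namespaces=NS) or "").strip()

    if not field("TrustedRootCA"):
        result["findings"].append(
            "no TrustedRootCA pinned: a certificate from any preinstalled CA is accepted")
    if not field("ServerNames"):
        result["findings"].append(
            "no ServerNames restriction: any certificate from the trusted CA is accepted")
    if field("DisableUserPromptForServerValidation").lower() != "true":
        result["findings"].append(
            "user may be prompted to accept an unknown server certificate")
    return result


# Constructed sample profile (SSIDs, server name and CA thumbprint are made up).
PROFILE_TEMPLATE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{name}</name>
  <MSM><security>
    <authEncryption><authentication>WPA2</authentication><encryption>AES</encryption>
      <useOneX>true</useOneX></authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><authMode>user</authMode>
      <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
        <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
          <Type>25</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
            <ServerValidation>
              <DisableUserPromptForServerValidation>{no_prompt}</DisableUserPromptForServerValidation>
              <ServerNames>{servers}</ServerNames>
              {root_ca}
            </ServerValidation>
            <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type></Eap>
            <PeapExtensions>
              <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">{validate}</PerformServerValidation>
            </PeapExtensions>
          </EapType></Eap></Config>
      </EapHostConfig></EAPConfig></OneX>
  </security></MSM>
</WLANProfile>"""


def make_profile(name, validate, servers="", root_ca="", no_prompt="false"):
    root_ca_xml = "<TrustedRootCA>%s</TrustedRootCA>" % root_ca if root_ca else ""
    return PROFILE_TEMPLATE.format(name=name, validate="true" if validate else "false",
                                   servers=servers, root_ca=root_ca_xml, no_prompt=no_prompt)


LAB_PROFILE = make_profile("Lab-WiFi", validate=False)  # the lab 'Unchecked' setting
PROD_PROFILE = make_profile("Corp-WiFi", validate=True, servers="radius.example.com",
                            root_ca="aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99 aa bb cc dd",
                            no_prompt="true")  # the recommended production setting
```

Running `audit_profile` over `LAB_PROFILE` reports the unchecked setting and stops there, since nothing else matters once credentials go to any server; `PROD_PROFILE` comes back clean; a profile built with `make_profile("Half-Done", validate=True)` has the box checked yet produces three findings, which is the case the Notes above warn about: validation against every preinstalled CA, with no server name and a prompt the user can click through.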