I'm trying to establish a wireless setup with 113x APs, ACS 4.0, using built-in XP support for PEAP using MSCHAPv2.
Initially users are defined locally in ACS, but the long-term plan is linking user groups with MS AD domains.
My ACS has a RapidSSL (Geotrust) trial certificate installed.
For some obnoxious reason my XP client doesn't seem to trust the ACS server's certificate and the SSL/TLS tunnel is never established:
In the AUTH log the ACS logs:
"E 0361 3804 EAP: PEAP: ProcessPeapResponse: user probably didn't trust the server certificate"
In failed attempts similarly:
"EAP-TLS or PEAP authentication failed during SSL handshake"
I've verified with an Ethereal trace on the ACS server that it is indeed the client which sends an EAP alert (type 21 = decryption failed), following which the server rejects the Radius authentication.
My trace also shows that the correct server certificate is transferred in the EAP exchange.
I tried shifting the ACS to HTTPS mode and accessed it from the client. Certificate verified.
How can I look further into why the certificate apparently isn't recognized by the client?
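One way to narrow this down offline, as an added example that is not part of the original post: export the certificate the ACS presents and check the two things a Windows PEAP supplicant insists on before it will build the TLS tunnel, namely that the certificate chains to a root the client has in its trusted store, and that it carries the Server Authentication extended key usage. The script below assumes `openssl` (1.1.1 or later) is on the PATH; the CA and server certificates it builds in a temporary directory are constructed lab material, not the RapidSSL certificate from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Checks whether a RADIUS/PEAP server
# certificate would be accepted by a Windows supplicant that trusts CA_PEM:
#   1. the certificate must chain to that CA
#   2. it must carry the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1)
# Assumes openssl 1.1.1+ is installed.

# check_peap_cert SERVER_PEM CA_PEM
#   prints "ok" and returns 0 when both checks pass,
#   returns 1 on a chain failure, 2 when the EKU is missing
check_peap_cert() {
    server="$1"; ca="$2"
    # Step 1: does the server certificate verify against the trusted root?
    if ! openssl verify -CAfile "$ca" "$server" >/dev/null 2>&1; then
        echo "chain: FAIL ($server does not verify against $ca)"
        return 1
    fi
    # Step 2: openssl prints the serverAuth EKU as "TLS Web Server Authentication"
    if ! openssl x509 -in "$server" -noout -text | grep -q "TLS Web Server Authentication"; then
        echo "eku: FAIL (no Server Authentication EKU in $server)"
        return 2
    fi
    echo "ok"
    return 0
}

# make_lab DIR
#   Builds constructed test material in DIR: a lab root CA, a second unrelated
#   CA, a server cert with the serverAuth EKU and one without it.
make_lab() {
    dir="$1"
    printf 'extendedKeyUsage = serverAuth\n' > "$dir/eku.cnf"
    printf 'basicConstraints = CA:FALSE\n'  > "$dir/noeku.cnf"
    for ca in ca other-ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -keyout "$dir/$ca.key" -out "$dir/$ca.pem" \
            -subj "/CN=Lab $ca" >/dev/null 2>&1
    done
    for name in srv noeku; do
        openssl req -newkey rsa:2048 -nodes \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" \
            -subj "/CN=acs.lab.example" >/dev/null 2>&1
    done
    # srv.pem: signed by the lab CA, with serverAuth EKU
    openssl x509 -req -days 1 -in "$dir/srv.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/eku.cnf" -out "$dir/srv.pem" >/dev/null 2>&1
    # noeku.pem: signed by the lab CA, but without any EKU
    openssl x509 -req -days 1 -in "$dir/noeku.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/noeku.cnf" -out "$dir/noeku.pem" >/dev/null 2>&1
}

# Stand-alone demonstration on the constructed lab material.
LAB=$(mktemp -d)
make_lab "$LAB"
check_peap_cert "$LAB/srv.pem"   "$LAB/ca.pem"            # ok
check_peap_cert "$LAB/noeku.pem" "$LAB/ca.pem"       || : # eku: FAIL
check_peap_cert "$LAB/srv.pem"   "$LAB/other-ca.pem" || : # chain: FAIL
rm -rf "$LAB"
```

To run it against a real ACS, put the server certificate the trace shows being sent into `server.pem` and the root the XP client has in its Trusted Root Certification Authorities store into `ca.pem`, then call `check_peap_cert server.pem ca.pem`. A chain failure points at a missing intermediate or root on the client; a missing EKU points at the certificate itself, since the Windows supplicant rejects server certificates that lack Server Authentication regardless of which roots are trusted. The per-profile "Validate server certificate" setting, which lists the roots a given wireless profile will accept, is the remaining place to look if both checks pass.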