ACS 4.0 WLAN PEAP - client failing to trust ACS certificate

ERIK LAWAETZ
Level 1

I'm trying to establish a wireless setup with 113x APs, ACS 4.0, using built-in XP support for PEAP using MSCHAPv2.

Initially users are defined locally in ACS, but long-term is linking user groups with MS AD domains.

My ACS has a RapidSSL (GeoTrust) trial certificate installed.

For some obnoxious reason my XP client doesn't seem to trust the ACS server's certificate and the SSL/TLS tunnel is never established:

In the AUTH log the ACS logs:

"E 0361 3804 EAP: PEAP: ProcessPeapResponse: user probably didn't trust the server certificate"

In failed attempts similarly:

"EAP-TLS or PEAP authentication failed during SSL handshake"

I've verified with an Ethereal trace on the ACS server that it is indeed the client which sends an EAP alert (type 21 = decryption failed), following which the server rejects the RADIUS authentication.

My trace also shows that the correct server certificate is transferred in the EAP exchange.

I tried shifting the ACS to HTTPS mode and accessed it from the client. Certificate verified.

How can I look further into why the certificate apparently isn't recognized by the client?

2 Replies

Mehdi_ab
Level 1

Do your clients trust the root CA for RapidSSL? If you're using AD, you can define a PKI policy to have them automatically trust the root CA when they log on to the domain...

Vivek Santuka
Cisco Employee

Hi,

The client needs to trust the CA which signed ACS's certificate.

We need to either install the root certificate of the CA on the client or uncheck 'Validate server certificate' on the client's LAN properties.

Regards,

Vivek
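The trust decision described in both replies (the supplicant will only complete the PEAP TLS handshake if the CA that signed the ACS certificate is in its trusted root store) can be reproduced on the ACS host with the OpenSSL command line. The script below is an added example, not something posted in this thread or shipped with ACS. It builds a constructed throwaway root CA and an ACS server certificate signed by it (the name `acs.example.test` is a placeholder), then runs the same chain check twice: once with the root available, as on a client where the root has been installed, and once with no trust anchor at all, which is the situation of the XP client in the question. Of the two remedies in the reply above, only installing the root keeps the client able to tell the real ACS from any other RADIUS server presenting a certificate; unticking 'Validate server certificate' makes the check pass by not performing it.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the supplicant's server
# certificate trust decision with openssl. The root CA below is constructed
# for this demonstration and stands in for the RapidSSL/GeoTrust root;
# "acs.example.test" is a placeholder for the ACS server's name.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Build a constructed root CA and an ACS server certificate signed by it.
make_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" \
        -subj "/CN=Constructed Test Root CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/acs.key" -out "$WORK/acs.csr" \
        -subj "/CN=acs.example.test" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/acs.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -out "$WORK/acs.pem" >/dev/null 2>&1
}

# Client that has the root installed: the chain builds from the server
# certificate to a trusted anchor, so the TLS tunnel can be established.
verify_with_root() {
    if openssl verify -no-CApath -no-CAfile -CAfile "$WORK/root.pem" \
        "$WORK/acs.pem" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# Client without the root (the XP client in the question): no anchor is
# available, so chain building fails. This is the point at which the
# supplicant sends the TLS alert seen in the Ethereal trace.
verify_without_root() {
    if openssl verify -no-CApath -no-CAfile "$WORK/acs.pem" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# What the client actually matches: the server certificate's issuer against
# the subject of a certificate in its trusted root store.
show_chain() {
    openssl x509 -in "$WORK/acs.pem" -noout -issuer
    openssl x509 -in "$WORK/root.pem" -noout -subject
}

make_certs
show_chain
echo "with root installed:    $(verify_with_root)"
echo "without root installed: $(verify_without_root)"
```

On the real deployment, replace the constructed root with the GeoTrust/RapidSSL root (and any intermediate) and the server certificate with the one exported from ACS; if `openssl verify` succeeds only when the root is supplied, the certificate itself is fine and the fix is on the client side, exactly as the replies say.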