06-01-2007 12:12 AM - edited 03-10-2019 03:11 PM
Hi all,
I have configured an ACS Server 4.1 with a certificate from an internal Novell CA. Authentication to the ACS Server works fine, and the group mappings also work without trouble.
The customer now wants to use EAP-TLS in the WLAN configuration. Authentication with username and password works fine. If I activate "validate server certificate" in the WLAN configuration settings on Windows XP, then I have no access to the network. I get an error message on the client, and in the ACS log I see an error with the EAP-TLS SSL handshake!?!
Are there any problems with a Novell CA and Novell certificates???
Any ideas???
Thanks for help
Rene
06-01-2007 04:27 PM
Hi,
Please check this,
EAP-TLS Limitations
The limitations in the ACS implementation of EAP-TLS are:
- Server and CA certificate file format: If you install the ACS server and CA certificates from files, rather than from certificate storage, the server and CA certificate files must be in Base64-encoded X.509 format or DER-encoded binary X.509 format.
- LDAP attribute for binary comparison: If you configure ACS to perform binary comparison of user certificates, the user certificate must be stored in Active Directory or an LDAP server in a binary format. Also, the attribute storing the certificate must be named usercertificate.
- Windows server type: If you want to use Active Directory to authenticate users with EAP-TLS when ACS runs on a member server, additional configuration is required.
Apart from that, make sure that you have installed the Novell CA root certificate from
System Configuration > ACS Certificate Setup > ACS Certification Authority Setup,
then check the installed root certificate from
"Edit Certificate Trust List".
Regards,
Prem
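As an added example (my own code, not from this thread or from Cisco), here is a small standard-library Python check for the first limitation above: it tells you whether a certificate file is PEM (Base64) X.509 or DER X.509, which ACS accepts, or a PKCS#7 (.p7b) / PKCS#12 (.pfx) export, which it does not. The sample inputs are constructed ASN.1 skeletons, not real certificates; the classification relies only on the outer ASN.1 shape of each structure.

```python
import base64
import re
# Constructed sample inputs (not real certificates): minimal ASN.1 skeletons with the outer shape of the real structures.
SAMPLE_X509_DER = bytes([0x30, 0x04, 0x30, 0x02, 0x05, 0x00])        # SEQ { SEQ {NULL} }
SAMPLE_PKCS7_DER = bytes([0x30, 0x05, 0x06, 0x03, 0x2A, 0x03, 0x04])  # SEQ { OID ... }
SAMPLE_PKCS12_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x03])             # SEQ { INTEGER 3 }
SAMPLE_X509_PEM = (b"-----BEGIN CERTIFICATE-----\n"
                   + base64.b64encode(SAMPLE_X509_DER)
                   + b"\n-----END CERTIFICATE-----\n")

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def _der_len(buf, i):
    """Parse the length octets at buf[i]; return (length, index of first content byte)."""
    first = buf[i]
    if first < 0x80:                       # short form
        return first, i + 1
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or i + 1 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def classify_der(der):
    """Return 'X509', 'PKCS7', 'PKCS12' or 'UNKNOWN' from the outer ASN.1 shape."""
    if len(der) < 4 or der[0] != 0x30:     # all three start with a SEQUENCE
        return "UNKNOWN"
    try:
        length, start = _der_len(der, 1)
    except ValueError:
        return "UNKNOWN"
    if start + length != len(der):         # truncated file or trailing junk
        return "UNKNOWN"
    # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
    # ContentInfo ::= SEQUENCE { contentType OBJECT IDENTIFIER, ... }   (PKCS#7)
    # PFX         ::= SEQUENCE { version INTEGER, ... }                 (PKCS#12)
    return {0x30: "X509", 0x06: "PKCS7", 0x02: "PKCS12"}.get(der[start], "UNKNOWN")

def classify_file(data):
    """Classify raw file bytes as (encoding, kind), e.g. ('PEM', 'X509')."""
    m = PEM_RE.search(data)
    if m is None:
        return "DER", classify_der(data)
    try:                                   # the payload, not the PEM label, decides
        der = base64.b64decode(b"".join(m.group(2).split()), validate=True)
    except ValueError:
        return "PEM", "UNKNOWN"
    return "PEM", classify_der(der)

def acs_accepts(data):
    """True only for the two file formats the EAP-TLS limitation list allows."""
    enc, kind = classify_file(data)
    return kind == "X509" and enc in ("PEM", "DER")
```

This only checks the container format; whether the server certificate actually chains to the root installed in the Certificate Trust List is a separate check.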
06-03-2007 11:25 PM
hi,
thanks for the answer...
I have no Active Directory, only a Novell NDS and a Novell CA. I have tested this without a user certificate on the client. We only want to see if the verification of the server certificate works... in this case I got the error message with the EAP-TLS SSL handshake failure...
The file formats for the server are OK.
Any other ideas??
Thanks for help
rene
06-04-2007 04:45 AM
Hi,
If you got this setup working without a client cert, then that means that your PEAP (EAP-GTC) was working at that time.
Now, to look into it in greater detail, you can check the authentication logs on the ACS server.
Increase the logging level of ACS from
System Configuration > Service Control > Level of Detail > Full > Restart.
Then do one test authentication with the client cert (EAP-TLS).
Then go to
open Auth.log,
take the time stamp from the Failed Attempts, and see the exact error message for why it was rejected.
The most probable cause for this, I suspect, is something wrong with the client cert or something in that direction.
Regards,
Prem
06-04-2007 04:49 AM
hi,
OK, thanks for the information. I have to call the customer to do some testing...
I will try this at 3:30 pm Central European Time.
I will write some new information later.
thanks for your messages.
rene
06-04-2007 01:43 PM
Hi Rene,
Glad it worked!
Keep playin.
Regards,
Prem
06-04-2007 01:44 PM
Hi,
Do mark this thread as resolved, so that others can benefit.
Thanks,
Prem