PEAP set up

Unanswered Question
Aug 20th, 2007

Does anybody have experience setting up PEAP with ACS in a Windows environment? I've really got a headache.

I used CA services in Windows to issue 2 user certificates to a user account and a computer (XP with SP2). Then I issued a certificate to ACS. I also installed the CA root to ACS. I think I did everything following the Cisco document. However, I got "EAP-TLS or PEAP authentication failed during SSL handshake" in the failed attempts log and "PEAP: ProcessResponse: SSL handshake failed, status = 3 (SSL alert fatal:certificate unknown)" in the CSAuth logs.

Have worked on this issue for 2 weeks but no clue at all. Please help me out.

Jagdeep Gambhir Tue, 08/21/2007 - 07:47

Sky,

SSL handshake points to a certificate issue. Please uncheck validate server cert on the supplicant and then try to connect.

Find attached the PEAP guide.

Regards,

JG

e.wahl Wed, 08/22/2007 - 01:21

Hi

I got the same problem (ACS 4.1).

Unchecking validate server cert makes it work.

But this way clients will accept any server certificate, i.e. man in the middle will be possible!

Is there a way to solve the problem?

Premdeep Banga Wed, 08/22/2007 - 04:22

I don't think MIM is possible, even if you do not check validate server certificate. In PEAP, the supplicant still uses the certificate offered by the server to create an SSL tunnel.

Validating the server certificate is just additional security, where you ensure that you are connecting to the correct RADIUS server, if you have many in your network...

Regards,

Prem

Premdeep Banga Wed, 08/22/2007 - 04:25

And to get the SSL handshake correct, ensure that we have *also* installed the root certificate from "ACS Certification Authority Setup", and checked the root certificate from which ACS's server certificate was issued in "Edit Certificate Trust List".

Regards,

Prem
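
Added example, not part of any post in this thread and not Cisco or Microsoft tooling: a lab reproduction of the check a supplicant performs when "validate server certificate" is enabled, showing that the same server certificate passes against the root that issued it and is rejected against any other root. The function names, the host name `acs.example.test` and both root CAs are constructed for the demonstration; it only covers chain trust, not name or key-usage checks.

```shell
#!/bin/sh
# Added example: every key and certificate below is constructed lab data.

# Return 0 when server certificate $2 chains to a root in trust bundle $1.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Create a throwaway self-signed root: $1 = file prefix, $2 = CN, $3 = config.
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$3" \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Build the lab PKI, then print one verdict per candidate trust bundle.
run_demo() {
    d=$(mktemp -d) || return 2
    cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    make_root "$d/issuing" "Constructed Issuing Root" "$d/req.cnf" &&
    make_root "$d/other" "Constructed Unrelated Root" "$d/req.cnf" &&
    # Stand-in for the ACS server certificate, signed by the issuing root.
    openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
        -subj "/CN=acs.example.test" -keyout "$d/acs.key" \
        -out "$d/acs.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/acs.csr" -CA "$d/issuing.pem" \
        -CAkey "$d/issuing.key" -CAcreateserial -days 2 \
        -out "$d/acs.pem" 2>/dev/null || { rm -rf "$d"; return 2; }
    # A client trusting only "other" is the case that ends in a fatal alert.
    for root in issuing other; do
        if chain_ok "$d/$root.pem" "$d/acs.pem"; then
            echo "$root: trusted"
        else
            echo "$root: certificate unknown"
        fi
    done
    rm -rf "$d"
}
```

To apply the same check to a real deployment, call `chain_ok` with the root certificate exported from the client's trusted store and the certificate installed on the authentication server.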
