PEAP set up

Unanswered Question
Aug 20th, 2007

Does anybody have experience setting up PEAP with ACS in a Windows environment? I've really got a headache.

I used CA services in Windows to issue 2 user certificates to a user account and a computer (XP with SP2). Then I issued a certificate to ACS. I also installed the CA root to ACS. I think I did everything following the Cisco document. However, I got "EAP-TLS or PEAP authentication failed during SSL handshake" in the failed attempts log and "PEAP: ProcessResponse: SSL handshake failed, status = 3 (SSL alert fatal:certificate unknown)" in the CSAuth logs.

Have worked on this issue for 2 weeks but no clue at all. Please help me out.

Jagdeep Gambhir Tue, 08/21/2007 - 07:47


The SSL handshake error points to a certificate issue. Please uncheck validate server cert on the supplicant and then try to connect.

Find attached the peap guide



e.wahl Wed, 08/22/2007 - 01:21


I got the same problem (ACS 4.1)

Unchecking validate server cert makes it work.

But this way clients will accept any server certificate, i.e. man in the middle will be possible!

Is there a way to solve the problem?

Premdeep Banga Wed, 08/22/2007 - 04:22

I don't think MIM is possible, even if you do not check validate server certificate. In PEAP, the supplicant still uses the certificate offered by the server to create an SSL tunnel.

Validating the server certificate is just additional security, where you ensure that you are connecting to the correct RADIUS server, if you have many in your network...



Premdeep Banga Wed, 08/22/2007 - 04:25

And to get the SSL handshake correct,

Ensure that we have *also* installed the root certificate from "ACS Certification Authority Setup" and checked the root certificate from which ACS's server certificate was issued in "Edit Certificate Trust List".
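
Added example, not part of any reply in this thread and not Cisco's procedure: both the trust-list step above and the "validate server certificate" setting come down to whether a certificate chains to a root the verifier trusts. This shell sketch shows that check with `openssl verify` on throwaway certificates it constructs itself; the CA names, `acs.example.test` and the function names are assumptions.

```shell
# Constructed demo material only: throwaway CAs and one server certificate
# in a temp dir. All names are assumptions, not values from the thread.
make_ca() {  # $1 = file prefix, $2 = subject CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

issue_server_cert() {  # $1 = CA prefix, $2 = output prefix, $3 = server CN
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 1 -out "$2.pem" 2>/dev/null
}

# Returns 0 only if the certificate chains to the given trust anchor.
chain_ok() {  # $1 = trusted root PEM, $2 = certificate PEM
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d) || return 1
    make_ca "$dir/root" "Demo Root CA"
    make_ca "$dir/other" "Unrelated Root CA"
    issue_server_cert "$dir/root" "$dir/acs" "acs.example.test"
    # Verifier that trusts the issuing root: the chain validates.
    if chain_ok "$dir/root.pem" "$dir/acs.pem"; then r1=trusted; else r1=untrusted; fi
    # Verifier that only trusts some other root: the same certificate is rejected.
    if chain_ok "$dir/other.pem" "$dir/acs.pem"; then r2=trusted; else r2=untrusted; fi
    rm -rf "$dir"
    echo "issuing-root=$r1 unrelated-root=$r2"
}

demo
```

To run the same check on real files, export the ACS server certificate and the CA root to PEM and pass them to `chain_ok`.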



