Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
992
Views
10
Helpful
5
Replies

PEAP set up

sky_zhang
Level 1
Level 1

‎08-20-2007 07:58 PM - edited ‎07-03-2021 02:30 PM

Does anybody have experience setting up PEAR with ACS in Windows environment? I really got headache.

I used CA services in Windows issue 2 user certificates to a user account and a computer (XP with SP2). Then I issued a certificate to ACS. I also installed the CA root to ACS. I think I did everything following Cisco document. However, I got "EAP-TLS or PEAP authentication failed during SSL handshake"

in failed attempts log and

"PEAP: ProcessResponse: SSL handshake failed, status = 3 (SSL alert fatal:certificate unknown)"in CSAuth logs.

Have worked on this issue for 2 weeks but no clue at all. Please help me out.

Labels:
0 Helpful
5 Replies 5

Jagdeep Gambhir
Level 10
Level 10

‎08-21-2007 07:47 AM

Sky,

SSL handshake points out to certificate issue. Please uncheck validate server cert on suplicant and then try to connect.

Find attached the peap guide

Regards,

JG

Preview file
147 KB

e.wahl
Level 1
Level 1
In response to Jagdeep Gambhir

‎08-22-2007 01:21 AM

Hi

I got the same problem (ACS 4.1)

Unchecking validate server cert makes it working.

But this way clients will accept any server certificate, i.e. man in the middle will be possible !

Is there a way to solve the probleme ?

0 Helpful

Premdeep Banga
Level 7
Level 7
In response to e.wahl

‎08-22-2007 04:22 AM

I don?t think MIM is possible. Even if you do not check validate server certificate. In PEAP, still supplicant uses the certificate offered by Server as to create an SSL tunnel.

Validating server certificate is just an additional security, where you ensure that you are connecting to correct Radius server, if you have many in your network...

Regards,

Prem

0 Helpful

Premdeep Banga
Level 7
Level 7

‎08-22-2007 04:25 AM

And to get correct the SSL handshake,

Ensure that we have *also* installed the root certificate, from "ACS Certification Authority Setup" and checked that root certificate from where ACS's server certificate was issued in "Edit Certificate Trust List"

Regards,

Prem

sky_zhang
Level 1
Level 1
In response to Premdeep Banga

‎08-23-2007 10:35 AM

Thanks man!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card