08-20-2007 07:58 PM - edited 07-03-2021 02:30 PM
Does anybody have experience setting up PEAP with ACS in a Windows environment? I've really got a headache.
I used CA services in Windows to issue 2 user certificates to a user account and a computer (XP with SP2). Then I issued a certificate to ACS. I also installed the CA root to ACS. I think I did everything following the Cisco document. However, I got "EAP-TLS or PEAP authentication failed during SSL handshake" in the failed attempts log and "PEAP: ProcessResponse: SSL handshake failed, status = 3 (SSL alert fatal:certificate unknown)" in the CSAuth logs.
I have worked on this issue for 2 weeks but have no clue at all. Please help me out.
08-21-2007 07:47 AM
08-22-2007 01:21 AM
Hi
I got the same problem (ACS 4.1).
Unchecking "validate server cert" makes it work.
But this way clients will accept any server certificate, i.e. a man in the middle will be possible!
Is there a way to solve the problem?
08-22-2007 04:22 AM
I don't think MIM is possible, even if you do not check "validate server certificate". In PEAP, the supplicant still uses the certificate offered by the server to create an SSL tunnel.
Validating the server certificate is just additional security, where you ensure that you are connecting to the correct RADIUS server, if you have many in your network...
Regards,
Prem
08-22-2007 04:25 AM
And to get the SSL handshake correct,
ensure that we have *also* installed the root certificate from "ACS Certification Authority Setup" and checked the root certificate from which ACS's server certificate was issued in "Edit Certificate Trust List".
Regards,
Prem
08-23-2007 10:35 AM
Thanks man!