Trust Agent Problem: EAP-TLS or PEAP authentication failed

Unanswered Question
Oct 2nd, 2007

I'm currently experiencing problems with the installation of the ACS certificate on the client. I'm using an external CA certificate that is correctly installed on the ACS server (see other topic).


Now the client also needs the ACS certificate to be added so that an EAP tunnel can be established between the client (Trust Agent) and the ACS server.


Notice that the CA root certificate is added on the client under "Trusted Root Certificates", so that shouldn't be the problem.


When I'm using the supplied tool "ctacert.exe" like this:


ctacert.exe /add "C:\cert.cer" /store "root"


...I always get the following error:


"Cisco Systems Trust Agent Certificate has encountered a problem and needs to close. We are sorry for the inconvenience."


The next step I tried is to install the certificate manually (by double-clicking it and choosing the option "Install certificate"). I chose to install it in "Trusted Root Certification Authorities/Local Computer" (the so-called physical store). This was successful. However, the certificate, for some reason, isn't placed in "Trusted Root Certification Authorities", but in the "Other People" store.


When I'm starting up the client computer I get prompted for the username several times, and sometimes I receive the following pop-up prompt:


"You have no certificate in your personal store to be used as credentials for authentication with network Cisco Trust Agent 802.1x ..."


There aren't any ACLs and such on the test routers, so that can't be the problem.


Any help is greatly appreciated.
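Added diagnostic for the symptom described above (the certificate ending up in "Other People" instead of "Trusted Root Certification Authorities"); this is not code from the thread or from Cisco. It assumes Windows PowerShell on the client, and the file path is a placeholder. It loads the .cer file, reports whether it is self-signed (only a self-signed CA certificate belongs in the Root store) and then searches every Local Computer store for that thumbprint so you can see where the import actually landed.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell with the Cert: drive.
param(
    [string]$CerPath = 'C:\cert.cer'   # placeholder path; point this at the real file
)

# Load the certificate file from disk without importing it anywhere.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
Write-Host "Subject    : $($cert.Subject)"
Write-Host "Issuer     : $($cert.Issuer)"
Write-Host "Thumbprint : $($cert.Thumbprint)"

# Heuristic: a root CA certificate is self-signed (subject equals issuer).
# An intermediate CA or a server certificate is not, and does not belong in Root.
if ($cert.Subject -eq $cert.Issuer) {
    Write-Host "Self-signed: this belongs in Cert:\LocalMachine\Root (Trusted Root CAs)"
} else {
    Write-Host "Not self-signed: this belongs in Cert:\LocalMachine\CA (Intermediate CAs), not Root"
}

# Store names as the Cert: provider exposes them, mapped to what the MMC shows.
$storeNames = @{
    'Root'          = 'Trusted Root Certification Authorities'
    'CA'            = 'Intermediate Certification Authorities'
    'AddressBook'   = 'Other People'
    'My'            = 'Personal'
    'TrustedPeople' = 'Trusted People'
}

# Walk every Local Computer store and look for the same thumbprint.
$found = @()
foreach ($store in Get-ChildItem Cert:\LocalMachine) {
    $hit = Get-ChildItem "Cert:\LocalMachine\$($store.Name)" -ErrorAction SilentlyContinue |
           Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if ($hit) {
        $label = if ($storeNames.ContainsKey($store.Name)) { $storeNames[$store.Name] } else { $store.Name }
        $found += $store.Name
        Write-Host "Found in store: $($store.Name) ($label)"
    }
}

if ($found.Count -eq 0) {
    Write-Warning "Certificate is not present in any Local Computer store; the import did not take."
} elseif ($found -contains 'AddressBook' -and $found -notcontains 'Root') {
    Write-Warning "Only present in 'Other People' (AddressBook). It will not be trusted as a root CA there; re-import it into Cert:\LocalMachine\Root."
}
```

Run it from an elevated prompt, since the Local Computer stores require administrator rights to enumerate fully.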


bert.lefevre Wed, 10/03/2007 - 02:04

I always get the message "You have no certificate in your personal store to be used as credentials for authentication with network Cisco Trust Agent 802.1x wired client, access "


But, as the EAP type is EAP-FAST, I thought that no certificates were needed on either side to set up the tunnel? So I don't understand why it says that there isn't a personal certificate?

bert.lefevre Wed, 10/03/2007 - 06:50

Looks like I found the solution myself:


My client is in a test Windows domain, but the ACS isn't yet configured for external user database use. So I'm only using the internal database.


If you're in the same test situation, make sure that under "Global Authentication Setup > EAP-FAST configuration" the option "Require client certificate for provisioning" is unmarked under "allow authenticated PAC provisioning". Otherwise, the EAP-FAST SSL-tunnel might not be established.


grtz
