Trust Agent Problem: EAP-TLS or PEAP authentication failed

bert.lefevre
Level 1

I'm currently experiencing problems with the installation of the ACS-certificate on the client. I'm using an external CA-certificate that is correctly installed on the ACS-server (see other topic).

Now the clients also need the ACS certificate to be added so that an EAP tunnel can be established between the client (Trust Agent) and the ACS server.

Notice that the CA Root-certificate is added on the client under "Trusted Root Certificates" so that shouldn't be the problem.

When I'm using the supplied tool "ctacert.exe" like this:

ctacert.exe /add "C:\cert.cer" /store "root"

...I always get the following error:

"Cisco Systems Trust Agent Certificate has encountered a problem and needs to close. We are sorry for the inconvenience."

The next step I tried is to install the certificate manually (by double-clicking it and choosing the option "Install certificate"). I've chosen to install it in "Trusted Root Certification Authorities/Local Computer" (the so-called physical store). This was successful. However, the certificate, for some reason, isn't placed in "Trusted Root Certification Authorities", but in the "Other People" store.

When I'm starting up the client-computer I get prompted for the username several times, and sometimes I receive the following pop-up prompt:

"You have no certificate in your personal store to be used as credentials for authentication with network Cisco Trust Agent 802.1x ..."

There aren't any ACLs and stuff on the testrouters so that can't be the problem.

Any help is greatly appreciated.
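The post describes a certificate that was imported "successfully" yet ended up in the "Other People" store instead of "Trusted Root Certification Authorities". The following PowerShell check is an added example and is not part of the original thread or of Cisco's tooling: it reads the thumbprint of the .cer file, reports which computer and user stores actually contain it (the store that the MMC snap-in shows as "Other People" is internally named AddressBook), warns when the file is not a self-signed root, and imports it into the machine Root store with certutil when it is missing. The path C:\cert.cer is taken from the post; the use of certutil.exe in place of ctacert.exe is an assumption of this example.

```powershell
# Added example (not from the original post): locate a CA certificate in the
# Windows certificate stores and put it into LocalMachine\Root if it is absent.
# Assumes the file path from the post and that certutil.exe is on the PATH.
param([string]$CerPath = "C:\cert.cer")

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
Write-Host "Subject   : $($cert.Subject)"
Write-Host "Issuer    : $($cert.Issuer)"
Write-Host "Thumbprint: $($cert.Thumbprint)"

# Only a self-signed certificate belongs in a Root store. An end-entity (server)
# certificate or an intermediate CA landing there is a sign the wrong file was picked.
if ($cert.Subject -ne $cert.Issuer) {
    Write-Warning "Certificate is not self-signed; it is not a CA root. Import the root that issued it instead."
}

# Friendly MMC names on the left, internal store names used by the Cert: drive on the right.
$stores = @(
    "Cert:\LocalMachine\Root",        # Trusted Root Certification Authorities (computer)
    "Cert:\LocalMachine\CA",          # Intermediate Certification Authorities (computer)
    "Cert:\LocalMachine\AddressBook", # Other People (computer)
    "Cert:\CurrentUser\Root",         # Trusted Root Certification Authorities (user)
    "Cert:\CurrentUser\AddressBook"   # Other People (user)
)

$found = @()
foreach ($store in $stores) {
    $hit = Get-ChildItem $store -ErrorAction SilentlyContinue |
           Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if ($hit) {
        Write-Host "FOUND in $store"
        $found += $store
    }
}

if ($found.Count -eq 0) {
    Write-Host "Certificate not present in any of the checked stores."
}

# The machine Root store is the one a service such as the Trust Agent consults;
# a copy in a user store or in "Other People" does not make the CA trusted for it.
if ($found -notcontains "Cert:\LocalMachine\Root") {
    Write-Host "Not in LocalMachine\Root; importing with certutil (run from an elevated prompt)."
    # -addstore Root in the machine context is the certutil equivalent of
    # ctacert.exe /add "C:\cert.cer" /store "root" from the post.
    certutil.exe -addstore -f Root $CerPath
}
```

Run it from an administrative PowerShell prompt; listing the stores works unprivileged, but writing to the LocalMachine Root store does not. The Subject/Issuer warning is the quick way to tell a CA root apart from the ACS server certificate itself, which is a common mix-up when the two are exported from the same server.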

2 Replies

bert.lefevre
Level 1

I always get the message "You have no certificate in your personal store to be used as credentials for authentication with network Cisco Trust Agent 802.1x wired client, access "

But, as the EAP-type is EAP-FAST, I thought that no certificates were needed on both sides to perform the tunnel? So I don't understand why he says that there isn't a personal certificate?

Looks like I found the solution myself:

My client is in a test Windows domain, but the ACS isn't yet configured for external user database use. So I'm only using the internal database.

If you're in the same test situation, make sure that under "Global Authentication Setup > EAP-FAST configuration" the option "Require client certificate for provisioning" is unmarked under "allow authenticated PAC provisioning". Otherwise, the EAP-FAST SSL-tunnel might not be established.

grtz
