ACS SE 4.1 + AD + PEAP

Unanswered Question
May 27th, 2008

Hi All,

Need help.

I've installed ACS SE 4.1 for the PEAP authentication with Microsoft AD, but it failed with the following message in the ACS: "EAP-TLS or PEAP authentication failed during SSL handshake"

The client is not using any certs.

Thanks in advance.

Scott Fella Tue, 05/27/2008 - 17:38

The reason you are getting this is either the certificate is not installed correctly on the ACS or you have "validate server certificate" checked on the client side, preventing the certificate from being used. Try unchecking that on the client side.

naive.naive Tue, 05/27/2008 - 17:56

The client side is unchecked for the certificate, and I've reinstalled the cert on the ACS server, but I'm still getting the same error message.

Any other clue?

Scott Fella Tue, 05/27/2008 - 18:02

What type of cert are you using? Also verify that it is installed in the computer account personal certificate store. It is definitely a certificate issue.

naive.naive Tue, 05/27/2008 - 18:06

There is an option of not using certs for PEAP, right? I do not want to use the cert for the authentication, but the cert is installed (generated) in the ACS. The client side is disabled for getting the certs from the ACS.

Hope this will clear your doubt.

Scott Fella Tue, 05/27/2008 - 18:09

PEAP, like any EAP type, needs a certificate installed. I have tried to generate a certificate from ACS, but never got that to work. I got the same SSL error you got. Users have to obtain that cert from the ACS in order to continue with the authentication process.

andrew.brazier@... Fri, 05/30/2008 - 03:16

The easiest thing to do is to obtain a cert for the ACS SE from an online CA. The one I always recommend is www.rapidssl.com as they are reasonably cheap and the whole order process takes about half an hour to work through. If you generate the CSR on the ACS, obtain your cert and install it, you can leave the check boxes checked on your clients as the RapidSSL root cert is built into Windows/IE.

The only thing to be careful of is that before you generate the CSR, remove the existing self-signed cert from the ACS SE. Failure to do so can sometimes lead to problems.
