SSL problems with VeriSign certificates

Unanswered Question
Jun 30th, 2008

I'm running a WLAN with a pair of ACS 3.3(2) servers and 1200 series APs. I use AES encryption and PEAP MS-CHAP authentication.

Everything was running fine until I renewed the SSL cert for the two servers. After the new cert was installed a large number of clients could not connect. A workaround was to check the option "Allow intermediate certificates" on the client. Some clients don't even have this option and I didn't want to have to reconfigure all the clients (in the 1000s) unless absolutely necessary as most don't have SMS yet. I ended up installing a certificate without an intermediate CA from RapidSSL and it works as before.

I had a TAC case open but this only came to the conclusion that the new certificate was the problem.

Has anyone else got this working or is this unsupported?

Scott Fella Tue, 07/01/2008 - 03:26

The problem is that Verisign gave you a chained cert. They will stop issuing root unchained certs at the end of September. So your best bet is to go with RapidSSL or, if you really want a Verisign cert, to call them and request one. They will tell you that they will no longer support it in the future.

The WLC doesn't support any chained certs, only root CA unchained certs.

Hope this helps.

patrickdonlon Mon, 07/07/2008 - 00:12

I got in touch with Verisign and have now been issued with unchained certs. They also said end of Sept is when they stop doing this.

I wonder if Cisco is working on integrating this into the WLC?

Scott Fella Mon, 07/07/2008 - 03:10

The only thing with this is that the WLC has to be able to look up and verify the chained cert. So far, I haven't heard that they will support this, since you can get unchained root certs.

patrickdonlon Tue, 07/08/2008 - 11:56

I have solved one problem and it seems to have created even more. The XP clients in more than one country can't authenticate unless they uncheck the validate certificate option.

Does this mean the cert is not correctly installed on the ACS server?

I've been sent screenshots of the client config and they would accept a cert when it was configured. Is this normal, or is it again a server issue?

Scott Fella Tue, 07/08/2008 - 12:52

No... check the client side, they might have to check one of the Trusted Root Certification Authorities.

patrickdonlon Tue, 07/15/2008 - 06:49

Just thought I'd follow up on this one. It turned out the RapidSSL cert wasn't trusted on the clients, probably as it was a month trial. The Verisign unchained cert fixed the last of the problems.
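The two failure modes in this thread (a chained server cert that the supplicant cannot link to a trusted root unless it is allowed to use the intermediate, and a cert whose issuing root is simply absent from the client's trust store) both come down to certification path building. The following is an added example, not code from the thread or from Cisco, that models that path-building step on constructed certificates: it tracks only subject/issuer names and performs no signature checks, so it illustrates the logic rather than replacing a real validator. The certificate names, the `allow_intermediates` flag and the function names are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# A deliberately minimal certificate model: real path validation also checks
# signatures, validity periods, name constraints and key usage. Here only the
# issuer link matters, which is enough to show why the clients in the thread failed.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


def build_chain(leaf: Cert,
                trusted_roots: Iterable[Cert],
                usable_intermediates: Iterable[Cert] = (),
                max_depth: int = 5) -> Optional[List[Cert]]:
    """Walk issuer links from the leaf until a trusted root is reached.

    Returns the ordered chain (leaf first, trust anchor last), or None when
    the next issuer is neither a trusted root nor an intermediate the
    validator is permitted to use.
    """
    roots = {c.subject: c for c in trusted_roots if c.is_self_signed}
    extras = {c.subject: c for c in usable_intermediates}
    chain = [leaf]
    current = leaf
    for _ in range(max_depth):
        if current.issuer in roots:            # reached a trust anchor
            chain.append(roots[current.issuer])
            return chain
        nxt = extras.get(current.issuer)
        if nxt is None:                        # missing link: path cannot be built
            return None
        chain.append(nxt)
        current = nxt
    return None                                # chain too long; treat as failure


def client_accepts(leaf: Cert,
                   presented_intermediates: Iterable[Cert],
                   trusted_roots: Iterable[Cert],
                   allow_intermediates: bool) -> bool:
    """Model a supplicant that, like the XP clients described above, only
    uses intermediates sent by the server when the option is enabled."""
    usable = presented_intermediates if allow_intermediates else ()
    return build_chain(leaf, trusted_roots, usable) is not None


# Constructed sample PKI (names are placeholders, not real CA names).
ROOT_A = Cert("Example Root CA A", "Example Root CA A")
INTER_A = Cert("Example Intermediate CA A1", "Example Root CA A")
ROOT_B = Cert("Example Root CA B (trial)", "Example Root CA B (trial)")

CHAINED_LEAF = Cert("acs.example.test", "Example Intermediate CA A1")   # chained cert
UNCHAINED_LEAF = Cert("acs.example.test", "Example Root CA A")          # issued directly by root
TRIAL_LEAF = Cert("acs.example.test", "Example Root CA B (trial)")      # root not in client store

CLIENT_TRUST_STORE = [ROOT_A]   # ROOT_B deliberately absent


def scenario_results() -> dict:
    """Evaluate the situations from the thread; returns name -> accepted?"""
    return {
        "chained, intermediates not allowed":
            client_accepts(CHAINED_LEAF, [INTER_A], CLIENT_TRUST_STORE, False),
        "chained, intermediates allowed":
            client_accepts(CHAINED_LEAF, [INTER_A], CLIENT_TRUST_STORE, True),
        "unchained, intermediates not allowed":
            client_accepts(UNCHAINED_LEAF, [], CLIENT_TRUST_STORE, False),
        "untrusted root, intermediates allowed":
            client_accepts(TRIAL_LEAF, [], CLIENT_TRUST_STORE, True),
    }


if __name__ == "__main__":
    for name, ok in scenario_results().items():
        print(f"{name:40s} -> {'accepted' if ok else 'REJECTED'}")
```

Run as-is, the script shows the chained cert rejected until intermediates are allowed, the unchained cert accepted without any client change, and the trial-root cert rejected regardless of the intermediate setting, which is the sequence of symptoms reported in the thread. When troubleshooting a real deployment the equivalent check is to confirm which issuer the server cert names and whether that issuer (not just the ultimate root) is something the supplicant is able to use.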
