Have a wireless test network set up with Cisco 1131AG LAPs, c6500 WiSM module (4404-WLC) authenticating to a Cisco ACS appliance (1113) using PEAP and MSCHAPv2 authentication.
The laptops have the Cisco SSC client installed (together with the SSC Mgmt utility).
A self-signed certificate was created on the ACS and the root certificate exported and installed on the laptop's TCL.
If the CSSC "Server validation" box is not selected, the authentication process works and I'm able to connect to the network.
If the CSSC "Server Validation" box is selected, the authentication fails.
Troubleshooting the issue, it appears that the client is rejecting the Server certificate:
"Server certificate chain is invalid"
On the ACS, in the "failed" authentication logs, the following message is stated:
"Authentication failed during SSL handshake" (which obviously relates to the invalid chain bit)
When creating the self-signed certificate, is there a specific directory where the server certificate should be located? Like c:\cert\certificate.cer
Also, does the certificate name have to match the ACS hostname?
Any hints or pointers would be appreciated.
The issue is that when you check the Server validation box, you must make sure you have the CA in the Trusted Root Certification Authority. For example, in Windows... there is a list of CA servers in which you need to check the Validate Server Certificate and also check one of the Root CAs on the list. If the Root CA is not listed, then you need to add that to the list and check it.
You are correct about the client rejecting the server cert... Authentication failed during SSL handshake
This doc will give you some insight:
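Separately from the document the reply refers to, the trust-anchor behaviour described in the answer can be reproduced offline with OpenSSL. This is an added example, not part of the thread and not Cisco tooling; the certificates, CN values and file names are constructed placeholders, and the trust file stands in for the client's trusted root list.

```bash
#!/usr/bin/env bash
# Constructed lab data: throwaway self-signed certificates. The CN values
# and file names are placeholders, not values from the thread.

# make_self_signed PREFIX CN -> writes PREFIX.key and PREFIX.pem
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# verdict TRUST_FILE SERVER_CERT -> prints "accepted" or "rejected".
# TRUST_FILE plays the role of the client's trusted root list.
verdict() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

demo() {
  local d
  d=$(mktemp -d) || return 1
  make_self_signed "$d/acs" "acs.example.test" || return 1
  make_self_signed "$d/other" "other-root.example.test" || return 1

  # Server validation on, server's self-signed cert is in the trust list.
  echo "cert present in trust list: $(verdict "$d/acs.pem" "$d/acs.pem")"
  # Server validation on, trust list holds only an unrelated root.
  echo "cert absent from trust list: $(verdict "$d/other.pem" "$d/acs.pem")"

  # Subject, issuer and fingerprint to compare against what the client holds.
  openssl x509 -in "$d/acs.pem" -noout -subject -issuer -fingerprint -sha256
  rm -rf "$d"
}

demo
```

Running the last `openssl x509` command against the certificate exported from the server and against the copy installed on the client shows whether the two are the same certificate.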