ACS authentication with PEAP / MSCHAPv2 - client rejecting server

Answered Question
Aug 5th, 2008

Hi,

Have a wireless test network setup with Cisco 1131AG LAPs, c6500 WiSM module (4404-WLC) authenticating to a Cisco ACS appliance (1113) using PEAP and MSCHAPv2 authentication.

The laptops have the Cisco SSC client installed (together with the SSC Mgmt utility).

A self-signed certificate was created on the ACS and the root certificate exported and installed on the Laptop's TCL.

If the CSSC "Server validation" box is not selected, the authentication process works and I'm able to connect to the network.

If the CSSC "Server Validation" box is selected, the authentication fails....

Troubleshooting the issue, it appears that the client is rejecting the Server certificate:

"Server certificate chain is invalid"

On the ACS, in the "failed" authentication logs, the following message is stated:

"Authentication failed during SSL handshake" (which obviously relates to the invalid chain bit)

Any ideas?

When creating the self-signed certificate, is there a specific directory where the server certificate should be located? like c:\cert\certificate.cer

Also, must the certificate name match the ACS hostname?

i.e."CN=<hostname>"

Any hints or pointers would be appreciated.

Thanks

Correct Answer by Scott Fella about 8 years 6 months ago

The issue is that when you check the Server validation Box, you must make sure you have the CA in the Trusted Root Certification Authority. For example, in windows.... there is a list of CA servers in which you need to check the Validate Server Certificate and also check one of the Root CA's on the list. If the Root CA is not listed, then you need to add that to the list and check it.

You are correct about the client rejecting the server cert.... Authentication failed during SSL handshake

This doc will give you some insight:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080545a29.shtml


drewgeeing Tue, 08/05/2008 - 18:25

Mate,

The document gave me a couple of pointers to resolve the issue:

1) It stated that when using the ACS self-signed certificate, the key size can not be greater than 1024 (ACS has an option for 2048 key size) when using PEAP [had configured 2048]

2) Had the client's Root Certificate in the wrong directory - should have been under "local computer", not a specific user.

Full marks - thank you very much!

Cheers

Scott Fella Tue, 08/05/2008 - 18:29

You should keep the size to 1024. I have tried using a key size other than 1024 and had issues, so follow the 1024 rule.

If you install the cert in the local computer under "Trusted Root Certification Authorities | Certificates" then this will add the ACS CA to the list.

Hope this helps.
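As an added diagnostic (not from this thread or any Cisco tool), the following PowerShell checks the points raised above on a Windows client: whether the exported ACS certificate is in the computer's Trusted Root store rather than only the user's, its RSA key size against the 1024-bit limit the thread settled on, whether its CN matches the ACS hostname, and whether a chain can be built from it. The certificate path and ACS hostname are placeholders you supply.

```powershell
# Added diagnostic; not part of the thread or any Cisco tool.
# Assumed inputs (placeholders): the exported ACS cert and the ACS hostname.
$CertPath    = 'C:\cert\acs-root.cer'
$AcsHostname = 'acs.example.local'

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
Write-Host "Subject:    $($cert.Subject)"
Write-Host "Thumbprint: $($cert.Thumbprint)"

# 1) Store placement: the fix in the thread was the computer store, not a user's,
#    so LocalMachine\Root is the one that must report 'present'.
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    $present = Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    $state = if ($present) { 'present' } else { 'MISSING' }
    Write-Host "$store : $state"
}

# 2) Key size: the thread reports PEAP failing with a 2048-bit ACS self-signed cert.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
$keyBits = if ($rsa) { $rsa.KeySize } else { $cert.PublicKey.Key.KeySize }
if ($keyBits -gt 1024) { Write-Warning "Key size is $keyBits bits; the thread's working size was 1024." }
else { Write-Host "Key size: $keyBits bits" }

# 3) CN versus the ACS hostname (the question asks whether these must match).
$cn = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' }) -replace '^CN=', ''
if ($cn -ieq $AcsHostname) { Write-Host "CN matches '$AcsHostname'" }
else { Write-Warning "CN '$cn' does not match ACS hostname '$AcsHostname'" }

# 4) Chain build from this session's view of the trust stores; the status text
#    explains a client-side "Server certificate chain is invalid".
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($cert)) { Write-Host 'Chain builds OK' }
else { $chain.ChainStatus | ForEach-Object { Write-Warning "Chain: $($_.Status) - $($_.StatusInformation.Trim())" } }
```

Run it in an elevated session so the LocalMachine store is readable; the chain build reflects the stores visible to that session, which is why the store listing in step 1 is the check that matters for a service-based supplicant.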
