Wired 802.1x EAP-TLS Server Certificate Problem

Unanswered Question
Aug 27th, 2008

I have set up wired 802.1x authentication using EAP-TLS with ACS 3.3 and a backend link to Active Directory. Root CA certificates are installed on the ACS and the client PC. Machine certificates and user certificates are also installed on the client PC. A server certificate is installed on the ACS. All has been configured as detailed on the Cisco web site (numerous documents).

If I set the client to authenticate the server's certificate I get a failure. The client's log (Cisco Secure Services Client) states:

11:48:53.088 Validating the server.
11:48:53.088 Server list is empty, trusted server can not be validated.
11:48:53.088 Server list is empty, trusted server can not be validated.
11:48:53.088 The server certificate is invalid, the common name ACS-One.rotherham.gov.uk does not match.
11:48:54.776 The authentication process has failed.

If I look at the Auth log on ACS (set to full logging) it states:

AUTH 08/27/2008 14:09:04 I 0701 1492 AuthenProcessResponse: process response for '[email protected]' against Windows NT/2000
AUTH 08/27/2008 14:09:04 E 0350 1492 EAP: TLS: ProcessResponse: SSL handshake failed, status = 3 (SSL alert fatal:bad certificate)

If I configure the client not to check the server's certificate, it all works OK.

Can anyone tell me why my server certificate is getting rejected?



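As an added illustration, not code from this thread or from Cisco, the block below models the supplicant-side server-validation step whose messages appear in the client log above: it shows why an empty trusted-server list can never let the common name match, and what a populated list (exact name or a constructed "*.domain" entry) changes. The certificate fields, the trusted-server list format and the matching rules are assumptions for the example, not Cisco SSC's documented algorithm.

```python
# Added example (not from the thread): a simplified model of how an 802.1X
# supplicant validates the EAP-TLS server certificate before trusting it.
# The cert fields and trusted-server entries are constructed sample data; the
# matching rules are an assumption, not Cisco SSC's documented behaviour.
from dataclasses import dataclass, field


@dataclass
class ServerCert:
    common_name: str
    dns_sans: list[str] = field(default_factory=list)
    issuer_trusted: bool = True  # chains to a root CA installed on the client


def _name_matches(cert_name: str, trusted: str) -> bool:
    """Case-insensitive exact match, or a '*.suffix' entry matching one label."""
    cert_name, trusted = cert_name.lower(), trusted.lower()
    if trusted.startswith("*."):
        suffix = trusted[1:]  # '*.rotherham.gov.uk' -> '.rotherham.gov.uk'
        same_depth = cert_name.count(".") == trusted.count(".")
        return cert_name.endswith(suffix) and same_depth
    return cert_name == trusted


def validate_server(cert: ServerCert, trusted_servers: list[str]) -> tuple[bool, str]:
    """Return (accepted, reason). Rejection reasons mirror the client log above."""
    if not cert.issuer_trusted:
        return False, "The server certificate is not issued by a trusted CA."
    if not trusted_servers:
        # This is the condition behind "Server list is empty" in the log: with no
        # trusted server names configured, no common name can ever match.
        return False, "Server list is empty, trusted server can not be validated."
    for name in [cert.common_name, *cert.dns_sans]:
        if any(_name_matches(name, t) for t in trusted_servers):
            return True, f"Server validated as {name}."
    return False, (f"The server certificate is invalid, the common name "
                   f"{cert.common_name} does not match.")


if __name__ == "__main__":
    cert = ServerCert("ACS-One.rotherham.gov.uk")
    print(validate_server(cert, []))                          # the poster's case
    print(validate_server(cert, ["acs-one.rotherham.gov.uk"]))  # exact name
    print(validate_server(cert, ["*.rotherham.gov.uk"]))        # domain entry
```
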
hadbou Tue, 09/02/2008 - 05:46

If Cisco Secure ACS runs on a member server and any user is to be authenticated using EAP-TLS, you must complete additional configuration in Active Directory of the domain containing Cisco Secure ACS. The username that you configured to run all Cisco Secure ACS services must also have permission to read user properties in Active Directory, else EAP-TLS authentication fails.

paul.l.kyte Tue, 09/02/2008 - 08:39

Can you tell me where I find this username, as I don't know what it is?


