Wired 802.1x EAP-TLS Server Certificate Problem

paul.l.kyte
Level 1

I have set up wired 802.1x authentication using EAP-TLS with ACS 3.3 and a backend link to Active Directory. Root CA certificates are installed on the ACS and the client PC. Machine certificates and user certificates are also installed on the client PC. A server certificate is installed on the ACS. All has been configured as detailed on the Cisco website (numerous documents).

If I set the client to authenticate the server's certificate I get a failure. The client's log (Cisco Secure Services Client) states:

11:48:53.088 Validating the server.
11:48:53.088 Server list is empty, trusted server can not be validated.
11:48:53.088 Server list is empty, trusted server can not be validated.
11:48:53.088 The server certificate is invalid, the common name ACS-One.rotherham.gov.uk does not match.
11:48:54.776 Port state transition to AC_PORT_STATE_UNAUTHENTICATED(AC_PORT_STATUS_ERR_SERVER_TLS_CERTIFICATE_REJECTED)
11:48:54.776 The authentication process has failed.

If I look at the Auth log on ACS (set to full logging) it states:

AUTH 08/27/2008 14:09:04 I 0701 1492 AuthenProcessResponse: process response for 'paul.kyte@domain' against Windows NT/2000
AUTH 08/27/2008 14:09:04 E 0350 1492 EAP: TLS: ProcessResponse: SSL handshake failed, status = 3 (SSL alert fatal:bad certificate)

If I configure the client not to check the server's certificate, it all works OK.

Can anyone tell me why my server certificate is getting rejected?

Thanks,

Paul
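The two log excerpts above tell the same story from opposite ends: the supplicant's port error says it rejected the server certificate, and the ACS "bad certificate" alert is what a client sends when it does so. The following is an added example, not code from the post or from Cisco: it parses constructed copies of both log formats, correlates them, and models the supplicant's trusted-server rule the log describes (the exact-match, case-insensitive comparison is an assumption about CSSC, not documented on this page).

```python
import re
# Constructed sample: the supplicant (CSSC) and ACS auth-log lines quoted in the post.
CSSC_LOG = """\
11:48:53.088 Validating the server.
11:48:53.088 Server list is empty, trusted server can not be validated.
11:48:53.088 The server certificate is invalid, the common name ACS-One.rotherham.gov.uk does not match.
11:48:54.776 Port state transition to AC_PORT_STATE_UNAUTHENTICATED(AC_PORT_STATUS_ERR_SERVER_TLS_CERTIFICATE_REJECTED)
11:48:54.776 The authentication process has failed.
"""
ACS_LOG = """\
AUTH 08/27/2008 14:09:04 I 0701 1492 AuthenProcessResponse: process response for 'paul.kyte@domain' against Windows NT/2000
AUTH 08/27/2008 14:09:04 E 0350 1492 EAP: TLS: ProcessResponse: SSL handshake failed, status = 3 (SSL alert fatal:bad certificate)
"""

def parse_cssc(text):
    """Facts from the supplicant log: trusted-server list empty? which CN was presented? port error?"""
    info = {"server_list_empty": False, "presented_cn": None, "port_error": None}
    for line in text.splitlines():
        if not (m := re.match(r"^\d\d:\d\d:\d\d\.\d{3} (.*)$", line)):  # timestamp, message
            continue
        msg = m.group(1)
        info["server_list_empty"] |= "Server list is empty" in msg
        if cn := re.search(r"common name (\S+) does not match", msg):
            info["presented_cn"] = cn.group(1)
        if pe := re.search(r"AC_PORT_STATE_UNAUTHENTICATED\((\w+)\)", msg):
            info["port_error"] = pe.group(1)
    return info

def acs_tls_alert(text):
    """TLS alert named in an E-level line of the ACS auth log (date time level code thread msg), else None."""
    for line in text.splitlines():
        if m := re.match(r"^AUTH \S+ \S+ E \d{4} \d+ .*SSL alert ([^)]+)\)", line):
            return m.group(1)
    return None

def trusted_server_check(presented_cn, trusted_servers):
    """Model of the supplicant rule the log shows (assumed: exact, case-insensitive CN match)."""
    if not trusted_servers:
        return "Server list is empty, trusted server can not be validated."
    if presented_cn.lower() not in {s.lower() for s in trusted_servers}:
        return f"The server certificate is invalid, the common name {presented_cn} does not match."
    return "ok"

def diagnose(cssc_text, acs_text):
    """Supplicant TLS_CERTIFICATE_REJECTED plus a fatal bad-certificate alert at ACS: the client refused the server cert."""
    c, alert = parse_cssc(cssc_text), acs_tls_alert(acs_text)
    if c["port_error"] == "AC_PORT_STATUS_ERR_SERVER_TLS_CERTIFICATE_REJECTED" and alert == "fatal:bad certificate":
        return f"client rejected CN={c['presented_cn']} (trusted list empty: {c['server_list_empty']})"
    return "no server-certificate rejection found"
```

Running `diagnose(CSSC_LOG, ACS_LOG)` points at the client-side trusted-server configuration rather than at ACS or the certificate chain, which is the first thing to check before touching the AD side.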

2 Replies

hadbou
Level 5

If Cisco Secure ACS runs on a member server and any user is to be authenticated using EAP-TLS, you must complete additional configuration in Active Directory of the domain containing Cisco Secure ACS. The username that you configured to run all Cisco Secure ACS services must also have permission to read user properties in Active Directory, else EAP-TLS authentication fails.

Can you tell me where I find this username, as I don't know what it is.

Thanks
