EAP-TLS failed Reason: Bad Certificate

Oct 28th, 2008


I have:

PCSTATION------>AP1250-------->WLC-1---->ACS4.1(radius)------->MS CA

PCSTATION (00:11:00:22:00:33)

AP1250 (00:44:00:55:00:66)


I'm trying to set up EAP-TLS authentication in my lab. I have followed the procedure from the Cisco documentation:

EAP-TLS under Unified Wireless Network with ACS 4.0 and Windows 2003

But I can't connect my client PCSTATION to SSID JELEN. On my ACS4.1 > Reports and Activity > Failed attempts I have:

Authen-Failure-Code: EAP-TLS or PEAP authentication failed during SSL handshake

I am sending you the output from Wireshark. You can see that the reason for the failure is:

TLSv1 Alert (Level: Fatal, Description: Bad Certificate)

What is the problem? I think that I have valid certificates on ACS4.1 and on the client station PCSTATION.

Please help


drolemc Mon, 11/03/2008 - 14:31

As we can see, we are able to get clients authenticated when we deselect 'Validate Server Certificate', and we get the 'EAP-TLS or PEAP authentication failed during SSL handshake' error.

It's possible that the certificate on the client is not properly able to authenticate the ACS server certificate.

Please check the following:

Install the Root CA Certificate for the Client :

Complete these steps.

[1] From the client PC, browse to the CA at http://IP_of_CA_server/certsrv/.

[2] Select Retrieve a CA certificate and click Next.

[3] Select Base64 Encoding and Download CA certificate.

[4] Click Open and select Install Certificate.

[5] Click Next.

[6] Select Place all certificates in the following store and then click Browse.

[7] Check the Show physical stores box.

[8] Expand Trusted root certification authorities, select local computer, and click OK.

[9] Click Next, click Finish, and click OK for "The import was successful" box.

Also check the root CA that we have installed on the client under 'Validate server certificate'.

For Further information about ACS Certificate Setup click this link.


nenad_2007 Thu, 11/06/2008 - 05:08


I already followed this procedure. All certificates are properly generated and installed. The problem was a bad configuration of the wireless card on my client device.


Under Wireless Network Connection Properties > Authentication > Smart Card or other Certificate > Properties, I checked 'Validate server certificate', and I also checked 'Connect to these servers:'.

But in the 'Connect to these servers:' field, I had written the name of my MS CA server instead of the name of my ACS 4.1 server.

When I write the address of the MS CA server in this field, everything works perfectly.

Of course, I have also checked the name of my MS CA in the Trusted Root Certification Authorities list.

Thank you for your response, 5.0 from me.
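The two supplicant checks this thread turns on, the root-CA trust check drolemc walks through and the 'Connect to these servers:' name match nenad_2007 found misconfigured, can be reproduced offline with openssl. The following is an added shell example, not code from the thread or from Cisco: it builds a throw-away lab PKI (a root CA standing in for the MS CA, a second unrelated root, and an ACS server certificate issued by the first root), then runs the chain check and the name check against it. The names LAB-ROOT-CA, OTHER-ROOT-CA, acs41.lab.example and mslabca.lab.example are constructed for the example, and openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce with openssl the two checks a
# Windows supplicant makes on the RADIUS (ACS) server certificate during EAP-TLS.
# Every name and file below is constructed for a throw-away lab PKI.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

ROOT_CN="LAB-ROOT-CA"          # stands in for the MS CA root (constructed)
OTHER_ROOT_CN="OTHER-ROOT-CA"  # an unrelated root a client might trust by mistake
ACS_CN="acs41.lab.example"     # name on the ACS server certificate (constructed)

# Build the lab PKI once: two self-signed roots and an ACS cert issued by ROOT_CN.
make_lab_pki() {
  [ -f "$WORK/acs.pem" ] && return 0
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$ROOT_CN" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1 || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$OTHER_ROOT_CN" \
    -keyout "$WORK/other-ca.key" -out "$WORK/other-ca.pem" >/dev/null 2>&1 || return 1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$ACS_CN" \
    -keyout "$WORK/acs.key" -out "$WORK/acs.csr" >/dev/null 2>&1 || return 1
  # A RADIUS server certificate used for EAP-TLS carries the Server Authentication EKU.
  printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$ACS_CN" > "$WORK/ext.cnf"
  openssl x509 -req -days 365 -in "$WORK/acs.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/ext.cnf" -out "$WORK/acs.pem" >/dev/null 2>&1
}

# 'Validate server certificate': does the ACS cert chain to the root the client has
# in its Trusted Root Certification Authorities store? Returns 0 if yes, non-zero if not.
check_chain() {
  trusted_root="$1"
  openssl verify -CAfile "$trusted_root" "$WORK/acs.pem" >/dev/null 2>&1
}

# 'Connect to these servers:': does the name on the ACS cert equal the name the client
# was configured to accept? Returns 0 on match, 1 on mismatch.
check_server_name() {
  expected="$1"
  subject_cn=$(openssl x509 -in "$WORK/acs.pem" -noout -subject -nameopt RFC2253 \
               | sed 's/.*CN=[ ]*//')
  [ "$subject_cn" = "$expected" ]
}

make_lab_pki || { echo "openssl not available or key generation failed"; exit 1; }

if check_chain "$WORK/ca.pem"; then
  echo "chain check, issuing root installed on client: OK"
fi
if ! check_chain "$WORK/other-ca.pem"; then
  echo "chain check, unrelated root installed on client: FAIL (client would send a fatal Bad Certificate alert)"
fi
if check_server_name "$ACS_CN"; then
  echo "name check against the ACS server name: OK"
fi
if ! check_server_name "mslabca.lab.example"; then
  echo "name check against the CA server name instead of the ACS name: FAIL"
fi
```

The second chain run is the situation drolemc's steps address: the client trusts some root, just not the one that issued the ACS certificate, so the handshake ends in the Bad Certificate alert seen in the capture. The second name run is the misconfiguration nenad_2007 describes: the name typed into 'Connect to these servers:' is compared against the name on the ACS certificate, so entering the CA server's name there does not match.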


