PEAP Machine Authentication fails

Unanswered Question
Jul 21st, 2009
User Badges:

Hi All

I am using PEAP with the following setup

WLC 4404

ACS Solutions Engine 4.01 (self signed cert)

Windows AD database.

PEAP user authentication works fine.

The issue is, I need to only allow machines which are in AD as such I have configued Machine authentication.

However this is failing with the below log.

host/ Authen failed EAP-TLS or PEAP authentication failed during SSL handshake

I have configured the ACS for PEAP machine auth in all required places and on the client. I have read lots of info saying I need to configure AD to allow Machine Authentications, and cert auto enrollment etc.., is this the case and if so whats the easiest way to do it?

Thanks in advance


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
colin.lynch Tue, 07/21/2009 - 12:57
User Badges:

May have made some progress, as far as I can tell as long as the ACS cert is copied to the client and put in the Local Computer store. That I believe should be enough.

I think when I installed the ACS cert on the client I went with the default which is NOT the Local Computer store.

(This is not the same as installing an idependant cert on the client, but rather just the Local machine, trusting the ACS)

Thats my thoughts anyway, I'll give it a try tomorrow.

colin.lynch Wed, 07/22/2009 - 01:21
User Badges:


Logged into the laptop as a local admin and imported the ACS self signed cert in to: Physical Store: Trusted Root Cert Auths>Local Computer.

This had the effect that my Machine Auth now no longer fails with the SSL error but now fails with "External DB user invalid or bad password"

Unknown user policy is working as Domain user authentication is still working fine.

Anyone got any ideas?

Roman Rodichev Wed, 07/22/2009 - 05:49
User Badges:
  • Gold, 750 points or more

What username do you see in that "External DB User invalid" error in Failed Attempts log? Maybe it's "CN="?

colin.lynch Tue, 07/28/2009 - 03:31
User Badges:

username in failure log is host/FQDM

ie host/laptop.x.x

pandapritam Tue, 08/04/2009 - 02:35
User Badges:

Hi colin,

will u able to solve the problem if yes then can you share the solution among us

colin.lynch Tue, 08/04/2009 - 02:43
User Badges:

Hi Yes

Did solve the problem, in my case I just loaded the Agent on another server and all Machine Auth is now working perfectly and all login scripts etc run ok. So it must have been an issue between the Agent and the server which happened to be a DC. Another company had tried getting this working before and failed so I suspect they messed around with the Agent privilages on the DC.

I have drawn up a diagram showing all PEAP components end to end and what needs to be configured and how. If you want a copy let me know ur E-mail address.




This Discussion



Trending Topics - Security & Network