PEAP authentication fails

Hi,

PEAP authentication fails with the error "EAP-TLS or PEAP authentication failed during SSL handshake".

In our wireless setup we have configured a SSID for WPA/WPA2 authentication with dot1x.

We are using ACS4.2 with Active directory for user and certificate authentication.

I have done the following configuration:

In ACS4.2 (on Windows2000 server):

1. Copied the following files to the \Certs directory:

•server.cer (server certificate)

•server.pvk (server certificate private key)

•ca.cer (CA certificate)

2. I have imported ca.cer by double clicking it, in "Local Computer" under "Trusted Root Certification Authority".

3. Also I have installed server.cer under System Configuration -> ACS Certificate Setup -> Install ACS Certificate, using the option "Read certificate from file".

4. I have installed ca.cer under System Configuration > ACS Certificate Setup > ACS Certification Authority Setup

5. I have selected "ca" in System Configuration > ACS Certificate Setup > Edit Certificate Trust List

6. On Windows XP SP2 I have installed server.cer in "Local Computer" under "Trusted Root Certification Authority".

Note: server.cer supports both server authentication and client authentication.

But I am not able to connect to wireless, and I can see the error "EAP-TLS or PEAP authentication failed during SSL handshake" in the ACS log.

Please help.
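A check of the two certificate files the post installs (that server.cer chains to ca.cer, and that it carries the serverAuth EKU the post says it has), added here as an example and not part of the thread. It assumes the openssl command line tool and builds a constructed CA and a constructed server certificate for the hypothetical name acs.example.test in place of the real files; it also shows that server.cer by itself, as installed on the client in step 6, does not act as a trust anchor for itself.

```shell
#!/bin/sh
# Added example (not from the thread): check a server.cer / ca.cer pair of the
# kind the post installs into ACS before relying on it for PEAP.
# Assumes the openssl command line tool. The CA and server certificate built
# below are constructed test data standing in for the real files.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
# Constructed test CA (plays the role of the CA behind ca.cer).
cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Constructed Test CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.cer" 2>/dev/null
# Constructed server certificate with the two EKUs the post notes.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=acs.example.test" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
printf 'extendedKeyUsage = serverAuth, clientAuth\n' > "$WORK/srv.ext"
openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/ca.cer" \
  -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/srv.ext" \
  -out "$WORK/server.cer" 2>/dev/null

# check_server_cert TRUST_ANCHOR_FILE SERVER_CERT_FILE
# Prints "ok" when the server certificate chains to the trust anchor and
# carries the serverAuth EKU; otherwise prints the reason and returns 1.
check_server_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 \
    || { echo "chain: $2 does not verify against trust anchor $1"; return 1; }
  openssl x509 -in "$2" -noout -text 2>/dev/null \
    | grep -q 'TLS Web Server Authentication' \
    || { echo "eku: serverAuth missing; a validating supplicant rejects it"; return 1; }
  echo ok
}

# Correct pairing: the CA certificate is the anchor for the server certificate.
check_server_cert "$WORK/ca.cer" "$WORK/server.cer"
# What step 6 of the post does on the client: the server certificate as its own
# anchor. It is not self-signed, so chain building fails (no issuer found).
check_server_cert "$WORK/server.cer" "$WORK/server.cer" || true
```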

7 Replies

Jatin Katyal
Cisco Employee

Hi Vivekanand,

Looks like we are using PEAP with MSchapv2.

Could you please provide me the package.cab file from the ACS? In order to create this:

* Set the logging level under System Config => Service Control => logging level = FULL.

* Now try again and reproduce the error message in the failed attempt.

* Log onto the ACS server itself as the local administrator.

* Browse to the BIN directory in the ACS program directory.

* Run the program there called CSSupport and Click NEXT.

* Only do these steps if we need more than today's logs:

-- Put a check in both "Previous Logs" checkboxes.

-- Select the number of days to go back.

- Click Next two times.

- When the Finish button appears, click it.

Now attach this file in your next post.

# Also, please verify the setting as per the doc once again.

PEAP via ACS is here:

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml

HTH

JK

-Plz rate helpful posts-

~Jatin

Thanks for your support

Filip Po
Level 1

You need to obtain a client side certificate (machine and/or user).

1. A machine cert you could obtain automatically when your machine first logs on to the AD domain. There must be Auto Enrollment for Computer turned on in the rules for the domain.

2. A user cert you could obtain through the CA web server interface or through the MMC console in Local User Personal Certificates.

It looks like you have not successfully configured the Windows XP supplicant side.

Filip,

Thanks for your support.

Was it somewhat helpful?

Hi Filip,

In our setup we do not have a CA server.

We have purchased the digital certificate from a third party CA.

So we have decided to implement PEAP without validating the server certificate on the client machine.

We have installed the certificate on the ACS server and have selected PEAP in global authentication. On the client we configured PEAP, and have not selected the validate server certificate option; authentication works fine.

Problem is resolved now, no need to post further replies.

Thanks for the support
