10-30-2009 03:37 AM - last edited on 03-25-2019 05:26 PM by ciscomoderator
Hi,
PEAP authentication fails with the error "EAP-TLS or PEAP authentication failed during SSL handshake".
In our wireless setup we have configured a SSID for WPA/WPA2 authentication with dot1x.
We are using ACS4.2 with Active directory for user and certificate authentication.
I have done the following configuration:
In ACS4.2 (on Windows2000 server):
1. Copied the following files to the \Certs directory:
• server.cer (server certificate)
• server.pvk (server certificate private key)
• ca.cer (CA certificate)
2. I have imported ca.cer by double-clicking it, into "Local Computer > Trusted Root Certification Authorities".
3. I have also installed server.cer under System Configuration > ACS Certificate Setup > Install ACS Certificate, using the option "Read certificate from file".
4. I have installed ca.cer under System Configuration > ACS Certificate Setup > ACS Certification Authority Setup.
5. I have selected "ca" in System Configuration > ACS Certificate Setup > Edit Certificate Trust List.
6. On Windows XP SP2 I have installed server.cer into "Local Computer > Trusted Root Certification Authorities".
Note: server.cer supports both Server Authentication and Client Authentication.
But I am not able to connect to wireless, and I can see the error "EAP-TLS or PEAP authentication failed during SSL handshake" in the ACS log.
Please help.
10-30-2009 05:56 AM
Hi Vivekanand,
Looks like we are using PEAP with MS-CHAPv2.
Could you please provide me the package.cab file from the ACS? To create it:
* Set the logging level under System Config => Service Control => Logging Level = FULL.
* Now try again and reproduce the error message in the failed attempt.
* Log on to the ACS server itself as the local administrator.
* Browse to the BIN directory in the ACS program directory.
* Run the program there called CSSupport and click NEXT.
* Only do these steps if we need more than today's logs:
  -- Put a check in both "Previous Logs" checkboxes.
  -- Select the number of days to go back.
* Click Next two times.
* When the Finish button appears, click it.
Now attach this file to your next post.
Also, please verify the settings once again as per the doc.
PEAP via ACS is here:
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml
HTH
JK
-Plz rate helpful posts-
11-03-2009 08:50 PM
Thanks for your support
11-03-2009 03:49 PM
You need to obtain a client-side certificate (machine and/or user).
1. A machine cert you can obtain automatically the first time your machine logs on to the AD domain. Auto-enrollment for computers must be turned on in the rules for the domain.
2. A user cert you can obtain through the CA web server interface or through the MMC console, in Local User > Personal > Certificates.
It looks like you have not successfully configured the Windows XP supplicant side.
11-03-2009 09:02 PM
Filip,
Thanks for your support.
11-04-2009 12:00 AM
Was it somewhat helpful?
11-04-2009 12:50 AM
Hi Filip,
In our setup we do not have a CA server.
We have purchased the digital certificate from a third-party CA.
So we have decided to implement PEAP without validating the server certificate on the client machine.
We have installed the certificate on the ACS server and have selected PEAP in global authentication. On the client we configured PEAP and have not selected the "Validate server certificate" option; authentication works fine.
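The checks behind this thread, as an added example that is not part of the original posts: a stand-alone Go program (standard library only) that builds a throwaway CA and server certificates and runs what a supplicant does when "Validate server certificate" is enabled, namely chain the server certificate to a trusted root (the ca.cer from step 5), match its name, and require the Server Authentication EKU (the property noted for server.cer). It also models the fix chosen in the last post: with validation off, a self-signed certificate for the same name, as a rogue access point would present, is accepted exactly like the genuine one, so an attacker can terminate the PEAP tunnel and see the MS-CHAPv2 exchange inside it. The CA name, the host name acs.example.local, serial numbers and all function names are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// ACSName is the assumed DNS name the ACS server certificate is issued to.
const ACSName = "acs.example.local"

func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// template builds a certificate template for name with the given extended key usages.
func template(name string, serial int64, eku ...x509.ExtKeyUsage) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku,
		BasicConstraintsValid: true,
	}
}

// sign issues tmpl under parent's key (self-signed when parent == tmpl) and parses the result.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// NewCA stands in for the third-party CA whose ca.cer the client is meant to trust (assumed name).
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := template("Example Root CA", 1)
	tmpl.IsCA, tmpl.DNSNames = true, nil
	tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// IssueServerCert stands in for server.cer: a leaf for name issued by the CA with the given EKUs.
func IssueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, name string, serial int64, eku ...x509.ExtKeyUsage) *x509.Certificate {
	key := newKey()
	return sign(template(name, serial, eku...), ca, &key.PublicKey, caKey)
}

// RogueServerCert is what an attacker's access point can present: a self-signed
// certificate for the same name that chains to nothing the client trusts.
func RogueServerCert(name string) *x509.Certificate {
	key := newKey()
	tmpl := template(name, 99, x509.ExtKeyUsageServerAuth)
	return sign(tmpl, tmpl, &key.PublicKey, key)
}

// SupplicantAccepts models the client-side PEAP setting. With validateServer on it requires
// a chain to a trusted root, a matching name and the Server Authentication EKU; with it off
// (the fix chosen in the thread) every server certificate is accepted. nil means accepted.
func SupplicantAccepts(server *x509.Certificate, roots *x509.CertPool, expectedName string, validateServer bool) error {
	if !validateServer {
		return nil
	}
	_, err := server.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   expectedName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Scenarios runs the cases from the thread against one constructed CA.
func Scenarios() map[string]error {
	ca, caKey := NewCA()
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	good := IssueServerCert(ca, caKey, ACSName, 2, x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth)
	clientOnly := IssueServerCert(ca, caKey, ACSName, 3, x509.ExtKeyUsageClientAuth)
	rogue := RogueServerCert(ACSName)
	return map[string]error{
		"trusted CA, serverAuth+clientAuth": SupplicantAccepts(good, roots, ACSName, true),
		"trusted CA, clientAuth only":       SupplicantAccepts(clientOnly, roots, ACSName, true),
		"trusted CA, wrong name":            SupplicantAccepts(good, roots, "other.example.local", true),
		"rogue self-signed, validate on":    SupplicantAccepts(rogue, roots, ACSName, true),
		"rogue self-signed, validate off":   SupplicantAccepts(rogue, roots, ACSName, false),
	}
}
```

Only the first scenario is accepted with validation on: a leaf lacking the Server Authentication EKU fails with IncompatibleUsage, a name mismatch fails the hostname check, and the rogue certificate fails with UnknownAuthorityError. The last scenario shows why the thread's workaround is risky: the same rogue certificate sails through once the client stops validating, so the purchased certificate and the ACS trust list no longer protect the user's credentials.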
11-04-2009 02:05 AM
The problem is resolved now, no need to post further replies.
Thanks for the support