WLC to ACS v5 to AD - PEAP Handshake Failed

Answered Question
Feb 26th, 2010

Hi

I have a Cisco WLC talking to an ACS 4400 version 5.1 which in turn talks to Active Directory.

I've been trying to get 802.1x for wireless clients going. I have a cert on the ACS from VeriSign on the box, but when users try to sign in they get "12309 PEAP handshake failed" in the ACS RADIUS log.

The cert was exported and placed directly on the testing laptop and at one point it all worked. I stepped away from it for 2 weeks to get a new internal CA built on a Windows box. Now, coming back to it with the intent of issuing new certs to the ACS from the internal CA, I thought I would check it to make sure all was good, but it's not.

Google doesn't return happy results for "12309 PEAP handshake failed". I opened a TAC case on it and they took my cert to their lab. Haven't heard back. I was wondering if the NetPro community had any ideas.

e-

Correct Answer
jedubois Fri, 02/26/2010 - 13:42

Eric,

Clients need to verify that they trust the certificate installed on ACS. Make sure you install the CA certificate from your internal CA onto your laptop. A good way to tell if this is the issue is to uncheck the "verify server certificate" checkbox on your client and see if it still fails.

--Jesse

Anonymous (not verified) Fri, 02/26/2010 - 13:46

Yeah, that's what I thought, and that's what TAC said too.

We removed "verify" on the supplicant, and tested with the cert from the internal CA and one from VeriSign. Both reside on the laptop. In both cases a "12309 PEAP handshake failed" error shows up in the RADIUS log.

I'm lost as to the cause.

e-

Correct Answer
jedubois Fri, 02/26/2010 - 13:56

Are you authenticating a user or a machine when this error is seen?

--Jesse

Anonymous (not verified) Fri, 02/26/2010 - 13:58

It should be user.

The WLC defers to ACS for a user based on AD security group membership, and the supplicant (when the option is cleared) asks for a user name and password.

Correct Answer
jedubois Fri, 02/26/2010 - 14:04

Eric,

Try to authenticate to an internal ACS user and see if you have the same problem. If that works then you at least have it narrowed down to ACS/AD communication and can concentrate on that in the TAC case. Unfortunately I have not seen the exact error you are running into.

--Jesse

don.click1 Wed, 04/04/2012 - 07:06

Any progress on this one? I am getting a similar error, but between my controllers and Cisco ISE (still using RADIUS).

Jaaazman777 Mon, 11/24/2014 - 05:16

Hello!

We have a similar problem.

The WLC uses ACS as a RADIUS server to authenticate AD users with PEAP/MSCHAPv2.

The ACS certificate is issued by GeoTrust.

After GeoTrust reissued the CRL, wifi users stopped being authenticated, with the error "12309 PEAP handshake failed" on the ACS.
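Two of the causes raised in this thread can be reproduced on a workstation: a supplicant that does not have the CA that issued the RADIUS server's certificate (the "verify server certificate" check Jesse describes) and a CRL that is no longer current (the GeoTrust case). The script below is an added example, not code from the thread, from Cisco or from any of the posters. It assumes only the openssl command-line tool and builds a throwaway PKI in a temp directory; every name in it (the "Demo Internal CA", the server name acs.example.test, the file names) is constructed for the demo and matches no real deployment. The check function mirrors what a supplicant does with the server certificate it receives inside the PEAP TLS handshake, and the third case goes slightly beyond the thread by showing the CRL expiry failure explicitly.

```shell
#!/bin/sh
# Added example (not from the thread). Reproduces with the openssl CLI the two
# checks a PEAP supplicant applies to the RADIUS server certificate when
# "verify server certificate" is on: does it chain to a CA the client trusts,
# and, if revocation checking is enabled, is the CRL current and clean.
# Assumptions: openssl CLI on PATH; every name and path below is constructed.

# build_demo_pki DIR : constructs ca.pem (demo internal CA), other-ca.pem
# (an unrelated CA), server.pem (RADIUS server cert signed by ca.pem) and
# crl.pem (CRL from ca.pem, valid for one day) inside DIR.
build_demo_pki() (
  mkdir -p "$1" && cd "$1" || exit 1
  cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder-overridden-by-subj
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_srv ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:acs.example.test
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = ./index.txt
serial = ./serial
new_certs_dir = .
private_key = ./ca.key
certificate = ./ca.pem
default_md = sha256
default_crl_days = 1
policy = demo_policy
[ demo_policy ]
commonName = supplied
EOF
  # Two self-signed CAs: the one that issues the server cert, and an unrelated one
  for ca in "ca:/CN=Demo Internal CA" "other-ca:/CN=Unrelated Demo CA"; do
    openssl req -x509 -config demo.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
      -keyout "${ca%%:*}.key" -out "${ca%%:*}.pem" -subj "${ca#*:}" -days 3650 \
      >/dev/null 2>&1 || exit 1
  done
  # Server key + CSR, signed by the demo CA with serverAuth EKU and a SAN
  openssl req -new -config demo.cnf -newkey rsa:2048 -nodes -keyout server.key \
    -out server.csr -subj "/CN=acs.example.test" >/dev/null 2>&1 || exit 1
  openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -extfile demo.cnf -extensions v3_srv -days 365 -out server.pem \
    >/dev/null 2>&1 || exit 1
  : > index.txt            # an empty issued-cert database is enough for -gencrl
  echo 01 > serial
  openssl ca -config demo.cnf -gencrl -crldays 1 -out crl.pem >/dev/null 2>&1 || exit 1
)

# check_eap_server_cert SERVER_PEM CA_PEM [CRL_PEM] [EPOCH]
# The supplicant's view: verify SERVER_PEM against the CA the client trusts
# (CA_PEM), optionally enforcing CRL_PEM, optionally "as of" EPOCH seconds.
# Returns 0 if the cert would be accepted, 1 otherwise (reason on stdout).
check_eap_server_cert() {
  cert=$1; trust=$2; crl=$3; at=$4
  set -- -CAfile "$trust"
  [ -n "$crl" ] && set -- "$@" -crl_check -CRLfile "$crl"
  [ -n "$at" ] && set -- "$@" -attime "$at"
  if out=$(openssl verify "$@" "$cert" 2>&1); then
    echo "accepted: $cert"
    return 0
  fi
  echo "rejected: $(printf '%s\n' "$out" | sed -n '/^error/{p;q;}')"
  return 1
}

# Stand-alone walk-through of the situations discussed in the thread.
demo() {
  d=$(mktemp -d) || return 1
  build_demo_pki "$d" || { echo "demo PKI build failed"; return 1; }
  later=$(( $(date +%s) + 2 * 86400 ))   # two days on: the one-day CRL is stale
  echo "1) client trusts the issuing CA, CRL fresh:"
  check_eap_server_cert "$d/server.pem" "$d/ca.pem" "$d/crl.pem"
  echo "2) client lacks the issuing CA (only an unrelated CA installed):"
  check_eap_server_cert "$d/server.pem" "$d/other-ca.pem" || :
  echo "3) same trust, but the CRL has passed its nextUpdate:"
  check_eap_server_cert "$d/server.pem" "$d/ca.pem" "$d/crl.pem" "$later" || :
  rm -rf "$d"
}
demo
```

Case 2 is the situation Jesse describes: the server certificate is fine, the client simply has no CA it can chain it to, so unticking "verify server certificate" makes the failure disappear. Case 3 is the GeoTrust situation: the trust is in place, but a client that enforces revocation and holds a CRL past its nextUpdate (or cannot fetch the reissued one) rejects the same certificate, and on the ACS side that still surfaces only as a handshake failure. Checking the CRL's nextUpdate and the client's cached copy is therefore worth doing before touching the server certificate itself.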
