02-26-2010 01:14 PM - edited 03-10-2019 04:58 PM
Hi
I have a Cisco WLC talking to an ACS 4400 version 5.1, which in turn talks to Active Directory.
I've been trying to get 802.1x for wireless clients going. I have a cert on the ACS from Verisign on the box, but when users try to sign in they get "12309 PEAP handshake failed" in the ACS RADIUS log.
The cert was exported and placed directly on the testing laptop, and at one point it all worked. I stepped away from it for 2 weeks to get a new internal CA built on a Windows box. Now, coming back to it with the intent of issuing new certs to the ACS from the internal CA, I thought I would check it to make sure all was good, but it's not.
Google doesn't return happy results for "12309 PEAP handshake failed". I opened a TAC case on it and they took my cert to their lab. Haven't heard back. I was wondering if the NetPro community had any ideas.
e-
02-26-2010 01:42 PM
Eric,
Clients need to verify that they trust the certificate installed on ACS. Make sure you install
the CA certificate from your internal CA onto your laptop. A good way to tell if this is the issue
is to uncheck the "verify server certificate" checkbox on your client and see if it still fails.
--Jesse
02-26-2010 01:46 PM
Yeah, that's what I thought, and that's what TAC said too.
We removed "verify" on the supplicant, and tested with the cert from the internal CA and one from Verisign. Both reside on the laptop. In both cases a "12309 PEAP handshake failed" error shows up in the RADIUS log.
I'm lost as to the cause.
e-
02-26-2010 01:56 PM
Are you authenticating a user or a machine when this error is seen?
--Jesse
02-26-2010 01:58 PM
It should be user.
The WLC defers to ACS for a user based on AD security group membership, and the supplicant (when the option is cleared) asks for a user name and password.
02-26-2010 02:04 PM
Eric,
Try to authenticate to an internal ACS user and see if you have the same problem.
If that works then you at least have it narrowed down to ACS/AD communication and
can concentrate on that in the TAC case. Unfortunately I have not seen the exact error
you are running into.
--Jesse
04-04-2012 07:06 AM
Any progress on this one? I am getting a similar error, but between my controllers and Cisco ISE (still using RADIUS).
11-24-2014 05:16 AM
Hello!
We have a similar problem.
The WLC uses ACS as a RADIUS server to authenticate AD users with PEAP/MSCHAPv2.
The ACS certificate is issued by GeoTrust.
After GeoTrust reissued its CRL, Wi-Fi users stopped being authenticated, with the error "12309 PEAP handshake failed" on the ACS.