EAP-TLS or PEAP authentication failed during SSL handshake

Unanswered Question
Jun 24th, 2010

Hi Pros,

I am a newbie to ACS 4.2 and EAP-TLS implementation; with that being said, I face an issue during an EAP-TLS implementation. My search shows that this kind of error message is a certificate issue; however, I have deleted and recreated the certificate on both the ACS and the client with the same result. I have deleted and reinstalled the cert chain as well.

When I check my log in the failed attempts, here is what I found:

Date Time | Message-Type | User-Name | Group-Name | Caller-ID | Network Access Profile Name | Authen-Failure-Code | Author-Failure-Code | Author-Data | NAS-Port | NAS-IP-Address | Filter Information | PEAP/EAP-FAST-Clear-Name | EAP Type | EAP Type Name | Reason | Access Device | Network Device Group
06/23/2010 17:39:51 | Authen failed | 000e.9b6e.e834 | Default Group | 000e.9b6e.e834 | (Default) | EAP-TLS or PEAP authentication failed during SSL handshake | | | 1101 | 10.111.22.24 | | | 25 | MS-PEAP | | wbr-1121-zozo-test | Office Networ

06/23/2010 17:39:50 | Authen failed | [email protected] | Default Group | 000e.9b6e.e834 | (Default) | EAP-TLS or PEAP authentication failed during SSL handshake | | | 1098 | 10.111.22.24 | | | 25 | MS-PEAP | | wbr-1121-zozo-test | Office Network

[email protected] = my Windows Active Directory name

1. Why, under EAP Type, does it show MS-PEAP and not EAP-TLS? I did configure EAP-TLS.

2. Why does it sometimes just show the MAC of the client as the username?

3. Why does it put me in DEFAULT-GROUP even though I belong to a group that is well defined in the ACS?

2. Secondly, when I check the passed authentications, here is what I saw:

Date Time | Message-Type | User-Name | Group-Name | Caller-ID | NAS-Port | NAS-IP-Address | Network Access Profile Name | Shared RAC | Downloadable ACL | System-Posture-Token | Application-Posture-Token | Reason | EAP Type | EAP Type Name | PEAP/EAP-FAST-Clear-Name | Access Device | Network Device Group
06/23/2010 17:30:49 | Authen OK | groszozo | NOC Tier Network
06/23/2010 17:29:27 | Authen OK | groszozo | NOC Tier Network

In the output below, it says that the user is authenticated and it puts the user in the right group with the right username, but the user never really authenticates. Maybe for the first few seconds when I initiate the connection.

Before I forget, the supplicant is using Windows XP and 802.1X is enabled. I even unchecked not verifying the server, and on the ACS under External User Databases I did check ENABLE EAP-TLS machine authentication.

Thanks in advance for your help,


Jean Paul Enerst Tue, 06/29/2010 - 09:48

Any ideas on this, guys? On my end, I've been reading some docs. Things started to make sense to me, but I still cannot authenticate; still the same errors. One more thing that caught my attention now is the time it takes to open a telnet session to a Cisco device which has the ACS as its auth server.

My AD (Active Directory) and the ACS server are local on the same subnet (server subnet). A ping to the ACS from my desktop, which is in a different subnet, only takes 1 ms. To confirm that the issue is the ACS server, I decided to use another server in a remote location; the telnet connection is way faster than to the local ACS.

Let's brainstorm together to figure this out, guys.

Thanks in advance,


khadlos27 Sun, 11/14/2010 - 21:35

Hi Paul,

We have had the same issue as what you had faced. Our problem was that the ACS Certificate was expired.

You might want to confirm this on your ACS server: System Configuration --> ACS Certificate Setup --> Install ACS Certificate.

This should show whether your ACS certs are expired, OK, or not installed.

Hope this helps



brandonreddish Tue, 08/12/2014 - 07:49

Necro'ing an old thread.

Had this issue today; it took down corporate wireless. Sure enough, the cert was expired.
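The two checks this thread converges on, as an added example that is not from the thread or from Cisco ACS: parse Failed Attempts rows in the layout pasted above to see which EAP method produced the SSL-handshake failure (the EAP Type number answers question 1: 25 is PEAP, 13 is EAP-TLS), and compute days to expiry of the ACS server certificate from the output of `openssl x509 -noout -enddate -in <exported ACS cert>.pem`. The sample rows, the user name jdoe@corp.example and the notAfter date in the test are constructed.

```python
"""Triage helpers for the ACS 4.2 'failed during SSL handshake' symptom."""
import ssl
import time

# Column order of the ACS 4.2 Failed Attempts report as pasted in the thread.
FAILED_COLUMNS = [
    "Date Time", "Message-Type", "User-Name", "Group-Name", "Caller-ID",
    "Network Access Profile Name", "Authen-Failure-Code", "Author-Failure-Code",
    "Author-Data", "NAS-Port", "NAS-IP-Address", "Filter Information",
    "PEAP/EAP-FAST-Clear-Name", "EAP Type", "EAP Type Name", "Reason",
    "Access Device", "Network Device Group"]
# IANA EAP method type numbers ACS writes into the "EAP Type" column.
EAP_TYPES = {"13": "EAP-TLS", "25": "PEAP", "26": "EAP-MSCHAPv2", "43": "EAP-FAST"}
HANDSHAKE_FAIL = "EAP-TLS or PEAP authentication failed during SSL handshake"

# Constructed rows modelled on the thread's paste: '|' separates columns and
# an empty field stands for the '..' in the original export.
SAMPLE_FAILED = """\
06/23/2010 17:39:51 | Authen failed | 000e.9b6e.e834 | Default Group | 000e.9b6e.e834 | (Default) | EAP-TLS or PEAP authentication failed during SSL handshake | | | 1101 | 10.111.22.24 | | | 25 | MS-PEAP | | wbr-1121-zozo-test | Office Network
06/23/2010 17:39:50 | Authen failed | jdoe@corp.example | Default Group | 000e.9b6e.e834 | (Default) | EAP-TLS or PEAP authentication failed during SSL handshake | | | 1098 | 10.111.22.24 | | | 25 | MS-PEAP | | wbr-1121-zozo-test | Office Network
"""

def parse_failed_rows(text):
    """Split '|'-separated report rows into dicts keyed by FAILED_COLUMNS."""
    rows = []
    for line in text.strip().splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != len(FAILED_COLUMNS):
            raise ValueError("expected %d fields, got %d" % (len(FAILED_COLUMNS), len(fields)))
        rows.append(dict(zip(FAILED_COLUMNS, fields)))
    return rows

def triage(rows):
    """Return (number of handshake failures, sorted EAP method names seen in them).
    A server-side cert problem fails every method that needs the TLS tunnel."""
    hits = [r for r in rows if r["Authen-Failure-Code"] == HANDSHAKE_FAIL]
    methods = sorted({EAP_TYPES.get(r["EAP Type"], "type " + r["EAP Type"]) for r in hits})
    return len(hits), methods

def cert_days_left(enddate_line, now=None):
    """Days until expiry from an 'openssl x509 -noout -enddate' output line such as
    'notAfter=Jun 24 00:00:00 2010 GMT'; a negative result means already expired."""
    not_after = ssl.cert_time_to_seconds(enddate_line.split("=", 1)[1].strip())
    return (not_after - (time.time() if now is None else now)) / 86400.0

if __name__ == "__main__":
    count, methods = triage(parse_failed_rows(SAMPLE_FAILED))
    print("%d handshake failures via %s" % (count, ", ".join(methods)))
```

Feed `cert_days_left` the enddate line from the exported ACS server certificate; anything at or below zero is the expired-certificate case the replies above describe.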

