06-24-2010 08:17 AM - edited 03-10-2019 05:13 PM
Hi Pros,
I am a newbie in ACS 4.2 and EAP-TLS implementation; with that being said, I face an issue during an EAP-TLS implementation. My search shows that this kind of error message is already a certificate issue; however, I have deleted and recreated the certificate in both ACS and the client with the same result. I have deleted and re-installed the cert chain as well.
When I check my log in the failed attempts, this is what I found:
| Date | Time | Message-Type | User-Name | Group-Name | Caller-ID | Network Access Profile Name | Authen-Failure-Code | Author-Failure-Code | Author-Data | NAS-Port | NAS-IP-Address | Filter Information | PEAP/EAP-FAST-Clear-Name | EAP Type | EAP Type Name | Reason | Access Device | Network Device Group |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 06/23/2010 | 17:39:51 | Authen failed | 000e.9b6e.e834 | Default Group | 000e.9b6e.e834 | (Default) | EAP-TLS or PEAP authentication failed during SSL handshake | .. | .. | 1101 | 10.111.22.24 | .. | .. | 25 | MS-PEAP | .. | wbr-1121-zozo-test | Office Networ |
| 06/23/2010 | 17:39:50 | Authen failed | groszozo@xxx.com | Default Group | 000e.9b6e.e834 | (Default) | EAP-TLS or PEAP authentication failed during SSL handshake | .. | .. | 1098 | 10.111.22.24 | .. | .. | 25 | MS-PEAP | .. | wbr-1121-zozo-test | Office Network |
1. Why under EAP Type does it show MS-PEAP, not EAP-TLS? I did configure EAP-TLS....
2. Why does it sometimes just show the MAC of the client as the username?
3. Why does it put me in Default Group even though I belong to a group that is well defined in the ACS?
Secondly, when I check the passed authentications, this is what I saw:
| Date | Time | Message-Type | User-Name | Group-Name | Caller-ID | NAS-Port | NAS-IP-Address | Network Access Profile Name | Shared RAC | Downloadable ACL | System-Posture-Token | Application-Posture-Token | Reason | EAP Type | EAP Type Name | PEAP/EAP-FAST-Clear-Name | Access Device | Network Device Group |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 06/23/2010 | 17:30:49 | Authen OK | groszozo | NOC Tier 2 | 10.11.10.105 | 1 | 10.111.22.24 | (Default) | .. | .. | .. | .. | .. | .. | .. | .. | wbr-1121-zozo-test | Office Network |
| 06/23/2010 | 17:29:27 | Authen OK | groszozo | NOC Tier 2 | 10.11.10.105 | 1 | 10.111.22.24 | (Default) | .. | .. | .. | .. | .. | .. | .. | .. | wbr-1121-zozo-test | Office Network |
In the output above, it says that the user is authenticated and it puts the user in the right group with the right username, but the user never really authenticates. Maybe for the first few seconds when I initiate the connection.
Before I forget, the supplicant is using Windows XP and 802.1X is enabled. I even unchecked "verify the server", and in the ACS under External User Databases I did check "Enable EAP-TLS machine authentication".
Thanks in advance for your help,
Crazy---
06-29-2010 09:48 AM
Any ideas on this, guys? On my end, I've been reading some docs... Things started to make sense to me, but I still cannot authenticate; still the same errors. One more thing that catches my attention now is the time it takes to open a telnet session to a Cisco device which has the ACS as its auth server.
My AD (Active Directory) and the ACS server are local on the same subnet (server subnet). A ping to the ACS from my desktop, which is in a different subnet, takes only 1 ms. To confirm that the issue is the ACS server, I decided to use another server in a remote location; the telnet connection is way faster than to the local ACS.
Let's brainstorm together to figure this out, guys.
Thanks in advance,
----Paul
11-14-2010 09:35 PM
Hi Paul,
We have had the same issue as what you had faced. Our problem was that the ACS Certificate was expired.
You might want to confirm this on your ACS server: System Configuration --> ACS Certificate Setup --> Install ACS Certificate.
This should show whether your ACS certs are expired, OK, or not installed.
Hope this helps
Cheers
Karl
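The check Karl describes can also be done on the certificate file itself, which is handy when you want to catch the expiry before it takes the handshake down. The following is an added example, not code from this thread or from Cisco: a stdlib-only Python script that walks the DER structure of an X.509 certificate, pulls out the Validity field and reports whether the certificate is expired, about to expire, or fine. The `make_sample_cert()` function builds a constructed certificate skeleton (valid outer layout, empty names, no real key or signature) purely so the script runs offline; the file path and warning threshold are assumptions.

```python
"""Report expiry status of an X.509 certificate, e.g. the server certificate an
ACS uses for EAP-TLS/PEAP. Added example (not from the thread or from Cisco):
a minimal DER walker that reads only the Validity field of a standard
certificate layout. Python 3 standard library only."""
import base64
from datetime import datetime, timezone

UTC_TIME, GENERALIZED_TIME = 0x17, 0x18


def der_len(n):
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der(tag, content):
    """Wrap content in a DER TLV with the given tag byte."""
    return bytes([tag]) + der_len(len(content)) + content


def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def children(content):
    """Split a constructed DER value into its (tag, content) elements."""
    out, pos = [], 0
    while pos < len(content):
        tag, inner, pos = read_tlv(content, pos)
        out.append((tag, inner))
    return out


def parse_time(tag, raw):
    """Decode UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    s = raw.decode("ascii")
    if tag == UTC_TIME:                    # two-digit year, RFC 5280 4.1.2.5.1
        year = int(s[:2])
        year += 1900 if year >= 50 else 2000
        s = str(year) + s[2:]
    elif tag != GENERALIZED_TIME:
        raise ValueError("not a Time tag: 0x%02x" % tag)
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def cert_validity(cert_der):
    """Return (not_before, not_after) from a DER-encoded certificate."""
    tag, cert, _ = read_tlv(cert_der, 0)
    tbs_tag, tbs, _ = read_tlv(cert, 0)
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a Certificate SEQUENCE")
    fields = children(tbs)
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, spki, ...
    not_before, not_after = children(fields[3][1])
    return parse_time(*not_before), parse_time(*not_after)


def check_cert(cert_der, now, warn_days=30):
    """Return (status, days_left): not_yet_valid / expired / expiring / ok."""
    not_before, not_after = cert_validity(cert_der)
    days_left = (not_after - now).days
    if now < not_before:
        return "not_yet_valid", days_left
    if now >= not_after:
        return "expired", days_left
    if days_left <= warn_days:
        return "expiring", days_left
    return "ok", days_left


def load_cert(path):
    """Read a certificate file; PEM is base64-decoded, DER is returned as-is."""
    data = open(path, "rb").read()
    if b"-----BEGIN" in data:
        body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        data = base64.b64decode(body)
    return data


def make_sample_cert(not_before, not_after):
    """Constructed certificate skeleton (not a real ACS cert): empty Names,
    placeholder key and signature; enough for cert_validity() to parse."""
    def utc_time(dt):
        return der(UTC_TIME, dt.strftime("%y%m%d%H%M%SZ").encode())
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSA
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02")) +              # version v3
              der(0x02, b"\x01") +                          # serialNumber
              sig_alg +                                     # signature
              der(0x30, b"") +                              # issuer (empty Name)
              der(0x30, utc_time(not_before) + utc_time(not_after)) +
              der(0x30, b"") +                              # subject (empty Name)
              der(0x30, b""))                               # subjectPublicKeyInfo placeholder
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00"))


if __name__ == "__main__":
    # Constructed cert that lapsed on 2010-06-01, checked at the thread's failure time.
    utc = timezone.utc
    sample = make_sample_cert(datetime(2009, 6, 1, tzinfo=utc), datetime(2010, 6, 1, tzinfo=utc))
    print(check_cert(sample, datetime(2010, 6, 23, 17, 39, 51, tzinfo=utc)))
    # For a real file: print(check_cert(load_cert("acs-server.cer"), datetime.now(utc)))
```

Run it against the exported ACS server certificate (assumed path `acs-server.cer`) from a scheduled job and alert on anything other than `ok`; the 30-day threshold is only a default.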
08-12-2014 07:49 AM
Necro'ing an old thread.
Had this issue today; it took down corp wireless. Sure enough, the cert was expired.
08-12-2014 02:33 PM
Always set up a reminder for those :)
12-09-2014 06:20 AM
Had the same issue. Certificate expired.
Thank you