PEAP works with Windows zero but not with CSSC

Unanswered Question
Sep 22nd, 2010

I got PEAP to work using the Windows zero config but I cannot get PEAP to work when using CSSC on the same laptop.


When using CSSC I get asked for the password and authentication fails.  ACS is reporting PEAP authentication failed due to unknown CA certificate during SSL handshake.


Any suggestions?


Seth

George Stefanick Wed, 09/22/2010 - 07:50

Let me ask. It sounds like you are validating the cert on the CSSC.


Are you NOT validating the certificate on ZeroCFG and perhaps you have VALIDATE certificate on CSSC?


What this means is ... The RADIUS server presents the certificate to the wireless client. This is used to build a TLS tunnel whereby the client will pass its logon and password. If your client validates this cert and the cert isn't in the client store you will get an error msg like that you have there..


If your client DOESN'T validate the cert, it simply accepts whatever cert it is presented, builds the tunnel and passes the goods...

srosenthal Wed, 09/22/2010 - 08:07

I am trying to use CSSC and PEAP with server validation.


When I use Windows zero config and I am checking the box to validate server certificate and then checking the box next to the certificate that I have successfully installed on my laptop.


I am using the CSSC management utility to configure the WLAN.


If I uncheck validate server identity then try to connect via the CSSC client it works.  But if I check the box to validate server identity then it fails.  I also have CSSC set Trust any root CA installed on the OS.  Which I assume means my pc.


I understand how PEAP works, I am just trying to get it to work with CSSC and validate the server identity via the cert.


Seth

George Stefanick Wed, 09/22/2010 - 08:19

Look at this ....





Server Validation

The Personal stores are not used for server validation.

When the configuration specifies validateChainWithAnyCaFromOs, the certificate must be installed in the Local Computer\Trusted Root store.

Any Root CA certificate included in the configuration is ignored and the configuration is translated to validateChainWithAnyCaFromOs. The Root CA certification must be installed by some other means.

The certificate store is limited to Local Computer during machine authentication and user authentications when the connection is attempted before Windows logon.


http://www.cisco.com/en/US/docs/wireless/wlan_adapter/secure_client/5.1.1/administration/guide/C2_SetupSSC.html
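
The store requirement quoted above can be checked from the client side. The following PowerShell sketch is an added example, not part of the original posts or of Cisco's documentation: it builds the chain for the RADIUS server's certificate and reports which store holds the certificate at the top of that chain. `$ServerCertPath` is a hypothetical path to the ACS server certificate exported as a .cer file.

```powershell
# Added example. Assumption: $ServerCertPath points at the RADIUS (ACS) server
# certificate exported to a .cer file; the path is supplied by whoever runs this.
param(
    [Parameter(Mandatory = $true)]
    [string] $ServerCertPath
)

$x509 = 'System.Security.Cryptography.X509Certificates'
$serverCert = New-Object "$x509.X509Certificate2" $ServerCertPath

# Build the chain without revocation checks; only the issuer path matters here.
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($serverCert)

# The last chain element is the highest certificate Windows could find.
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
Write-Output "Server cert : $($serverCert.Subject)"
Write-Output "Top of chain: $($top.Subject)  (expires $($top.NotAfter))"
Write-Output "Chain valid for this user context: $built"

# A root is self-signed. Anything else means the issuing CA is missing from
# every store, so the chain stops short of a root.
if ($top.Subject -ne $top.Issuer) {
    Write-Output "Chain is incomplete: no certificate found for issuer '$($top.Issuer)'."
}

# Per the quoted guide, server validation needs the root in
# Local Computer\Trusted Root; the Personal stores are not used.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root', 'Cert:\CurrentUser\My'
foreach ($store in $stores) {
    $hit = Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $top.Thumbprint }
    Write-Output ("{0,-24} {1}" -f $store, $(if ($hit) { 'present' } else { 'absent' }))
}

$inMachineRoot = Get-ChildItem 'Cert:\LocalMachine\Root' |
    Where-Object { $_.Thumbprint -eq $top.Thumbprint }
if (-not $inMachineRoot) {
    Write-Output 'Root is not in Local Computer\Trusted Root.'
}
```

If the subject printed as the top of the chain is not the CA certificate that was installed by hand, the installed certificate is not the one that issued the server's certificate.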


srosenthal Thu, 09/23/2010 - 06:12

George,


Thank you for the help and the link to the document.


However, I am still not having success.


I have the certificate stored in Local Computer\Trusted Root store.


I also tested the config using my Cisco a/b/g card with the Cisco client utility and PEAP works, just not with CSSC.


Seth
