09-22-2010 06:32 AM - edited 07-03-2021 07:12 PM
I got PEAP to work using the Windows Zero Config but I cannot get PEAP to work when using CSSC on the same laptop.
When using CSSC I get asked for the password and authentication fails. ACS is reporting PEAP authentication failed due to unknown CA certificate during SSL handshake.
Any suggestions?
Seth
09-22-2010 07:50 AM
Let me ask. It sounds like you are validating the cert on the CSSC.
Are you NOT validating the certificate on ZeroCFG and perhaps you have VALIDATE certificate on CSSC?
What this means is ... The RADIUS server presents the certificate to the wireless client. This is used to build a TLS tunnel whereby the client will pass its logon and password. If your client validates this cert and the cert isn't in the client store, you will get an error message like the one you have there.
If your client DOESN'T validate the cert, it simply accepts whatever cert it is presented, builds the tunnel and passes the goods...
09-22-2010 08:07 AM
I am trying to use CSSC and PEAP with server validation.
When I use Windows Zero Config and I am checking the box to validate server certificate and then checking the box next to the certificate that I have successfully installed on my laptop.
I am using the CSSC management utility to configure the WLAN.
If I uncheck validate server identity then try to connect via the CSSC client it works. But if I check the box to validate server identity then it fails. I also have CSSC set to "Trust any root CA installed on the OS", which I assume means my PC.
I understand how PEAP works, I am just trying to get it to work with CSSC and validate the server identity via the cert.
Seth
09-22-2010 08:19 AM
Look at this ....
Server Validation
–The Personal stores are not used for server validation.
–When the configuration specifies validateChainWithAnyCaFromOs, the certificate must be installed in the Local Computer\Trusted Root store.
–Any Root CA certificate included in the configuration is ignored and the configuration is translated to validateChainWithAnyCaFromOs. The Root CA certification must be installed by some other means.
–The certificate store is limited to Local Computer during machine authentication and user authentications when the connection is attempted before Windows logon.
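Added example (not part of the original thread or of Cisco's documentation): a PowerShell check, based on the store rules quoted above, that reports which Windows certificate stores hold a given root CA and whether it sits in Local Computer\Trusted Root. The thumbprint is a placeholder to replace, and the list of stores inspected is an assumption.

```powershell
# Assumption: set this to the SHA-1 thumbprint of the root CA that issued
# the ACS server certificate. Placeholder, not a value from the thread.
$Thumbprint = '<ROOT-CA-THUMBPRINT>'

# Stores to inspect. Per the rules quoted above, only LocalMachine\Root
# is consulted for validateChainWithAnyCaFromOs; Personal stores are not.
$Stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
          'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\My'

# Thumbprints copied from the certificate dialog often contain spaces.
$normalized = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($normalized.Length -ne 40) {
    throw 'Set $Thumbprint to the 40-hex-digit thumbprint of the root CA.'
}

# Collect every store in which the certificate is present.
$hits = foreach ($store in $Stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $normalized } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Store     = $store
                Subject   = $_.Subject
                NotBefore = $_.NotBefore
                NotAfter  = $_.NotAfter
            }
        }
}

$machineRoot = $hits | Where-Object { $_.Store -eq 'Cert:\LocalMachine\Root' } |
    Select-Object -First 1
$now = Get-Date

if (-not $hits) {
    Write-Output 'Root CA not found in any inspected store.'
} elseif (-not $machineRoot) {
    $where = ($hits | ForEach-Object { $_.Store }) -join ', '
    Write-Output "Root CA found only in: $where (not in Local Computer\Trusted Root)."
} elseif ($now -lt $machineRoot.NotBefore -or $now -gt $machineRoot.NotAfter) {
    Write-Output "Root CA is in Local Computer\Trusted Root but outside its validity period ($($machineRoot.NotBefore) to $($machineRoot.NotAfter))."
} else {
    Write-Output "Root CA is in Local Computer\Trusted Root: $($machineRoot.Subject)"
}
```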
09-23-2010 06:12 AM
George,
Thank you for the help and the link to the document.
However, I am still not having success.
I have the certificate stored in Local Computer\Trusted Root store.
I also tested the config using my Cisco a/b/g card with the Cisco client utility and PEAP works, just not with CSSC.
Seth