
PEAP works with Windows zero but not with CSSC

srosenthal
Level 4

I got PEAP to work using the Windows zero config, but I cannot get PEAP to work when using CSSC on the same laptop.

When using CSSC I get asked for the password and authentication fails.  ACS is reporting PEAP authentication failed due to unknown CA certificate during SSL handshake.

Any suggestions?

Seth


George Stefanick
VIP Alumni

Let me ask. It sounds like you are validating the cert on the CSSC.

Are you NOT validating the certificate on ZeroCFG and perhaps you have VALIDATE certificate on CSSC?

What this means is ... The Radius server presents the certificate to the wireless client. This is used to build a TLS tunnel whereby the client will pass its logon and password. If your client validates this cert and the cert isn't in the client store, you will get an error msg like you have there..

If your client DOESN'T validate the cert, it simply accepts whatever cert it is presented, builds the tunnel and passes the goods...

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

I am trying to use CSSC and PEAP with server validation.

When I use Windows zero config and I am checking the box to validate server certificate and then checking the box next to the certificate that I have successfully installed on my laptop.

I am using the CSSC management utility to configure the WLAN.

If I uncheck validate server identity then try to connect via the CSSC client it works. But if I check the box to validate server identity then it fails. I also have CSSC set to "Trust any root CA installed on the OS". Which I assume means my PC.

I understand how PEAP works, I am just trying to get it to work with CSSC and validate the server identity via the cert.

Seth

Look at this ....

Server Validation

The Personal stores are not used for server validation.

When the configuration specifies validateChainWithAnyCaFromOs, the certificate must be installed in the Local Computer\Trusted Root store.

Any Root CA certificate included in the configuration is ignored and the configuration is translated to validateChainWithAnyCaFromOs. The Root CA certification must be installed by some other means.

The certificate store is limited to Local Computer during machine authentication and user authentications when the connection is attempted before Windows logon.

http://www.cisco.com/en/US/docs/wireless/wlan_adapter/secure_client/5.1.1/administration/guide/C2_SetupSSC.html

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
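
One way to check the condition in the Server Validation note quoted above, as an added example that is not part of the thread or of Cisco's documentation. It uses the built-in Windows PowerShell `Cert:` drive; `$ServerCertPath` is a hypothetical path to the RADIUS (ACS) server certificate exported as a .cer file, and issuers are matched by name only.

```powershell
# Added example. $ServerCertPath is a hypothetical path to the RADIUS (ACS)
# server certificate exported as a .cer file; it is not from the thread.
param([string]$ServerCertPath = 'C:\temp\acs-server.cer')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ServerCertPath
$serverSubject = $cert.Subject

# Walk issuer names upward using only the Local Computer stores, which is
# where the quoted note says the CA must be installed. Matching is by name
# only; no signatures are verified here.
$machineStores = 'Cert:\LocalMachine\CA', 'Cert:\LocalMachine\Root'
$hops = 0
while ($cert.Subject -ne $cert.Issuer -and $hops -lt 10) {
    $parent = Get-ChildItem -Path $machineStores |
        Where-Object { $_.Subject -eq $cert.Issuer } |
        Select-Object -First 1
    if (-not $parent) { break }      # issuer missing from the machine stores
    $cert = $parent
    $hops++
}

# For a self-signed certificate Issuer equals Subject, so this is the root
# name; after a broken walk it is the name of the missing issuer.
$anchorName = $cert.Issuer

$inMachineRoot = @(Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $anchorName })
# The Current User view also lists Local Computer roots, so it is only
# meaningful when the machine store came up empty.
$inUserRoot = @(Get-ChildItem Cert:\CurrentUser\Root |
    Where-Object { $_.Subject -eq $anchorName })

$verdict = if ($inMachineRoot.Count -gt 0) {
    'Trust anchor is in Local Computer\Trusted Root'
} elseif ($inUserRoot.Count -gt 0) {
    'Trust anchor is only in the Current User store; import it into Local Computer\Trusted Root'
} else {
    'Issuer not found in any Trusted Root store'
}

[pscustomobject]@{
    ServerCert             = $serverSubject
    Anchor                 = $anchorName
    MachineRootThumbprints = $inMachineRoot.Thumbprint -join ', '
    Verdict                = $verdict
}
```

Comparing the reported thumbprint with the one on the certificate ACS actually presents shows whether the installed root is the CA that issued the current server certificate or an older one with the same name.
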

George,

Thank you for the help and the link to the document.

However, I am still not having success.

I have the certificate stored in Local Computer\Trusted Root store.

I also tested the config using my Cisco a/b/g card with the Cisco client utility and PEAP works, just not with CSSC.

Seth
