
EAP-TLS & ACE Appliance "EAP-TLS or PEAP authentication failed"

mikeb
Level 1

Hello - I have a version 3.2 of the ACS appliance and I am trying to set up a successful test of EAP-TLS. I have a W2K server for a CA and I believe I have the certificate installed properly. However, I get the "EAP-TLS or PEAP authentication failed during SSL handshake" error message in my failed attempts log. The troubleshooting document tells me to look at the CSAuth.log file but I can't seem to find it on the ACS Appliance.

Does anyone have any ideas how to troubleshoot this problem with the appliance?


thomas.chen
Level 6

If the client's certificate on the ACS is invalid (which depends on the certificate's valid "from" and "to" dates, the server's date and time settings, and CA trust), then the server will reject it and authentication will fail. The ACS will log the failed authentication in the web interface under Reports and Activity > Failed Attempts > Failed Attempts XXX.csv with the Authentication Failure-Code similar to "EAP-TLS or PEAP authentication failed during SSL handshake." If the ACS rejects the client's certificate because the ACS does not trust the CA, the expected error message in the CSAuth.log file is similar to the following.

AUTH 06/04/2003 15:47:43 E 0345 1696 EAP: ProcessResponse:

SSL handshake failed, status = 3 (SSL alert fatal:unknown CA certificate)

If the ACS rejects the client's certificate because the certificate has expired, the expected error message in the CSAuth.log file is similar to the following.

AUTH 06/04/2005 15:02:08 E 0345 1692 EAP: ProcessResponse:

SSL handshake failed, status = 3 (SSL alert fatal:certificate expired)

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml
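One way to sort CSAuth.log handshake failures into the two causes described in the reply above, as an added example that is not part of the thread or any Cisco tooling. The regex assumes the entry layout of the two lines quoted above; the sample log, the unrelated line in it, and the function names are constructed.

```python
import re
from collections import Counter

# Constructed sample: the two entries quoted in the reply, wrapped across
# lines as they appear on the page, plus one constructed unrelated line.
SAMPLE_LOG = """\
AUTH 06/04/2003 15:47:43 E 0345 1696 EAP: ProcessResponse:

SSL handshake failed, status = 3 (SSL alert fatal:unknown CA certificate)
AUTH 06/04/2003 15:48:01 I 0143 1696 unrelated entry (constructed)
AUTH 06/04/2005 15:02:08 E 0345 1692 EAP: ProcessResponse:

SSL handshake failed, status = 3 (SSL alert fatal:certificate expired)
"""

# Alert text -> what to check, following the causes named in the reply.
CAUSES = {
    "unknown CA certificate":
        "CA trust: the ACS does not trust the CA that issued the client certificate",
    "certificate expired":
        "validity: check the certificate's valid from/to dates and the server's date and time",
}

# Layout assumed from the two quoted entries. The message may be wrapped onto
# a following line, so \s* is allowed to cross the line break after the colon.
ENTRY = re.compile(
    r"^AUTH (?P<date>\S+) (?P<time>\S+) E [^\n]*?EAP: ProcessResponse:\s*"
    r"SSL handshake failed, status = (?P<status>\d+) "
    r"\(SSL alert (?P<level>\w+):(?P<alert>[^)\n]+)\)",
    re.MULTILINE,
)

def triage(log_text):
    """Return one finding per SSL handshake failure found in the log text."""
    findings = []
    for m in ENTRY.finditer(log_text):
        alert = m.group("alert").strip()
        findings.append({
            "when": f"{m.group('date')} {m.group('time')}",
            "status": int(m.group("status")),
            "alert": alert,
            "check": CAUSES.get(alert, "unclassified alert: read the raw entry"),
        })
    return findings

def summarize(findings):
    """Count failures per alert text to show which cause dominates."""
    return Counter(f["alert"] for f in findings)

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['when']}  {f['alert']} -> {f['check']}")
```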
