New Member

Failed to initialize PEAP or EAP-TLS authentication protocol because CA certificate is not installed. Install the CA certificate using "ACS Certification Authority Setup" page.

Hi,


I replaced an ACS certificate that had been installed as follows:


1. Generate CSR file and private key file, then send CSR to GeoTrust (Key length: 2048 and Digest to sign with SHA1)

2. GeoTrust sent me a certificate. Issued by "GeoTrust SSL CA".

3. Install the certificate on the ACS. Restart ACS service.

4. ACS Certification authority setup. Issued by "VeriSign Class 2 Public Primary Certification Authority - G3"

5. Edit certificate trust list and select "VeriSign Class 2 Public Primary Certification Authority - G3" as trusted.

6. Enable EAP-TLS, then restarted the ACS service.


The problem is that when I try to enable EAP I get the error message:

Failed to initialize PEAP or EAP-TLS authentication protocol because CA certificate is not installed. Install the CA certificate using "ACS Certification Authority Setup" page.


I searched on Cisco and it said to disable the CSA, but in fact there is no CSA installed on this server.

OS: Win 2003 sp2
Cisco ACS: Release 4.2(0) Build 124


Any help appreciated.


Thanks

4 REPLIES
New Member

Re: Failed to initialize PEAP or EAP-TLS authentication protocol

In order to resolve the error, install the CA certificate using ACS Certification Authority Setup. This error occurs due to incorrect CA certificate if the self-signed certificate is not used.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080545a29.shtml

http://thedailyreviewer.com/hardware/view/ciso-acs-appliance-and-windows-certificate-peap-error-112344781

New Member

Re: Failed to initialize PEAP or EAP-TLS authentication protocol

Thanks for your reply.

I am sure the CA certificate is right, because I just renewed the server certificate, and there is a little change from the previous one. The Issuer is changed to "GeoTrust SSL CA" from "Equifax Secure Certificate Authority", and the key length is changed to 2048 bits from 1024 bits.

I doubt that ACS 4.2 supports 2048-bit keys. Any advice? Thanks.

New Member

Re: Failed to initialize PEAP or EAP-TLS authentication protocol

We are going through the same problem. The first step appears to be installing the proper CA cert. After several phone calls with GeoTrust, we got the following link - http://www.geotrust.com/resources/root-certificates/. Based on the cert we have, I was told to use Root 2 - GeoTrust Global CA. Working on that now and will try to advise here once I have things running.

Ron

New Member

Re: Failed to initialize PEAP or EAP-TLS authentication protocol

Hello,

After my ACS certificate expired I experienced the same problem. We use a root CA - issuing CA construct. The CA certificate of the ACS pointed to the Root CA, and it was the only certificate in the trusted list. The Issuing CA certificate was not in the trusted list. This was never a problem before, but now on one of my two ACS servers, I got this problem. After removing the root CA from the trust list, inserting both CA server certificates (first the Root CA and then the Issuing CA) and enabling them in the trust list I was able to activate the PEAP settings! Note: keep restarting the ACS service as required by the interface.

Good Luck,

Gerhald.
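
The replies above come down to one check: every CA between the server certificate and its root must be both installed and enabled in the trust list. The sketch below is an added example, not Cisco's code or any poster's; it walks issuer names only, and the host name and the GeoTrust SSL CA to GeoTrust Global CA link are assumptions constructed from the names mentioned in the thread.

```python
from __future__ import annotations
from typing import NamedTuple, Optional

class Cert(NamedTuple):
    subject: str
    issuer: str
    trusted: bool = False  # enabled under "Edit Certificate Trust List"

def check_chain(server: Cert, installed: list[Cert]) -> tuple[list[str], Optional[str]]:
    """Follow issuer names from the server certificate up to a self-signed root.

    Returns (chain, problem). problem is None only when every CA on the path
    is installed and enabled. Names only: no signature or expiry checks.
    """
    by_subject = {c.subject: c for c in installed}
    chain, current = [server.subject], server
    if server.issuer == server.subject:       # self-signed server certificate
        return chain, None
    while True:
        ca = by_subject.get(current.issuer)
        if ca is None:
            return chain, f"CA certificate not installed: {current.issuer}"
        if ca.subject in chain:               # guard against cross-signed loops
            return chain, f"issuer loop at: {ca.subject}"
        chain.append(ca.subject)
        if not ca.trusted:
            return chain, f"CA installed but not enabled in trust list: {ca.subject}"
        if ca.issuer == ca.subject:           # reached the root
            return chain, None
        current = ca

# Constructed sample data; the host name is a placeholder and the
# GeoTrust SSL CA -> GeoTrust Global CA link is assumed from the thread.
SERVER = Cert("acs.example.test", "GeoTrust SSL CA")
VERISIGN = "VeriSign Class 2 Public Primary Certification Authority - G3"
ROOT = Cert("GeoTrust Global CA", "GeoTrust Global CA", True)
ISSUING = Cert("GeoTrust SSL CA", "GeoTrust Global CA", True)
SCENARIOS = {
    "original post (VeriSign root only)": [Cert(VERISIGN, VERISIGN, True)],
    "root CA only": [ROOT],
    "issuing CA installed, not enabled": [ROOT, ISSUING._replace(trusted=False)],
    "root and issuing CA enabled": [ROOT, ISSUING],
}

if __name__ == "__main__":
    for name, certs in SCENARIOS.items():
        chain, problem = check_chain(SERVER, certs)
        print(f"{name}: {' -> '.join(chain)} | {problem or 'chain complete'}")
```

On a real server the subject and issuer fields would be read from the installed certificates rather than typed in.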
