Trust Agent Problem: EAP-TLS or PEAP authentication failed
I'm currently experiencing problems with the installation of the ACS-certificate on the client. I'm using an external CA-certificate that is correctly installed on the ACS-server (see other topic).
Now the client also needs the ACS-certificate to be added so that an EAP-tunnel can be established between the client (Trust Agent) and the ACS-server.
Notice that the CA Root-certificate is added on the client under "Trusted Root Certificates" so that shouldn't be the problem.
When I'm using the supplied tool "ctacert.exe" like this:
ctacert.exe /add "C:\cert.cer" /store "root"
...I always get the following error:
"Cisco Systems Trust Agent Certificate has encountered a problem and needs to close. We are sorry for the inconvenience."
The next step I tried is to install the certificate manually (by double-clicking it and choosing the option "Install certificate"). I've chosen to install it in "Trusted Root Certification Authorities/Local Computer" (the so-called physical store). This was successful. However, the certificate, for some reason, isn't placed in "Trusted Root Certification Authorities", but in the "Other People" store.
When I'm starting up the client-computer I get prompted for the username several times, and sometimes I receive the following pop-up prompt:
"You have no certificate in your personal store to be used as credentials for authentication with network Cisco Trust Agent 802.1x ..."
There aren't any ACLs and stuff on the test routers so that can't be the problem.
Re: Trust Agent Problem: EAP-TLS or PEAP authentication failed
Looks like I found the solution myself:
My client is in a test Windows domain, but the ACS isn't yet configured for external user database use. So I'm only using the internal database.
If you're in the same test situation, make sure that under "Global Authentication Setup > EAP-FAST configuration" the option "Require client certificate for provisioning" is unmarked under "allow authenticated PAC provisioning". Otherwise, the EAP-FAST SSL-tunnel might not be established.