08-27-2008 05:40 AM - edited 03-10-2019 04:03 PM
I have set up wired 802.1x authentication using EAP-TLS with ACS 3.3 and a backend link to Active Directory. Root CA certificates are installed on the ACS and the client PC. Machine certificates and user certificates are also installed on the client PC. A server certificate is installed on the ACS. All has been configured as detailed on the Cisco web site (numerous documents).
If I set the client to authenticate the server's certificate I get a failure. The client's log (Cisco Secure Services Client) states:
11:48:53.088 Validating the server.
11:48:53.088 Server list is empty, trusted server can not be validated.
11:48:53.088 Server list is empty, trusted server can not be validated.
11:48:53.088 The server certificate is invalid, the common name ACS-One.rotherham.gov.uk does not match.
11:48:54.776 Port state transition to AC_PORT_STATE_UNAUTHENTICATED(AC_PORT_STATUS_ERR_SERVER_TLS_CERTIFICATE_REJECTED)
11:48:54.776 The authentication process has failed.
If I look at the Auth log on ACS (set to full logging) it states:
AUTH 08/27/2008 14:09:04 I 0701 1492 AuthenProcessResponse: process response for 'paul.kyte@domain' against Windows NT/2000
AUTH 08/27/2008 14:09:04 E 0350 1492 EAP: TLS: ProcessResponse: SSL handshake failed, status = 3 (SSL alert fatal:bad certificate)
If I configure the client to not check the server's certificate it all works OK.
Can anyone tell me why my server certificate is getting rejected?
Thanks,
Paul
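The client log above shows two separate checks failing in sequence: the supplicant has no trusted-server names configured ("Server list is empty"), so nothing can match the certificate's common name, and the TLS handshake is then aborted with a bad certificate alert. The following is an added illustration for this thread, not code from Cisco SSC or ACS: a small model of the validation a supplicant performs on the RADIUS server's certificate (trusted issuer, then trusted-server name match against CN/SAN). The certificate fields, the root CA name "Example Root CA" and the wildcard behaviour are constructed assumptions; only the CN ACS-One.rotherham.gov.uk comes from the posted log.

```python
"""Model of the EAP-TLS server-certificate checks a supplicant performs.
Added example for this thread; not Cisco SSC/ACS code. Certificates are
constructed dicts, and the trusted root name is a hypothetical placeholder."""

from dataclasses import dataclass, field


@dataclass
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not parsed)."""
    subject_cn: str
    issuer_cn: str
    sans: list = field(default_factory=list)  # dNSName SAN entries


def name_matches(name: str, pattern: str) -> bool:
    """Case-insensitive DNS-name comparison. A single leading '*.' wildcard
    matches exactly one label (assumption: RFC 6125-style behaviour)."""
    name, pattern = name.lower(), pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # keep the leading dot
        return name.endswith(suffix) and "." not in name[: -len(suffix)]
    return name == pattern


def validate_server(cert: Cert, trusted_servers: list, trusted_root_cns: set) -> list:
    """Return the list of validation failures, phrased like the SSC log lines.
    An empty list means the server certificate would be accepted."""
    problems = []
    # 1. Chain check (simplified to the issuer name being a trusted root).
    if cert.issuer_cn not in trusted_root_cns:
        problems.append("issuer %r is not a trusted root CA" % cert.issuer_cn)
    # 2. Trusted-server list: with no entries, no name can ever match,
    #    which is exactly what the posted log reports.
    if not trusted_servers:
        problems.append("Server list is empty, trusted server can not be validated.")
    # 3. Name check: CN or any SAN must match one configured trusted server.
    names = [cert.subject_cn] + list(cert.sans)
    if not any(name_matches(n, p) for n in names for p in trusted_servers):
        problems.append(
            "The server certificate is invalid, the common name %s does not match."
            % cert.subject_cn
        )
    return problems


# Constructed certificate resembling the one in the thread; issuer is a placeholder.
ACS_CERT = Cert(subject_cn="ACS-One.rotherham.gov.uk", issuer_cn="Example Root CA")
TRUSTED_ROOTS = {"Example Root CA"}


def diagnose() -> dict:
    """Compare three supplicant configurations against the same ACS certificate."""
    return {
        "empty_list": validate_server(ACS_CERT, [], TRUSTED_ROOTS),
        "wrong_name": validate_server(ACS_CERT, ["acs-two.rotherham.gov.uk"], TRUSTED_ROOTS),
        "exact_name": validate_server(ACS_CERT, ["acs-one.rotherham.gov.uk"], TRUSTED_ROOTS),
        "wildcard": validate_server(ACS_CERT, ["*.rotherham.gov.uk"], TRUSTED_ROOTS),
    }


if __name__ == "__main__":
    for config, problems in diagnose().items():
        print(config, "->", problems or "accepted")
```

Running it shows the "empty_list" configuration reproducing both log lines from the post, while an exact name or a one-label wildcard for the ACS host is accepted; disabling the check, as the poster did to get things working, removes the only binding between the supplicant and a specific RADIUS server.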
09-02-2008 05:46 AM
If Cisco Secure ACS runs on a member server and any user is to be authenticated using EAP-TLS, you must complete additional configuration in Active Directory of the domain containing Cisco Secure ACS. The username that you configured to run all Cisco Secure ACS services must also have permission to read user properties in Active Directory, else EAP-TLS authentication fails.
09-02-2008 08:39 AM
Can you tell me where I find this user name as I don't know what it is.
Thanks