Cisco Support Community
Wired 802.1x EAP-TLS Server Certificate Problem

I have set up wired 802.1x authentication using EAP-TLS with ACS 3.3 and a backend link to Active Directory. Root CA certificates are installed on the ACS and the client PC. Machine certificates and user certificates are also installed on the client PC. A server certificate is installed on the ACS. Everything has been configured as detailed on the Cisco website (numerous documents).

If I set the client to authenticate the server's certificate, I get a failure. The client's log (Cisco Secure Services Client) states:

11:48:53.088 Validating the server.

11:48:53.088 Server list is empty, trusted server can not be validated.

11:48:53.088 Server list is empty, trusted server can not be validated.

11:48:53.088 The server certificate is invalid, the common name ACS-One.rotherham.gov.uk does not match.

11:48:54.776 Port state transition to AC_PORT_STATE_UNAUTHENTICATED(AC_PORT_STATUS_ERR_SERVER_TLS_CERTIFICATE_REJECTED)

11:48:54.776 The authentication process has failed.

If I look at the Auth log on the ACS (set to full logging), it states:

AUTH 08/27/2008 14:09:04 I 0701 1492 AuthenProcessResponse: process response for 'paul.kyte@domain' against Windows NT/2000

AUTH 08/27/2008 14:09:04 E 0350 1492 EAP: TLS: ProcessResponse: SSL handshake failed, status = 3 (SSL alert fatal:bad certificate)

If I configure the client not to check the server's certificate, it all works OK.

Can anyone tell me why my server certificate is getting rejected?

Thanks,

Paul
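The two logs above record the same event from each end of the TLS exchange: the supplicant rejects the server certificate and sends a fatal bad_certificate alert, which the ACS records as "SSL handshake failed ... bad certificate". The following is an added example, not code from the post or from Cisco, that models the supplicant's server check in plain Python: the certificate must chain to a trusted root, be within its validity period, and present a subject CN or DNS SAN that matches an entry in the supplicant's trusted-server list. Certificates are plain records rather than parsed X.509, and the issuer name, validity dates, and the wildcard-matching rule are assumptions for illustration; only the CN is taken from the client log.

```python
"""Model of a wired 802.1x supplicant's EAP-TLS server-certificate check.

Added example, not Cisco Secure Services Client code. The supplicant
accepts the EAP server's certificate only if it chains to a trusted root,
is currently valid, and its subject CN or a DNS SAN matches one of the
configured trusted-server rules. An empty trusted-server list can match
nothing, which is the failure the client log reports.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple


@dataclass
class ServerCert:
    subject_cn: str
    issuer: str
    not_before: datetime
    not_after: datetime
    san_dns: List[str] = field(default_factory=list)


@dataclass
class SupplicantProfile:
    trusted_roots: Set[str]            # issuer names the client trusts
    trusted_servers: List[str]         # names the EAP server must present
    validate_server: bool = True       # the poster's workaround sets this False


def name_matches(pattern: str, name: str) -> bool:
    """Case-insensitive match; a leading '*.' matches exactly one DNS label."""
    pattern, name = pattern.lower(), name.lower()
    if not pattern.startswith("*."):
        return pattern == name
    suffix = pattern[1:]                       # e.g. ".rotherham.gov.uk"
    head, sep, rest = name.partition(".")
    return sep == "." and head != "" and "." + rest == suffix


def validate_server(cert: ServerCert, profile: SupplicantProfile,
                    now: datetime) -> Tuple[bool, str]:
    """Return (accepted, reason) mirroring the supplicant's decision."""
    if not profile.validate_server:
        # Skipping the check means any server holding any certificate can
        # terminate the TLS tunnel; a rogue switch or AP is not detected.
        return True, "server validation disabled"
    if cert.issuer not in profile.trusted_roots:
        return False, "issuer %r is not a trusted root CA" % cert.issuer
    if not (cert.not_before <= now <= cert.not_after):
        return False, "certificate outside its validity period"
    if not profile.trusted_servers:
        return False, "Server list is empty, trusted server can not be validated"
    presented = [cert.subject_cn] + list(cert.san_dns)
    for rule in profile.trusted_servers:
        if any(name_matches(rule, n) for n in presented):
            return True, "matched trusted server rule %r" % rule
    return False, ("The server certificate is invalid, the common name "
                   "%s does not match" % cert.subject_cn)


def demo() -> Dict[str, Tuple[bool, str]]:
    """Check the ACS certificate from the post against four client profiles:
    an empty trusted-server list (the failure in the log), a wildcard rule
    that matches, a rule naming a different host, and validation disabled."""
    now = datetime(2008, 8, 27, 14, 9, 4, tzinfo=timezone.utc)
    acs_cert = ServerCert(
        subject_cn="ACS-One.rotherham.gov.uk",   # CN from the client log
        issuer="Rotherham Root CA",               # assumed issuer name
        not_before=datetime(2008, 1, 1, tzinfo=timezone.utc),   # assumed
        not_after=datetime(2010, 1, 1, tzinfo=timezone.utc),    # assumed
    )
    root = {"Rotherham Root CA"}
    profiles = {
        "empty_list": SupplicantProfile(root, []),
        "wildcard_rule": SupplicantProfile(root, ["*.rotherham.gov.uk"]),
        "wrong_name": SupplicantProfile(root, ["acs-two.rotherham.gov.uk"]),
        "no_validation": SupplicantProfile(root, [], validate_server=False),
    }
    return {k: validate_server(acs_cert, p, now) for k, p in profiles.items()}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-14s %s: %s" % (name, "ACCEPT" if ok else "REJECT", why))
```

The "empty_list" profile reproduces the two messages in the client log: with no trusted-server rule configured, nothing can match the CN, so the certificate is rejected before the name is even compared against a rule. The "no_validation" profile reproduces the working-but-unsafe state: authentication succeeds, but the client will also complete the tunnel with any server that presents a certificate.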

2 REPLIES
Re: Wired 802.1x EAP-TLS Server Certificate Problem

If Cisco Secure ACS runs on a member server and any user is to be authenticated using EAP-TLS, you must complete additional configuration in Active Directory of the domain containing Cisco Secure ACS. The username that you configured to run all Cisco Secure ACS services must also have permission to read user properties in Active Directory, else EAP-TLS authentication fails.

Re: Wired 802.1x EAP-TLS Server Certificate Problem

Can you tell me where I find this user name, as I don't know what it is?

Thanks
