New Member

WLC to ACS v5 to AD - PEAP Handshake Failed

Hi

I have a Cisco WLC talking to an ACS 4400 version 5.1 which in turn talks to Active Directory.

I've been trying to get 802.1x for wireless clients going. I have a cert on the ACS from Verisign on the box, but when users try to sign in they get 12309 PEAP handshake failed in the ACS RADIUS log.

The cert was exported and placed directly on the testing laptop and at one point it all worked.  I stepped away from it for 2 weeks to get a new internal CA built on a Windows box, now coming back to it with the intent of issuing new certs to the ACS from the internal CA and thought I would check it to make sure all was good, but it's not.

Google doesn’t return happy results for “12309 PEAP handshake failed”, I opened a TAC case on it and they took my cert to their lab.  Haven’t heard back.  I was wondering if the netpro community had any ideas.

e-

7 REPLIES
Cisco Employee

Re: WLC to ACS v5 to AD - PEAP Handshake Failed

Eric,

Clients need to verify that they trust the certificate installed on ACS.  Make sure you install the CA certificate from your internal CA onto your laptop.  A good way to tell if this is the issue is to uncheck the "verify server certificate" checkbox on your client and see if it still fails.

--Jesse

Anonymous
N/A

Re: WLC to ACS v5 to AD - PEAP Handshake Failed

Yeah, that's what I thought, and that's what TAC said too.

We removed "verify" on the supplicant, and tested for the cert from the internal CA and one from Verisign.  Both reside on the laptop.  In both cases a 12309 PEAP handshake failed error shows up in the RADIUS log.

I'm lost as to the cause.

e-

Cisco Employee

Re: WLC to ACS v5 to AD - PEAP Handshake Failed

Are you authenticating a user or a machine when this error is seen?

--Jesse

Anonymous
N/A

Re: WLC to ACS v5 to AD - PEAP Handshake Failed

It should be user.

The WLC defers to ACS for a user based on AD security group membership, and the supplicant (when the option is cleared) asks for a user name and password.

Cisco Employee

Re: WLC to ACS v5 to AD - PEAP Handshake Failed

Eric,

Try to authenticate to an internal ACS user and see if you have the same problem.  If that works then you at least have it narrowed down to ACS/AD communication and can concentrate on that in the TAC case.  Unfortunately I have not seen the exact error you are running into.

--Jesse

New Member

WLC to ACS v5 to AD - PEAP Handshake Failed

Any progress on this one?  I am getting a similar error, but between my controllers and Cisco ISE (still using RADIUS).

New Member

Hello! we have similar problem

Hello!

we have similar problem.

WLC uses ACS as a RADIUS server to authenticate AD users with PEAP/MSCHAPv2.

ACS certificate is issued by GeoTrust certificate.

After GeoTrust reissued CRL, wifi users stopped being authenticated with an error "12309 PEAP handshake failed" on the ACS.

 
