03-03-2014 01:44 AM - edited 07-05-2021 12:19 AM
Hi,
I am using 802.1x with EAP-TLS as the authentication protocol. The clients are not able to pass authentication; the error logged on the ACS is:
Authentication failed: EAP-TLS handshake failed SSL/TLS handshake because of an unknown CA in the client certification chain.
I have installed certificates on the WLC and ACS; however, authentication is unsuccessful.
Can anybody help regarding this issue?
03-03-2014 01:57 AM
Hi Sandeep,
I think you did not install the CA in the ACS.
Ensure that the certificate authority that signed the client's certificate is correctly installed in the Certificate Authorities page (Users and Identity Stores > Certificate Authorities). If it is a multi-tiered CA, you can add each certificate in the chain here.
Regards
Don't forget to rate helpful posts
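An added example that is not part of the thread and not Cisco's code: it reproduces the "unknown CA in the client certificate chain" condition offline with openssl by building a constructed two-tier CA (root and issuing CA) plus a client certificate, then verifying the client certificate once with only the root trusted and once with every tier of the chain trusted. All CA and client names are constructed for the demo, and the verification mirrors what a RADIUS server does against its trusted CA store.

```shell
# Constructed demo: why a multi-tier CA needs every tier in the trust store.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Two-tier CA: Demo Root CA -> Demo Issuing CA -> client01 (EAP-TLS identity).
# Names and lifetimes are constructed for this example only.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
  -keyout root.key -out root.crt >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Issuing CA" \
  -keyout inter.key -out inter.csr >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 2 -extfile ca.ext -out inter.crt >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=client01.example.test" \
  -keyout client.key -out client.csr >/dev/null 2>&1
openssl x509 -req -in client.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -days 2 -out client.crt >/dev/null 2>&1

# First thing to check on a real failure: which CA actually issued the
# client certificate? That issuer (and its own issuers) must be trusted.
client_issuer() {
  openssl x509 -noout -issuer -in "$WORK/client.crt"
}

# verify_client <trust-bundle>: exit 0 if client.crt chains to a trusted CA
# in the bundle, non-zero otherwise (the "unknown CA" case).
verify_client() {
  openssl verify -CAfile "$1" "$WORK/client.crt" >/dev/null 2>&1
}

# Case 1: only the root is in the trust store; the issuing CA is missing.
cp root.crt "$WORK/trust-root-only.pem"
# Case 2: both tiers of the chain are in the trust store.
cat root.crt inter.crt > "$WORK/trust-full-chain.pem"

root_only_result()  { verify_client "$WORK/trust-root-only.pem"  && echo pass || echo fail; }
full_chain_result() { verify_client "$WORK/trust-full-chain.pem" && echo pass || echo fail; }

echo "issuer of client cert: $(client_issuer)"
echo "root only trusted:      $(root_only_result)"    # prints fail
echo "root + issuing trusted: $(full_chain_result)"   # prints pass
```

Run against a real client certificate by pointing `openssl verify -CAfile` at the exact set of CA certificates loaded on the server; a `fail` here with the server's bundle is the same condition the ACS log reports.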
03-03-2014 02:04 AM
Hi,
I have installed and verified the certificate on the ACS and WLC.
Can you help me regarding the hostname on the virtual interface of the WLC? Is it mandatory, I mean?
03-03-2014 02:15 AM
Hi Sandeep,
The virtual interface DNS hostname must be equal to the CN of your certificate. An entry in the client's DNS links this DNS hostname to the virtual IP address (1.1.1.1).
The thing is, this is what the client verifies: "I'm being presented a certificate; does the name match the URL I'm currently on?"
So it means that the WLC won't redirect the client to "http://1.1.1.1" anymore, but to the hostname you configured on the virtual interface. Hence this hostname needs to be DNS resolvable.
As per my experience, this is normally used for webauth.
More info
Regards
03-03-2014 02:31 AM
Hi,
Thanks Sandeep
Also wanted to know: is there any relation between the virtual interface and the device (WLC) certificates, or is this just to be used for web authentication?
03-03-2014 02:48 AM
Hi Sandeep,
The web auth certificate is the default certificate in the WLC, but you can also use your own (3rd party).
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/70584-csr-wlc-00.html
Virtual interface: This interface handles any mobility management, VPN termination, and web authentication, and is also a DHCP relay for WLAN clients.
--------------------------------
Yes, it's interconnected; the purpose of this entry is so that the controller knows the name of the certificate for the virtual address translation.
1. Guest client goes to google.com
2. Client goes to DNS (the one it is assigned in DHCP)
3. DNS resolves the name for google.com
4. Client then attempts to go to google.com
5. Controller intercepts the GET and replaces it with 1.1.1.1
6. Controller then takes the 1.1.1.1 and translates this to the DNS name to negate the "accept this cert" screen
7. DNS then gets resolved to the name (example: guest.xxx.com)
8. Controller presents the guest screen
Hope it helps.
Regards
Don't forget to rate helpful posts
03-03-2014 03:01 AM
Thanks for the info.
03-03-2014 03:28 AM
Hi,
Can you share some information regarding Locally Significant Certificates and vendor certs?
The certificate I have installed on the WLC shows up under the vendor cert tab but not on the LSC tab.
???
Will this work, or do I need to have the LSC also installed?
03-03-2014 03:41 AM
Here are the details about LSC:
Third Party Certificate:
Yes, that's right, you don't see it under LSC. It will work.
Regards
Don't forget to rate helpful posts