EAP-TLS error .........failed SSL/TLS handshake because of an unknown CA in client certificate chain

Sandeep Verma
Level 1

Hi,

I am using 802.1X with EAP-TLS as the authentication protocol. The clients are not able to pass authentication; the error log on ACS is:

Authentication failed: EAP-TLS handshake failed SSL/TLS handshake because of an unknown CA in the client certification chain.

I have installed certificates on the WLC and ACS, however authentication is unsuccessful.

Can anybody help regarding this issue?



Sandeep Choudhary
VIP Alumni

Hi Sandeep,

I think you did not install the CA in the ACS.

Ensure that the certificate authority that signed the client's certificate is correctly installed in the Certificate Authorities page (Users and Identity Stores > Certificate Authorities). If it is a multi-tiered CA, you can add each certificate in the chain here.

Regards

Don't forget to rate helpful posts

Hi,

I have installed and verified the certificate on ACS and WLC.

Can you help me regarding the hostname on the virtual interface of the WLC. Is it mandatory, I mean?

Hi Sandeep,

The virtual interface DNS hostname must be equal to the CN of your certificate. An entry in the client DNS links this DNS hostname to the virtual IP address (1.1.1.1).

The thing is that this is what the client verifies: "I'm being presented a certificate; does the name match the URL I'm currently on?"

So it means that the WLC won't redirect the client to "http://1.1.1.1" anymore but to the hostname you configured on the virtual interface. Hence this hostname needs to be DNS resolvable.

As per my experience: this is normally used for webauth.

More info: VIr.png

http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/108501-webauth-tshoot.html

Regards
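
The two checks discussed in this thread, the RADIUS server building a path from the supplicant's certificate to an installed CA (the "unknown CA in the client certificate chain" error when a tier is missing) and the browser matching the web-auth redirect hostname against the WLC certificate, can be reproduced offline. The following Go program is an added example and is not code from the original post, from Cisco ACS or from the WLC; it builds a constructed three-tier PKI (root CA, issuing CA, a client certificate and a web-auth server certificate with made-up names such as guest.example.com) and then runs both checks with Go's standard library:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DemoPKI is a constructed hierarchy: root CA -> issuing CA -> leaf certificates.
// All names are made up for this example.
type DemoPKI struct {
	Root, Intermediate, Client, WebAuth *x509.Certificate
}

// newTemplate builds a certificate template. CA templates get the cert-signing
// key usage; leaves get one extended key usage (ClientAuth for an EAP-TLS
// supplicant, ServerAuth for the WLC web-auth certificate) plus optional SANs.
func newTemplate(cn string, serial int64, isCA bool, eku x509.ExtKeyUsage, dns ...string) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		DNSNames:              dns,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{eku}
	}
	return t
}

// sign issues tmpl under parent/parentKey; a nil parent means self-signed (root CA).
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildDemoPKI issues the constructed hierarchy used by the checks below.
func BuildDemoPKI() DemoPKI {
	root, rootKey := sign(newTemplate("Example Root CA", 1, true, 0), nil, nil)
	inter, interKey := sign(newTemplate("Example Issuing CA", 2, true, 0), root, rootKey)
	client, _ := sign(newTemplate("supplicant-laptop", 3, false, x509.ExtKeyUsageClientAuth), inter, interKey)
	web, _ := sign(newTemplate("guest.example.com", 4, false, x509.ExtKeyUsageServerAuth, "guest.example.com"), inter, interKey)
	return DemoPKI{Root: root, Intermediate: inter, Client: client, WebAuth: web}
}

// VerifyClientChain mirrors what the RADIUS server does in the EAP-TLS handshake:
// build a path from the supplicant certificate to a trusted root using only the
// CA certificates installed in its store. A missing tier is reported as
// "certificate signed by unknown authority", the equivalent of the ACS error.
func VerifyClientChain(client *x509.Certificate, roots, intermediates []*x509.Certificate) error {
	opts := x509.VerifyOptions{
		Roots:         x509.NewCertPool(),
		Intermediates: x509.NewCertPool(),
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	for _, c := range roots {
		opts.Roots.AddCert(c)
	}
	for _, c := range intermediates {
		opts.Intermediates.AddCert(c)
	}
	_, err := client.Verify(opts)
	return err
}

// HostnameMatches is the check a browser applies to the web-auth redirect: the
// name in the URL must appear in the certificate. Modern clients match the
// subject alternative names, so the hostname must be a SAN, not only the CN.
func HostnameMatches(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

func main() {
	p := BuildDemoPKI()
	roots := []*x509.Certificate{p.Root}
	fmt.Println("root only:        ", VerifyClientChain(p.Client, roots, nil))
	fmt.Println("root+intermediate:", VerifyClientChain(p.Client, roots, []*x509.Certificate{p.Intermediate}))
	fmt.Println("guest.example.com:", HostnameMatches(p.WebAuth, "guest.example.com"))
	fmt.Println("1.1.1.1:          ", HostnameMatches(p.WebAuth, "1.1.1.1"))
}
```

Running it shows the first verification failing with an unknown-authority error because only the root is installed while the client certificate was issued by the intermediate, and succeeding once the intermediate is added, which is the multi-tier situation the reply above describes. The hostname check passes for the name in the certificate and fails for the bare virtual IP, which is why the virtual interface hostname has to match the certificate and resolve in the client's DNS.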

Hi,

Thanks Sandeep

Also wanted to know, is there any relation between the virtual interface and the device (WLC) certificates, or is this just to be used for web authentication?

Hi Sandeep,

The web auth certificate is the default certificate in the WLC, but you can also use your own (3rd party).

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/70584-csr-wlc-00.html

Virtual interface: This interface handles any mobility management, VPN termination, web authentication, and is also a DHCP relay for WLAN clients.

--------------------------------

Yes, it's interconnected; the purpose of this entry is so that the controller knows the name of the certificate for the virtual address translation.

1. Guest client goes to google.com

2. Client goes to DNS (the one it is assigned in DHCP)

3. DNS resolves the name for google.com

4. Client then attempts to go to google.com

5. Controller intercepts the GET and replaces it with 1.1.1.1

6. Controller then takes the 1.1.1.1 and translates this to the DNS name to negate the (accept this cert) screen

7. DNS then gets resolved to the name (example guest.xxx.com)

8. Controller presents the guest screen

Hope it helps.

Regards

Don't forget to rate helpful posts

Thanks for the info.

Hi

Can you share some information regarding Local Significant Certificate and vendor certs?

The certificate I have installed on the WLC shows up under the vendor cert tab but not on the LSC tab.

???

Will this work, or do I need to have the LSC also installed?
