Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

EAP-TLS error .........failed SSL/TLS handshake because of an unknown CA in client certificate chain

Hi,

I am using 802.1x and EAP-TLS as authentication protocol. The clients are not able to pass the authentication the error log on ACS is

Authentication failed: EAP-TLS handshake failed SSL/TLS handshake because of an unknown CA in the client certification chain.

I have installed certificates on the WLC and ACS, however authentication is unsuccessful.

Can anybody help regarding this issue.

1 ACCEPTED SOLUTION

Accepted Solutions
VIP Purple

EAP-TLS error .........failed SSL/TLS handshake because of an un

Hi Sandeep,

Web auth certificate is defult certificate in wlc but you can also use your own(3rd party).

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/70584-csr-wlc-00.html

Virtual interface : This interface handles any mobility management, VPN Termination, Web authentication, and is also a DHCP relay for WLAN clients.

--------------------------------

Yes its interconnected, the purpose for this entry is so that the controller knows the name of the of the certificates to virtual address translation.

1. Guest Client go to google.com

2. Client goes to DNS (the one its is assign in DHCP)

3. DNS resolves the DNS for google.com

4. Client then attempts to go to google.com

5. Controller intercepts GET and replaces it with a 1.1.1.1

6. Controller then takes the 1.1.1.1 and translates this to the DNS name to negat the (accpet this cert screen)

7. DNS then gets resolve to the name (example guest.xxx.com)

8. Controller presents the guest screen

Hope it helps.

Regards

Dont forget to rate helpful posts

8 REPLIES
VIP Purple

EAP-TLS error .........failed SSL/TLS handshake because of an un

HI sandeep,

I think you did not installed the CA in the ACS.

Ensure that the certificate authority that signed the client's certificate is  correctly installed in the Certificate Authorities page (Users and Identity Stores > Certificate Authorities). If it is a multi-tiered CA you can add each certificate in the chain here.

Regards

Dont forget to rate helpful posts

New Member

EAP-TLS error .........failed SSL/TLS handshake because of an un

Hi,

I have installed and verified the certificate on ACS and WLC.

Can you help me regarding the hostname on virtual interface of the WLC. Is it mandatory i mean ??

VIP Purple

EAP-TLS error .........failed SSL/TLS handshake because of an un

HI Sandeep,

The Virtual interface DNS hostname must be equal to the CN of your certificate.An entry in the client DNS to links this DNS hostname to the virtual ip address (1.1.1.1)

The thing is that, this is what the client verifies "I'm being presented a certificate, does the name matches the URL I'm currently onto .

So it means that the WLC wont' redirect the client to "http://1.1.1.1" anymore but to the hostname you configured on the virtual interface. Hence this hostname needs to be DNS resolvable.

As per my exp: this is normally used for webauth.

More info VIr.png

http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/108501-webauth-tshoot.html

Regards

New Member

EAP-TLS error .........failed SSL/TLS handshake because of an un

Hi ,

Thanks Sandeep

Also wanted to know, is there any relation between virtual interface and device(WLC) certificates , or this is just to be used for web authentication.

VIP Purple

EAP-TLS error .........failed SSL/TLS handshake because of an un

Hi Sandeep,

Web auth certificate is defult certificate in wlc but you can also use your own(3rd party).

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/70584-csr-wlc-00.html

Virtual interface : This interface handles any mobility management, VPN Termination, Web authentication, and is also a DHCP relay for WLAN clients.

--------------------------------

Yes its interconnected, the purpose for this entry is so that the controller knows the name of the of the certificates to virtual address translation.

1. Guest Client go to google.com

2. Client goes to DNS (the one its is assign in DHCP)

3. DNS resolves the DNS for google.com

4. Client then attempts to go to google.com

5. Controller intercepts GET and replaces it with a 1.1.1.1

6. Controller then takes the 1.1.1.1 and translates this to the DNS name to negat the (accpet this cert screen)

7. DNS then gets resolve to the name (example guest.xxx.com)

8. Controller presents the guest screen

Hope it helps.

Regards

Dont forget to rate helpful posts

New Member

EAP-TLS error .........failed SSL/TLS handshake because of an un

Thanks for the info.

New Member

EAP-TLS error .........failed SSL/TLS handshake because of an un

Hi

can you share some information regarding Local Significant Certificate and Vendor certs.

The certificate i have installed on WLC shows up under the vendor cert tab but not on the LSC tab.

???

Will this work or do i need have the LSC also installed.

VIP Purple

EAP-TLS error .........failed SSL/TLS handshake because of an un

792
Views
0
Helpful
8
Replies