PEAP authentication problem

j.tandel
Level 1

I am trying to use PEAP on my APs in the Enterprise. It works fine when used as WPA2. But when I use dot1x it gives me the error 'auidentified server identity'. I am using ACS 3.3 and a self-signed cert. on the ACS. I have installed the same cert. on one wireless client, but it gives me the error all the time. The error in the ACS failed attempt is 'EAP-TLS or PEAP authentication failed during SSL handshake'.

Please help.

3 Replies

robert.wright
Level 1

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml

"

If the ACS's certificate on the wireless client is invalid (which depends on the certificate's valid "from" and "to" dates, the client's date and time settings, and CA trust), then the client will reject it and authentication will fail. The ACS will log the failed authentication in the web interface under Reports and Activity > Failed Attempts > Failed Attempts XXX.csv with the Authentication Failure-Code similar to "EAP-TLS or PEAP authentication failed during SSL handshake." The expected error message in the CSAuth.log file is similar to the following.

AUTH 06/04/2003 14:56:41 E 0345 1644 EAP: buildEAPRequestMsg:

other side probably didn't accept our certificate

If the client's certificate on the ACS is invalid (which depends on the certificate's valid "from" and "to" dates, the server's date and time settings, and CA trust), then the server will reject it and authentication will fail. The ACS will log the failed authentication in the web interface under Reports and Activity > Failed Attempts > Failed Attempts XXX.csv with the Authentication Failure-Code similar to "EAP-TLS or PEAP authentication failed during SSL handshake." If the ACS rejects the client's certificate because the ACS does not trust the CA, the expected error message in the CSAuth.log file is similar to the following.

AUTH 06/04/2003 15:47:43 E 0345 1696 EAP: ProcessResponse:

SSL handshake failed, status = 3 (SSL alert fatal:unknown CA certificate)

"

I do not have a CA in my Enterprise. I am using the ACS self-signed certificate. I am also adding this certificate to the ACS Cert. Storage and trusting the cert.

I am installing the same cert. on the client.

Do I have to use a different cert. for the client, or can I use the same cert. for the ACS server as well as the wireless clients?

Are the dates on those certificates valid? I.e., make sure it has not expired. I would double-check the log file that the page references for additional help in troubleshooting this issue.
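The two CSAuth.log messages quoted from the Cisco document point at opposite sides of the handshake, so a small triage script can tell which certificate store to inspect. This is an added example, not part of the thread or of Cisco's tooling; the function names, the MM/DD/YYYY date reading and the handling of wrapped lines are assumptions.

```python
import re
from datetime import datetime

# Header of a CSAuth.log EAP entry as quoted above. The two numeric fields after
# the severity letter are matched but not interpreted (their meaning is not on the page).
ENTRY = re.compile(r"^AUTH (\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) (\w) (\d+) (\d+) EAP: (\w+):\s*(.*)$")

# Message fragment -> (which side rejected, what the quoted document says to check).
CAUSES = [
    ("other side probably didn't accept our certificate",
     ("client rejected ACS certificate",
      "ACS cert valid from/to dates, client date and time, client trust of the cert")),
    ("unknown CA certificate",
     ("ACS rejected client certificate",
      "issuing CA is not trusted by the ACS")),
]

def parse_entries(text):
    """Group lines into entries; a non-AUTH line continues the previous entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if m:
            ts, sev, _f1, _f2, func, msg = m.groups()
            # Assumption: timestamps are MM/DD/YYYY.
            entries.append({"time": datetime.strptime(ts, "%m/%d/%Y %H:%M:%S"),
                            "severity": sev, "function": func, "message": msg})
        elif entries:
            entries[-1]["message"] = (entries[-1]["message"] + " " + line).strip()
    return entries

def triage(text):
    """Return (time, verdict, checks) for each entry matching a known cause."""
    findings = []
    for e in parse_entries(text):
        for fragment, (verdict, checks) in CAUSES:
            if fragment in e["message"]:
                findings.append((e["time"], verdict, checks))
                break
    return findings

# Sample input: the two entries quoted in the thread, wrapped as they appear there.
SAMPLE = """AUTH 06/04/2003 14:56:41 E 0345 1644 EAP: buildEAPRequestMsg:
other side probably didn't accept our certificate
AUTH 06/04/2003 15:47:43 E 0345 1696 EAP: ProcessResponse:
SSL handshake failed, status = 3 (SSL alert fatal:unknown CA certificate)
"""

if __name__ == "__main__":
    for when, verdict, checks in triage(SAMPLE):
        print(when.isoformat(), "|", verdict, "| check:", checks)
```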
