09-14-2006 06:01 AM - edited 07-04-2021 01:06 PM
Hi,
I currently deploy a Wireless Unified Infrastructure based on Airespace Technology.
I provided a diagram in enclosure.
I want to use the eap-peap authentication, based on Windows Logon/Password.
My Wireless Client will use an Intel Wireless Adapter (Intel Pro/Wireless 2200BG) with Intel ProSet/Wireless Supplicant (v. 10.5.0.0).
I am going to use ACS Cisco Server to authenticate and authorize my clients.
I followed the documentation on ACS to use PEAP, but I have an issue in the log "Failed Attempts":
--> "EAP-TLS or PEAP authentication failed during SSL handshake"
in the logs "CSAuth" :
--> EAP: PEAP: ProcessResponse: SSL handshake failed, status = 3 (SSL recv alert fatal:bad certificate)
Apparently, it's a certificate's problem.
However, I installed a certificate while using Generate Self-Signed Certificate on ACS, and I checked it on "Certificate Trust List".
On the other hand, I don't know what CRL Distribution URL I must put on "Certificate Revocation List".
Could you help me, please?
Thanks,
Ben
PS: sorry for my English, I am French
09-20-2006 06:37 AM
One of the reasons might be that the certificate does not have an "extKeyUsage" extension of "serverAuth" (OID = 1.3.6.1.5.5.7.3.1). This extension is considered a standard for SSL servers, and is quite likely the reason for the certificate being rejected by the client. If you use openssl manually, then you would create a file (let's call it "xpextensions") with the following contents:
[xpclient_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[xpserver_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
and you would include the following command-line arguments for openssl when creating the certificate: "-extensions xpserver_ext -extfile ./xpextensions"
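As an added example (not part of the thread or of the ACS documentation), the script below writes the xpextensions file from the reply above, issues two throwaway self-signed certificates with openssl, and checks each one for the serverAuth EKU. The hostname acs.example.test, the req.cnf file and the function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: hostname, file names and function names are constructed.
set -eu

# Write the extension file from the reply, plus a minimal request config.
write_configs() {  # $1 = directory
    cat > "$1/xpextensions" <<'EOF'
[xpclient_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[xpserver_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = acs.example.test
EOF
}

# Self-sign a certificate that carries the given extension section.
make_cert() {  # $1 = directory, $2 = extension section, $3 = output name
    openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -signkey "$1/$3.key" -days 30 \
        -extfile "$1/xpextensions" -extensions "$2" \
        -out "$1/$3.pem" 2>/dev/null
}

# Succeed only if the certificate lists serverAuth (1.3.6.1.5.5.7.3.1).
has_server_auth() {  # $1 = PEM certificate
    openssl x509 -in "$1" -noout -text |
        grep -q 'TLS Web Server Authentication'
}

workdir=$(mktemp -d)
write_configs "$workdir"
make_cert "$workdir" xpserver_ext server
make_cert "$workdir" xpclient_ext client
for name in server client; do
    if has_server_auth "$workdir/$name.pem"; then
        echo "$name.pem: serverAuth present"
    else
        echo "$name.pem: serverAuth missing"
    fi
done
```

The same has_server_auth check can be pointed at a PEM export of the certificate actually installed on the authentication server.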
09-30-2006 12:29 PM
Hi ,
Just confirming: do you have a user cert on the laptop?
Can you get aa debugs/logs from the ACS and controller?
- Seema
10-01-2006 07:19 AM
Did you install the ACS certificate on the client?
PEAP doesn't require client-side certificates, but the client must be able to "trust" the ACS server.
10-03-2006 09:24 PM
To check your setup, install a self-signed certificate on the ACS and uncheck the "Validate server certificate" option on your laptop (under Windows Zero Config).
10-12-2006 12:44 AM
Does anyone know how to get the user a certificate to trust the ACS? (So that the "Validate server certificate" can be checked)
TIA
Rob