
handshake SSL !!!

benjamin.heron
Level 1

Hi,

I currently deploy a Wireless Unified Infrastructure based on Airespace Technology.

I provided a diagram in enclosure.

I want to use the eap-peap authentication, based on Windows Logon/Password.

My Wireless Client will use an Intel Wireless Adapter (Intel Pro/Wireless 2200BG) with Intel ProSet/Wireless Supplicant (v. 10.5.0.0).

I am going to use ACS Cisco Server to authenticate and authorize my clients.

I followed the documentation on ACS to use PEAP, but I have an issue in the log "Failed Attempts":

--> "EAP-TLS or PEAP authentication failed during SSL handshake"

in the logs "CSAuth" :

--> EAP: PEAP: ProcessResponse: SSL handshake failed, status = 3 (SSL recv alert fatal:bad certificate)

Apparently, it's a certificate's problem.

However, I installed a certificate using Generate Self-Signed Certificate on ACS, and I checked it on "Certificate Trust List".

On the other hand, I don't know what CRL Distribution URL I must put on "Certificate Revocation List".

Could you help me, please?

Thanks,

Ben

PS: sorry for my English, I am French

pradeepde
Level 5

One of the reasons might be that the certificate does not have an "extKeyUsage" extension of "serverAuth" (OID = 1.3.6.1.5.5.7.3.1). This extension is considered a standard for SSL servers, and is quite likely the reason for the certificate being rejected by the client. If you use openssl manually, then you would create a file (let's call it "xpextensions") with the following contents:

[xpclient_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[xpserver_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

and you would include the following command-line arguments for openssl when creating the certificate: "-extensions xpserver_ext -extfile ./xpextensions"
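The following is an added example, not part of the original reply: it writes the "xpextensions" file described above, issues one self-signed test certificate per section, and checks each for the serverAuth EKU. The CN, file names, key size and 30-day validity are assumptions chosen for illustration, and the certificate is built in two steps (CSR, then self-sign) so that "-extfile" applies.

```shell
#!/bin/sh
# Added example. File names, CN and validity period are constructed values.
set -eu

# Write the extensions file described in the reply, one directive per line.
write_xpextensions() {
    cat > "$1" <<'EOF'
[xpclient_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[xpserver_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
}

# make_cert DIR NAME SECTION: self-signed DIR/NAME.pem using SECTION's EKU.
make_cert() {
    dir=$1 name=$2 section=$3
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=acs.example.test" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -signkey "$dir/$name.key" \
        -days 30 -extfile "$dir/xpextensions" -extensions "$section" \
        -out "$dir/$name.pem" 2>/dev/null
}

# has_server_auth CERT: true only if the EKU extension lists serverAuth.
has_server_auth() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Extended Key Usage' |
        grep -q 'TLS Web Server Authentication'
}

# Build one certificate per section and report whether serverAuth is present.
demo() {
    tmp=$(mktemp -d)
    write_xpextensions "$tmp/xpextensions"
    make_cert "$tmp" server xpserver_ext
    make_cert "$tmp" client xpclient_ext
    for c in server client; do
        if has_server_auth "$tmp/$c.pem"; then
            echo "$c.pem: serverAuth present"
        else
            echo "$c.pem: serverAuth missing"
        fi
    done
    rm -rf "$tmp"
}

demo
```

The same has_server_auth check can be pointed at a PEM export of the certificate actually installed on the authentication server.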

Hi,

Just confirming: do you have a user cert on the laptop?

Can you get aa debugs/logs from ACS and controller?

- Seema

dsidley
Level 1

Did you install the ACS certificate on the client?

PEAP doesn't require client-side certificates, but the client must be able to "trust" the ACS server.

jasjsingh
Level 1

To check your setup, install a self-signed certificate on the ACS and uncheck the "Validate server certificate" option on your laptop (under Windows Zero Config).

robsimkins
Level 1

Does anyone know how to get the user a certificate to trust the ACS? (So that the "Validate server certificate" can be checked)

TIA

Rob
