
New Member

handshake SSL !!!

Hi,

I currently deploy a Wireless Unified Infrastructure based on Airespace Technology.

I provided a diagram in enclosure.

I want to use the eap-peap authentication, based on Windows Logon/Password.

My Wireless Client will use an Intel Wireless Adapter (Intel Pro/Wireless 2200BG) with Intel ProSet/Wireless Supplicant (v. 10.5.0.0).

I am going to use ACS Cisco Server to authenticate and authorize my clients.

I followed the documentation on ACS to use PEAP, but I have an issue in the log "Failed Attempts":

--> "EAP-TLS or PEAP authentication failed during SSL handshake"

in the logs "CSAuth" :

--> EAP: PEAP: ProcessResponse: SSL handshake failed, status = 3 (SSL recv alert fatal:bad certificate)

Apparently, it's a certificate's problem.

However, I installed a certificate using "Generate Self-Signed Certificate" on ACS, and I checked it in the "Certificate Trust List".

On the other hand, I don't know what CRL Distribution URL I must put in "Certificate Revocation List".

Could you help me, please?

Thanks,

Ben

PS: sorry for my English, I am French.

5 REPLIES
Bronze

Re: handshake SSL !!!

One of the reasons might be that the certificate does not have an "extKeyUsage" extension of "serverAuth" (OID = 1.3.6.1.5.5.7.3.1). This extension is considered a standard for SSL servers, and is quite likely the reason for the certificate being rejected by the client. If you use openssl manually, then you would create a file (let's call it "xpextensions") with the following contents:

    [xpclient_ext]
    extendedKeyUsage = 1.3.6.1.5.5.7.3.2

    [xpserver_ext]
    extendedKeyUsage = 1.3.6.1.5.5.7.3.1

and you would include the following command-line arguments for openssl when creating the certificate:

    -extensions xpserver_ext -extfile ./xpextensions
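The openssl procedure this reply describes, carried through end to end as an added example (this is not code from the thread, from Cisco or from the ACS documentation): it writes the "xpextensions" file with the two sections above, issues two self-signed test certificates with the reply's "-extensions ... -extfile ..." arguments (one from xpserver_ext, one from xpclient_ext), then checks each for the serverAuth EKU and runs "openssl verify -purpose sslserver" against it with the certificate itself as the trust anchor, which is the same "is this fit to be an SSL server" judgement the supplicant's "Validate server certificate" step (discussed later in this thread) has to make. It assumes the openssl CLI is on PATH; the subject name acs.example.test, the directory and all file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: exercise the extKeyUsage advice above.
# Assumes the openssl CLI is on PATH. All names and paths are constructed for the demo.
set -eu

# Write the reply's "xpextensions" file: one section per certificate role.
write_extfile() {
    cat > "$1/xpextensions" <<'EOF'
[xpclient_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[xpserver_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
    # Minimal req config so the key/CSR step does not depend on a system openssl.cnf.
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = req_dn
prompt = no

[req_dn]
CN = acs.example.test
EOF
}

# make_cert DIR NAME SECTION: self-signed DIR/NAME.crt whose EKU comes from SECTION,
# passed with the same "-extensions ... -extfile ..." arguments the reply gives.
make_cert() {
    dir="$1"; name="$2"; section="$3"
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$dir/$name.csr" -signkey "$dir/$name.key" \
        -extensions "$section" -extfile "$dir/xpextensions" \
        -out "$dir/$name.crt" 2>/dev/null
}

# has_server_auth CERT: succeeds when the certificate carries the serverAuth EKU.
has_server_auth() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# verify_as_server CERT: trust CERT itself as the anchor (the effect of installing the
# server certificate on the client) and ask whether it is fit to act as an SSL server.
# A certificate whose EKU lists only clientAuth is rejected ("unsupported certificate purpose").
verify_as_server() {
    openssl verify -purpose sslserver -CAfile "$1" "$1" >/dev/null 2>&1
}

DEMO_DIR="$(mktemp -d)"
write_extfile "$DEMO_DIR"
make_cert "$DEMO_DIR" server xpserver_ext   # what the ACS should present
make_cert "$DEMO_DIR" client xpclient_ext   # the wrong EKU for a server

for name in server client; do
    cert="$DEMO_DIR/$name.crt"
    if has_server_auth "$cert"; then eku="serverAuth present"; else eku="serverAuth missing"; fi
    if verify_as_server "$cert"; then fit="accepted as an SSL server"; else fit="rejected as an SSL server"; fi
    printf '%s.crt: %s, %s\n' "$name" "$eku" "$fit"
done
```

Run it as a plain sh script; the server certificate is reported with serverAuth present and accepted, the clientAuth-only one is reported as missing serverAuth and rejected. The same "openssl x509 -noout -text" inspection is a quick way to confirm what an existing ACS certificate actually carries before chasing CRL settings.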

Cisco Employee

Re: handshake SSL !!!

Hi,

Just confirming: do you have a user cert on the laptop?

Can you get the debugs/logs from ACS and the controller?

- Seema

New Member

Re: handshake SSL !!!

Did you install the ACS certificate on the client?

PEAP doesn't require client side certificates, but the client must be able to "trust" the ACS server.

New Member

Re: handshake SSL !!!

To check your setup, install a self-signed certificate on the ACS and uncheck the "Validate server certificate" option on your laptop (under Windows Zero Config).

New Member

Re: handshake SSL !!!

Does anyone know how to get the user a certificate to trust the ACS? (So that the "Validate server certificate" can be checked)

TIA

Rob
