Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

EAP-TLS failed Reason: Bad Certificate


I have:

PCSTATION------>AP1250-------->WLC-1---->ACS4.1(radius)------->MS CA

PCSTATION (00:11:00:22:00:33)

AP1250 (00:44:00:55:00:66)


Im trying to install EAP-TLS Authenticatin in my lab. I have followed procedure from cisco documentation:

EAP-TLS under Unified Wireless Network with ACS 4.0 and Windows 2003

But I cant connect my Client PCStation on SSID JELEN. On my ACS4.1>Reports and Activity>Failed attempts I have:

Authen-Failure-Code: EAP-TLS or PEAP authentication failed during SSL handshake

I send to you output from Wireshark. You can see reason for failed is:

TLSv1 Alert (Level: Fatal, Description: Bad Certificate)

What is the problem, I think that I have valid certificate on ACS4.1 and Client station PCSTATION?

Pleas help


  • Security and Network Management

Re: EAP-TLS failed Reason: Bad Certificate

As we can see that we are able to get clients authenticated when we deselect 'Validate Server Certificate'. And we get 'EAP-TLS or PEAP authentication failed during SSL handshake' error.

Its possible that certificate on client is not properly able to authenticate ACS server certificate.

Please check following :

Install the Root CA Certificate for the Client :

Complete these steps.

[1] From the client PC, browse to the CA -http://IP_of_CA_server/certsrv/.

[2] Select Retrieve a CA certificate and click Next.

[3] Select Base64 Encoding and Download CA certificate.

[4] Click Open and select Install Certificate.

[5] Click Next.

[6] Select Place all certificates in the following store and then click Browse.

[7] Check the Show physical stores box.

[8] Expand Trusted root certification authorities, select local computer, and click OK.

[9] Click Next, click Finish, and click OK for "The import was successful" box.

Also check the root CA that we have installed on client under validate server certificate

For Further information about ACS Certificate Setup click this link.

New Member

Re: EAP-TLS failed Reason: Bad Certificate


I already followed this procedure. All certificate are properly generated and installed. Problem was bad configuration on my wirelles Card on client device.


wireless network Connection properties>Authentication>Smart Card or other Certificate>Properties I checked Validate server certificate. And I also checked Connect to these servers:

But in field: Connect to these servers, i have written name of my MS CA server instead name of my ACS 4.1 server.

When in this field writte address of MS CA server everything works perfect.

Of course I have also checked name of my MS CA in Trusted Root Certification Authorities list.

Thank you for your response, 5.0 from me.