Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

PEAP authentication failed during SSL handshake

I'm getting the error message "EAP-TLS or PEAP authentication failed during SSL handshake" whille trying to authenticate using PEAP with Win2k & ACS 3.2.1. I am sure it's a certificate issue. if anybody out there could clue me in on how they got their certificate installed I'd appreciate it... I've tried a couple different instructions on Cisco's site (and others) and have had no luck.



New Member

Re: PEAP authentication failed during SSL handshake

This is the debug from the AP:

1d05h: dot11_dot1x_send_response_to_client: Forwarding server message to client


1d05h: dot11_dot1x_parse_client_pak: Received EAPOL packet from 0007.eb31.4db5,

type 0

1d05h: dot11_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for 0007


1d05h: dot11_dot1x_send_response_to_server: Sending client 0007.eb31.4db5 data t

o server

1d05h: RADIUS: AAA Unsupported [136] 3

1d05h: RADIUS: 33 [3]

1d05h: RADIUS(00000245): Using existing nas_port 329

1d05h: RADIUS/ENCODE(00000245): dropping service type, "radius-server attribute

6 on-for-login-auth" is off

1d05h: RADIUS/ENCODE(00000245): acct_session_id: 581

1d05h: RADIUS(00000245): sending

1d05h: RADIUS: Send to unknown id 70, Access-Request, len 361

1d05h: RADIUS: authenticator 7F D9 46 F1 BF 8F 16 1F - 84 46 76 7C C1 2F 4D A4

1d05h: RADIUS: User-Name [1] 26 "APPLY.ORG\USER001"

1d05h: RADIUS: Framed-MTU [12] 6 1400

1d05h: RADIUS: Called-Station-Id [30] 16 "0002.8a78.b393"

1d05h: RADIUS: Calling-Station-Id [31] 16 "0007.eb31.4db5"

1d05h: RADIUS: Message-Authenticato[80] 18 *

1d05h: RADIUS: EAP-Message [79] 194

1d05h: RADIUS: 02 06 00 C0 19 80 00 00 00 B6 16 03 01 00 86 10 [?????????????


1d05h: RADIUS: 00 00 82 00 80 07 F9 07 D3 0A 4B DB 83 B1 CC C1 [??????????K??


1d05h: RADIUS: EB 3A 2A 98 1E EB 85 B2 4F B6 51 EF F7 83 82 BE [?:*?????O?Q??


1d05h: RADIUS: D2 BE D3 22 71 82 A8 5C F0 17 3C C6 9B 22 9C 45 [???"q??\??


1d05h: RADIUS: 6F 38 A3 10 B8 73 EC 9C 7E 48 CD 0B AC 63 97 B1 [o8???s??~H???


1d05h: RADIUS: 03 A8 A7 93 FB 88 90 01 70 5A 44 93 8D AD E1 1D [????????pZD??


1d05h: RADIUS: 73 DF DA 86 31 1D 54 9A CB C1 E8 CF 72 8E A2 98 [s???1?T?????r


1d05h: RADIUS: FC 3A 18 AE 1D E9 BB 02 37 03 B8 7F DB B2 41 68 [?:??????7????


1d05h: RADIUS: E3 B3 7C FD 8E 9E 0F 13 44 05 D6 3B 9D AA 66 25 [??|?????D??;?


1d05h: RADIUS: 8C CA 58 02 D8 14 03 01 00 01 01 16 03 01 00 20 [??X??????????

?? ]

1d05h: RADIUS: BA FE 3E 54 12 93 13 D7 1A FC 40 A5 A2 F4 52 73 [??>T??????@??


1d05h: RADIUS: C9 CE CF F5 AC 6F 1C 35 E1 51 59 D2 F5 93 5B A3 [?????o?5?QY??


1d05h: RADIUS: NAS-Port-Type [61] 6 Virtual [5]

1d05h: RADIUS: NAS-Port [5] 6 329

1d05h: RADIUS: State [24] 36

1d05h: RADIUS: 43 49 53 43 4F 2D 45 41 50 2D 43 48 41 4C 4C 45 [CISCO-EAP-CHA


1d05h: RADIUS: 4E 47 45 3D 30 2E 66 66 66 66 66 66 66 66 2E 32 [NGE=0.fffffff


1d05h: RADIUS: 2E 34 [.4]

1d05h: RADIUS: NAS-IP-Address [4] 6

1d05h: RADIUS: Nas-Identifier [32] 11 "AP-TEST"

1d05h: RADIUS: Received from id 70, Access-Reject, len 56

1d05h: RADIUS: authenticator 43 9C 4A B1 B5 C5 DA 3A - 89 58 02 8B B8 3D 78 F8

1d05h: RADIUS: EAP-Message [79] 6

1d05h: RADIUS: 04 06 00 04 [????]

1d05h: RADIUS: Reply-Message [18] 12

1d05h: RADIUS: 52 65 6A 65 63 74 65 64 0A 0D [Rejected??]

1d05h: RADIUS: Message-Authenticato[80] 18 *

1d05h: RADIUS: Received from id 245

1d05h: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes

1d05h: RADIUS/DECODE: Reply-Message fragments, 10, total 10 bytes

1d05h: dot11_dot1x_parse_aaa_resp: Received server response: FAIL

1d05h: dot11_dot1x_parse_aaa_resp: found eap pak in server response

1d05h: dot11_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for 0007.


1d05h: dot11_dot1x_send_response_to_client: Forwarding server message to client


1d05h: dot11_dot1x_send_client_fail: Authentication failed for 0007.eb31.4db5

1d05h: dot11_dot1x_update_holdlist_client: Client holdlist attempts = 3

1d05h: dot11_dot1x_update_holdlist_client: Restarting holdoff timer...600 (secs)

1d05h: %DOT11-7-AUTH_FAILED: Station 0007.eb31.4db5 Authentication failed

New Member

Re: PEAP authentication failed during SSL handshake


New Member

Re: PEAP authentication failed during SSL handshake


I also had this error. It was because the client tried to check the server's certificate.

I unchecked on the client the option "Validate server certificate".

Maybe you have the same problem.

New Member

Re: PEAP authentication failed during SSL handshake

I think I tried that, but I'll give it another go and see what happens.

New Member

Re: PEAP authentication failed during SSL handshake

It was happend to me this problem too. It Happens when i erase a certificate (in the client) that i was previously request (with no problems), and when i request again, and try to reuathentificate, the problem appears...

The solution : I don't know, I tried to erase de SSL Cache in the client, but seems this is no the


The SOLUTION that works to me is to restart AP (power off power on)... I restart de ACS just in case... and then, the error not appear any more...

good look

Enrique Lopez

Ingeniero de Proyectos Magenta S.A.

New Member

Re: PEAP authentication failed during SSL handshake

Hi Ben!

I`ve had the same problem until i did the following (starting from the begining):

1. Installed w2k (Standalone server) with SP4 (ONLY, no other patches).

2. Install CS v.3.2

3. Install the MS CA server (sharing a folder, CAConfig)

4. Install the initial (CA) certificate on the ACS (NOT in the "CA Authority...", only "Install a certificate").

5. Restart - after restart "Edit certificate... - mark your MS CA server.

6. Mark EAP-TLS and EAP-GTC - restart

7. From the client PC - go the webpage of your CA server - choose "Request.., then Advanced Request - in the name field WRITE the User (logon name) name of the user requesting the certificate, choose "Client Authentication", mark "Keys as Exportible", mark "Use local Machine Store" - click submit

8. Issue the client certificate from the CA server.

9. Go to the CA webpage (from the client PC), and install the certificate.

10. From the client PC, choose "Run" write "mmc /c.

11. Choose "Action", and the "Install Snap-in" - choose "Client certificate" - check to se if everything is correct.

12. Configure the 802.1X settings - choose PEAP, and "Keys are provided.." click next (or advanced, don`t remember. I`m not in my office when I`m writing this), from the pulldown list, choose your CA.

13. On that page choose your "Windows login.." password.

By doing like this, i made work...but i prefer LEAP.


CreatePlease login to create content