Unable to Authenticate PEAP users with ACS

Hi

I have configured PEAP authentication on the WLC and ACS using RADIUS. My clients are unable to authenticate with the server.

When I run troubleshooting on the server it gives me the following error (attached picture).

Can anyone help me fix the issue?

Also I need to know where we need to install the certificate on ACS.

I had it installed under "Users and Identity Stores > Certificate Authorities".

Do I also need to install the same certs under "System Administration > Configuration > Local Server Certificates > Local Certificates"?

Thank you,

Nilay

Accepted Solution

Unable to Authenticate PEAP users with ACS

PEAP requires the AAA server to have a certificate that allows user authentication.

Did you install a Cert from your CA, or use the Generate Self Signed Certificate option on the ACS?

HTH,
Steve

-----------------------------------------
Please remember to rate useful posts, and mark questions as answered

16 REPLIES


Unable to Authenticate PEAP users with ACS

Yes I have Cert signed from CA.

Cert agency is Entrust.net Certification Authority

Just need to know where should I install Certificate on ACS 5.3 ?

Thank you,

Nilay

Re: Unable to Authenticate PEAP users with ACS

Nilay:

The location under CA certificates is for the server to trust user certificates (used if you use EAP-TLS).

You need to configure the certificate under the other location for PEAP:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/admin_config.html#wpxref44329

HTH

Amjad


Rating useful replies is more useful than saying "Thank you"

Unable to Authenticate PEAP users with ACS

Hi Amjad

Thank you for your reply.

Can you tell me the exact location where I need to configure external certificates?

Thank you,

Nilay

Unable to Authenticate PEAP users with ACS

What do you mean by external cert?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin

Unable to Authenticate PEAP users with ACS

Yes, external certs

Also, does the cert become invalid if I change the domain of the ACS?

Thank you,

Nilay

Unable to Authenticate PEAP users with ACS

Nilay:

Have you checked the link I put for you?

You need to install the certificate in:

System Administration > Configuration > Local Server Certificates > Local Certificates

I think by "external" certificate you mean "non-self-signed certificate", right?

ACS name and domain name must match on the certificate; otherwise auth will not work properly.

HTH

Amjad


Unable to Authenticate PEAP users with ACS

"ACS name and domain name must match on the certificate; otherwise auth will not work properly."

I don't know that to be true. I have ACSs with certs that don't have the domain or ACS name, and in fact I have the same cert on 6 different RADIUS servers. I don't have any issues.

The cert used for EAP is a simple cert and not tied to a web link or DNS redirect. The RADIUS server simply presents the cert to the supplicant. It's used to build a TLS tunnel so that the user credentials can be passed.

However, if you wanted to add additional security and validate the cert, the supplicant can be configured to check the domain of the cert, date, etc. But this is not a requirement.


Re: Unable to Authenticate PEAP users with ACS

Thanks George.

I would say you are right.

When I replied to the post, all that I was thinking of was URL things. But you are right. Domain name has nothing to do with TLS.

We can say changing the domain name is valid for auth but not valid for the management? In other words, you'll start to receive the HTTPS certificate error when you try to open the ACS webpage if you changed the domain name, right?

I withdraw my first post.

Sorry guys.

Amjad


Re: Unable to Authenticate PEAP users with ACS

Correct, if you are trying to manage the box you would want a full URL added to the cert.

But for EAP, not needed. Unless again, you want your supplicant to check against different attributes of the cert. Like I mentioned, if the cert is made with the domain name, RADIUS server host name, date etc., a supplicant (supplicant dependent) can validate the cert attributes.


Re: Unable to Authenticate PEAP users with ACS

BTW +5 ... Keep up the good work Amjad. CSC is here not only to help others, but also to sharpen our own skills in the process.

Except for Leo .. he just likes to foam at the mouth from time to time! LOL


Re: Unable to Authenticate PEAP users with ACS

Thank you George.

I am still a newbie and still learning, but I know some stuff from experience that I'd like to share.

I am here, however, more to learn, especially from you, Leo and Stephen.

Thanks again for the rating and for correcting my wrong answer.


Unable to Authenticate PEAP users with ACS

I am having the same issue with Cisco ACS 4.2 running on VMware Windows Server 2003.

I have installed the certificate that I received from a public CA, following the steps listed in the user guide to enable PEAP MS-CHAPv2.

The certificate is being presented but the clients receive an untrusted CA alert error message. No root or chain shows up in the path. Is there a different install for the root and chain certificates?

Thank you,

Rob


Unable to Authenticate PEAP users with ACS

Do you also have the CA on your Domain Controller?


Re: Unable to Authenticate PEAP users with ACS

Rob,

Since you installed a 3rd party certificate, if you look in the certificate snap-in console on the RADIUS server, look at the certificate and check if the private key is in the cert. You can tell by looking at the icon for the certificate: there should be a key icon on the top left of the certificate icon.

Also, are you validating the certificate on the clients? If so, you might be checking the wrong root CA. You can test if the cert is valid by unchecking "validate server certificate" on the client and seeing if the authentication passes or fails.

You can always install the intermediate and root on the server also.


-Scott
*** Please rate helpful posts ***

Re: Unable to Authenticate PEAP users with ACS

I figured out that I needed to install the intermediate certificate onto the client's system because I am using PEAP MS-CHAPv2, according to the following information: https://supportforums.cisco.com/docs/DOC-1576

If I were to use PEAP-TLS, would I still need to install the intermediate certificates onto the clients' PCs? I have yet to find any real documentation regarding this issue.

Thank you,

Rob
