WLAN Authentication with ACS 5.4 - Certificate Issue

petenixon
Level 3

Hi guys,

I've been having problems with a local certificate on my ACS for authenticating wireless clients. The error I get when testing authentication is:

12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ACS local-certificate

I have done the following steps to create my certificate:

Downloaded CA Certificate for my certificate authority
Generated a signing request, then bound the CA-signed certificate (also added to the client) and trusted this certificate for EAP-TLS.

When using a self-signed certificate on the ACS, authentication works perfectly.

Has anyone come across this error before or any ideas on how to resolve it?

Thanks.

 

Accepted Solution

Sandeep Choudhary
VIP Alumni

Hi, if you have followed the right procedure for the certificates, then try this:

The error points towards the client. Check the EAP settings: if "validate server certificate" is set, then you must manually set it to trust the root CA that signed the ACS certificate, or you can disable this option for testing. You can also try to remove this wireless network profile and recreate it, and see if the pop-up appears which asks you to validate the server's identity.

 

Regards

Don't forget to rate helpful posts.

7 Replies


Thanks for the reply Sandeep. I have tried disabling the validate server certificate option in the client supplicant, but as I am using EAP-FAST, the returned authentication error is:

12177 No cipher for PAC-less EAP-FAST authentication. (which is even less helpful!!).

The exact procedure I have followed for the certificate creation is below (if helpful):

 

Download CA Certificate:
  Base64
  Download CA Certificate

ACS CA:
  Add certificate
  Trust for EAP-TLS
  Description: Root CA

Generate Signing Request:
  System Admin --> Local Certificates --> Add
  Generate signing request
  Cert Subject: CN=ACS-INSTANCE-DOMAIN-NAME
  1024
  SHA1

Export Outstanding Signing Request:
  Copy CSR
  Request certificate from certsrv
  Advanced
  Submit a cert
  Paste
  Template:
  Base 64
  Download cert

 

Thanks again.

 

Check these things:

1. I don't know if the encoding method Base 64 is correct or not (I have ISE and I am using DER format).

2. The certificate template should be web server.

3. Also try to change the key length and SHA version.

 

Regards
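The CSR and CA-signing procedure posted above, and the three checks in the reply that follows it (Base 64 versus DER, the Web Server template, key length and hash), as an added example that is not part of the thread: the same flow redone with openssl in a scratch directory, so that the resulting certificate can be checked the way a supplicant with "validate server certificate" enabled checks it. The CA names, the host name acs.lab.example and the template names are assumptions; the real ACS and Windows certsrv steps are GUI operations that this script only mirrors.

```shell
#!/bin/sh
# Added example (not from the thread): the CSR -> CA-signed server certificate
# flow from the procedure above, redone with openssl so the resulting chain can
# be checked the way a supplicant checks it before it accepts the ACS
# certificate. Every name here (the lab CAs, acs.lab.example) is made up.
set -eu

WORK=$(mktemp -d)

# A throwaway root CA standing in for the Windows CA in the thread, plus a
# second, unrelated CA to play the role of a root the client does not trust.
make_ca() {          # $1 = CN, $2 = output basename
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$1" -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null
}

# Step "Generate Signing Request": key + CSR with the ACS host name as CN.
# (The thread used 1024-bit RSA / SHA1; 2048-bit RSA / SHA-256 is used here.)
make_csr() {         # $1 = CN, $2 = output basename
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
}

# Step "Request certificate from certsrv ... Template": the template decides
# which extensions the CA puts in. "webserver" mirrors the Web Server
# template (serverAuth EKU); "user" mirrors a client-only template.
sign_csr() {         # $1 = csr basename, $2 = template, $3 = output basename
  case "$2" in
    webserver) eku=serverAuth ;;
    user)      eku=clientAuth ;;
    *) echo "unknown template $2" >&2; return 1 ;;
  esac
  printf 'extendedKeyUsage=%s\nsubjectAltName=DNS:acs.lab.example\n' "$eku" \
    > "$WORK/$3.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/$3.ext" \
    -out "$WORK/$3.pem" 2>/dev/null
}

# What "validate server certificate" does on the client: build the chain from
# the presented certificate to a trusted root. Exit status 0 = accepted.
verify_chain() {     # $1 = cert basename, $2 = trusted root basename
  openssl verify -CAfile "$WORK/$2.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# Does the certificate carry the TLS Web Server Authentication EKU?
has_server_auth() {  # $1 = cert basename
  openssl x509 -in "$WORK/$1.pem" -noout -text \
    | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Server Authentication'
}

# Signature algorithm of the issued certificate, e.g. sha256WithRSAEncryption.
sig_alg() {          # $1 = cert basename
  openssl x509 -in "$WORK/$1.pem" -noout -text \
    | grep -m1 'Signature Algorithm' | sed 's/.*: *//'
}

# Base 64 (PEM) versus DER is only an encoding choice: converting and comparing
# fingerprints shows the certificate itself is unchanged.
same_cert_in_der() { # $1 = cert basename
  openssl x509 -in "$WORK/$1.pem" -outform DER -out "$WORK/$1.der"
  pem=$(openssl x509 -in "$WORK/$1.pem" -noout -fingerprint -sha256)
  der=$(openssl x509 -in "$WORK/$1.der" -inform DER -noout -fingerprint -sha256)
  [ "$pem" = "$der" ]
}

setup_lab() {
  make_ca "Lab Root CA" ca
  make_ca "Unrelated Root CA" otherca
  make_csr acs.lab.example acs
  sign_csr acs webserver acs-web
  sign_csr acs user acs-user
}

setup_lab
echo "signature algorithm: $(sig_alg acs-web)"
if verify_chain acs-web ca;      then echo "trusted root:   chain OK"; fi
if verify_chain acs-web otherca; then :; else echo "wrong root:     rejected (the 12153 situation)"; fi
if has_server_auth acs-web;  then echo "webserver tmpl: serverAuth present"; fi
if has_server_auth acs-user; then :; else echo "user template:  serverAuth missing"; fi
if same_cert_in_der acs-web; then echo "PEM and DER:    same fingerprint"; fi
```

The script needs only openssl. The "wrong root" case is the one the original 12153 error describes: the ACS certificate is well formed, but the client has not been told to trust the root that signed it, so it rejects the certificate during the TLS handshake regardless of which template or encoding was used. The template check shows why the Web Server template matters: a certificate issued from a client-only template validates fine as a chain yet lacks the serverAuth EKU that a supplicant expects on the server side.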

I'll give those a try. Thanks for your help Sandeep.

Thanks again Sandeep, the disabling of the server validation helped me track down the problem, which turned out to be an issue with our root CA. This has since been resolved and the certificates are now working.

What was the issue with root CA and how did it get resolved? I am seeing similar issue with PEAP and getting same error.
 

Hi.

It turns out that the certificate creation was not correct. I re-created the certificates and this resolved the problem.

Please let me know if you need further help.
