
New Member

WLAN Authentication with ACS 5.4 - Certificate Issue

Hi guys,

I've been having problems with a local certificate on my ACS for authenticating wireless clients. The error I get when testing authentication is:

12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ACS local-certificate

I have done the following steps to create my certificate:

Downloaded CA Certificate for my certificate authority
Generated a signing request and then bind CA signed certificate (also added to client) and trust this certificate for EAP-TLS.

When using a self-signed certificate on the ACS, authentication works perfectly.

Has anyone come across this error before or any ideas on how to resolve it?

Thanks.


1 ACCEPTED SOLUTION
VIP Purple

Hi, If you have followed the right procedure for certificates then further try this:

The error points at the client. Check the EAP settings: if "validate server certificate" is set, then you must manually set it to trust the root CA that signed the ACS certificate, or you can disable this option for testing. You can try to remove this wireless network profile and recreate it, and see if the pop-up appears which asks you to validate the server's identity.


Regards

Don't forget to rate helpful posts

7 REPLIES

New Member

Thanks for the reply Sandeep. I have tried disabling the validate server certificate option in the client supplicant, but as I am using EAP-FAST, the returned authentication error is:

12177 No cipher for PAC-less EAP-FAST authentication. (which is even less helpful!!).

The exact procedure I have followed for the certificate creation is below (if helpful):


Download CA certificate:
    Download CA Certificate
    Base64
    Download CA Certificate

ACS CA:
    Add certificate
    Trust for EAP-TLS
    Description: Root CA

Generate signing request:
    System Admin --> Local Certificates --> Add
    Generate signing request
    Cert Subject: CN=ACS-INSTANCE-DOMAIN-NAME
    Key length: 1024
    Digest: SHA1

Export outstanding signing request:
    Copy CSR
    Request certificate from certsrv
    Advanced
    Submit a cert
    Paste
    Template:
    Base 64
    Download cert


Thanks again.


VIP Purple

Check these two things:

1. I don't know if the encoding method Base 64 is correct or not (I have ISE and I am using DER format).

2. Certificate template should be webserver

3. Also try to change the key length and SHA version.


Regards
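The two posts above (the CSR-and-sign procedure and the checklist about the CA template, key length and encoding) come down to a few checks the supplicant performs on the ACS certificate before it trusts it. The script below is an added example, not code from this thread or from Cisco: it uses the openssl command line to build a lab root CA, issue a server certificate from a CSR the way the ACS flow does (generate request, sign on the CA, bind), and then run the chain and EKU checks against a correctly issued certificate, one issued by a different CA, and one issued from a client-style template. Every name in it (Lab Root CA, Other CA, acs01.lab.example) is made up for the example, and it assumes an openssl 1.1.1 or newer CLI is installed.

```shell
#!/bin/sh
# Added example, not from the thread or from Cisco. Assumes the openssl CLI.
# Names (Lab Root CA, Other CA, acs01.lab.example) are made up.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the run does not depend on the system openssl.cnf.
# v3_ca is only applied when a self-signed CA is generated with -x509.
printf '[req]\ndistinguished_name = dn\nx509_extensions = v3_ca\n[dn]\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n' > "$WORK/req.cnf"

# Self-signed root CA: this is the certificate the client must trust when
# "validate server certificate" is enabled in the EAP profile.
make_ca() {              # make_ca <name> <subject>
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# CSR for the server plus signing by the named CA. The extensions written here
# are what a CA "Web Server" template adds; a user/client template would put
# clientAuth in extendedKeyUsage instead. Uses 2048-bit RSA and SHA-256 rather
# than the 1024/SHA1 from the thread.
issue_cert() {           # issue_cert <ca-name> <cert-name> <cn> <eku>
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$3" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\nsubjectAltName=DNS:%s\n' \
        "$4" "$3" > "$WORK/$2.ext"
    openssl x509 -req -sha256 -days 365 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -extfile "$WORK/$2.ext" -out "$WORK/$2.pem" 2>/dev/null
}

# Check 1: does the server certificate chain to the CA the client trusts?
# When this fails the supplicant rejects the server certificate (ACS 12153).
chains_to() {            # chains_to <ca-name> <cert-name>
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# Check 2: the same chain check, additionally requiring the serverAuth EKU
# that a supplicant expects; this is the "template should be webserver" point.
usable_as_tls_server() { # usable_as_tls_server <ca-name> <cert-name>
    openssl verify -purpose sslserver -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# Check 3: the subject CN the client compares with the configured server name.
subject_cn() {           # subject_cn <cert-name>
    openssl x509 -in "$WORK/$1.pem" -noout -subject 2>/dev/null |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

make_ca rootca  "/CN=Lab Root CA"
make_ca otherca "/CN=Other CA"
issue_cert rootca  acs        acs01.lab.example serverAuth   # correct
issue_cert otherca wrongca    acs01.lab.example serverAuth   # signed by a CA the client does not trust
issue_cert rootca  clientonly acs01.lab.example clientAuth   # trusted CA, wrong template

for c in acs wrongca clientonly; do
    if usable_as_tls_server rootca "$c"; then r="accepted"
    elif chains_to rootca "$c";        then r="chains, but no serverAuth EKU"
    else                                    r="rejected, not issued by the trusted root"
    fi
    printf '%-11s CN=%s  -> %s\n' "$c" "$(subject_cn "$c")" "$r"
done
```

The same three commands work on the real files: `openssl verify -purpose sslserver -CAfile root.pem acs.pem`, with root.pem being the CA certificate downloaded from certsrv and acs.pem the certificate bound on ACS. openssl reads PEM (Base64) by default and DER with `-inform DER`, so the encoding question from the thread can be checked the same way. The third certificate in the example chains correctly but still fails the server-purpose check, which is why a certificate that "looks fine" in the CA console can still be rejected by a client that insists on the Server Authentication EKU.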

New Member

I'll give those a try. Thanks for your help Sandeep.

New Member

Thanks again Sandeep, the disabling of the server validation helped me track down the problem, which turned out to be an issue with our root CA. This has since been resolved and the certificates are now working.

New Member

What was the issue with root CA and how did it get resolved? I am seeing similar issue with PEAP and getting same error.

New Member

Hi.

It turns out that the certificate creation was not correct. I re-created the certificates and this resolved the problem.

Please let me know if you need further help.
