EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake
Hi All ,
I am trying to test EAP_TLS authentication on acs 4.2.1.15 running on Appliance 1120 , I have installed my server certficate along with CA certficate on my appliance box , I have enabled features of EAP_TLS under golbal authentication setup .
I have downloaded client supplicant certficate file for my windows XP machine .
When i tried to authenticated i am finding following error message under failed attempts(EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake) on my acs appliance box .
Under certficate revocation list , I have forced my CA as CRL in use . Attached snap shot of all .
Suggest me whether i need to enable all corresponding CA certficate undercertficate trust list , Kindly let me know were i am doing wrong on this ..
Hello,
I am NO expert on certificates but I have seen your error dozens of times from wireless clients on my Cisco ACS 4.2 Radius server.
Through trial and error I wrote up this procedure for our Helpdesk for installing certs in Windows XP and Windows 7. These steps haven't failed me yet and the Helpdesk doesn't bother me as much anymore so see if this helps you:
- Manually install the Global CA under BOTH Trusted Root Certification Authorities\Certificates AND Intermediate Certification Authorities\Certificates
- Manually install the Intermediate CA under JUST the Intermediate Certification Authorities\Certificates
- Delete the wireless network from the computer
- REBOOT!!
- Open the Microsoft Management Console, “mmc”.
- Go FILE\Add Remove SnapIn. Select Certificates ..
- If promoted, do it for “My User Account”.
- Make sure the certificates are where you put them.
- If you see any of these exact certificates out of place in either Trusted Root Certification Authorities\Certificates or Intermediate Certification Authorities\Certificates, remove them.
- Redo wireless network setup again
I hope this helps you.
Mike
Similar Messages
-
EAP-TLS or PEAP authentication failed during SSL handshake error
I have 2 Windows 2003 ACS 3.2 servers. I am in the process of upgrading them to ACS 4.0. I am using them for WPA2/PEAP wireless authentication in a WDS environment. I recently upgraded one to ACS 4.0 and ever since that time some (not all) of my Windows XP clients have started to not be authenticated and logging the error "EAP-TLS or PEAP authentication failed during SSL handshake" on the ACS 4.0 server. During the upgrade (which was successful) I did change the Certificate since the current one was going to expire November 2007.
The clients that do not authenticate on the ACS 4.0 server I can point to the ACS 3.2 server and they successfully authenticate there. I am able to resolve the issue by recreating the Windows XP PEAP profile for the wireless network and by getting a new client Cert. But, I have a couple of questions:
Is the "EAP-TLS or PEAP authentication failed during SSL handshake" error due to the upgrade to ACS 4.0 or to the fact that I changed the Certificate, or both?
Can this error ("EAP-TLS or PEAP authentication failed during SSL handshake") be resolved without me touching every Windows XP client (we have over 250+)?
Thanks for the helpMy experience suggests that the problem is the certificate.
I'm running ACS 3.3.
I received the same error message when my clients copied the certificate to the wrong location, or otherwise did not correctly follow the provided instructions.
Correctly following the instructions led to a successful connection and no more error message. -
EAP-TLS or PEAP authentication failed during SSL handshake
Hi Pros,
I am a newbie in the ACS 4.2 and EAP-TLS implementation, with that being said. I face an issue during a EAP-TLS implementation. My search shows that this kind of error message is already certificate issue;However, I have deleted and recreated the certificate in both ACS and the client with the same result. I have deleted and re-install the certchain as well.
When I check my log in the failed attemps, there is what I found:
Date
Time
Message-Type
User-Name
Group-Name
Caller-ID
Network Access Profile Name
Authen-Failure-Code
Author-Failure-Code
Author-Data
NAS-Port
NAS-IP-Address
Filter Information
PEAP/EAP-FAST-Clear-Name
EAP Type
EAP Type Name
Reason
Access Device
Network Device Group
06/23/2010
17:39:51
Authen failed
000e.9b6e.e834
Default Group
000e.9b6e.e834
(Default)
EAP-TLS or PEAP authentication failed during SSL handshake
1101
10.111.22.24
25
MS-PEAP
wbr-1121-zozo-test
Office Networ
06/23/2010
17:39:50
Authen failed
[email protected]
Default Group
000e.9b6e.e834
(Default)
EAP-TLS or PEAP authentication failed during SSL handshake
1098
10.111.22.24
25
MS-PEAP
wbr-1121-zozo-test
Office Network
[email protected] = my windows active directory name
1. Why under EAP-TYPE it shows MS-PEAP not EAP-TLS? I did configure EAP-TLS....
2. Why sometimes it just shows the MAC of the client for username?
3. Why it puts me in DEFAULT-GROUP even though i belongs to a group well definy in the acs?
2. Secondly, When I check in pass authentications... there is what i saw
Date
Time
Message-Type
User-Name
Group-Name
Caller-ID
NAS-Port
NAS-IP-Address
Network Access Profile Name
Shared RAC
Downloadable ACL
System-Posture-Token
Application-Posture-Token
Reason
EAP Type
EAP Type Name
PEAP/EAP-FAST-Clear-Name
Access Device
Network Device Group
06/23/2010
17:30:49
Authen OK
groszozo
NOC Tier 2
10.11.10.105
1
10.111.22.24
(Default)
wbr-1121-zozo-test
Office Network
06/23/2010
17:29:27
Authen OK
groszozo
NOC Tier 2
10.11.10.105
1
10.111.22.24
(Default)
wbr-1121-zozo-test
Office Network
In the output below, it says that the user is authenticate and it puts the user in the right group with the right username, but the user never really authenticate. Maybe for the first few seconds when I initiate the connection.
Before I forget, the suppliant is using WIN XP and 802.1x is enable. I even uncheck not verify the server and the ACS under External User Databases, I did check ENABLE EAP-TLS machine authentication.
Thanks in advance for your help,
Crazy---Any ideas on this guys?? In my end, i've been reading some docs... Things started to make sens to me, but I still cannot authenticate, still the same errors. One more thing that catch my attention now is the time it takes to open a telnet session to cisco device which has the ACS for auth server.
My AD(Active Direct) and the ACS server are local same subnet(server subnet). Ping to the ACS from my desktop which is in different subnet is only take 1ms. To confirm that the issue is the ACS server, I decided to use another server in remote location, the telnet connection is way faster than the local ACS.
Let's brain storm together to figure out this guys.
Thanks in advance,
----Paul -
EAP-TLS & ACE Appliance "EAP-TLS or PEAP authentication failed"
Hello - I have a version 3.2 of the ACS appliance and I am trying to set up a successful test of EAP-TLS. I have a W2K server for a CA and I believe I have the certificate install properly. However, I get the "EAP-TLS or PEAP authentication failed during SSL handshake" error message in my failed attempts log. The troubleshooting document tells me to look at the CSAuth.log file but I can't seem to find in on the ACS Appliance.
Does anyone have any ideas how to troubleshoot this problem with the appliance?If the client's certificate on the ACS is invalid (which depends on the certificate's valid "from" and "to" dates, the server's date and time settings, and CA trust), then the server will reject it and authentication will fail. The ACS will log the failed authentication in the web interface under Reports and Activity > Failed Attempts > Failed Attempts XXX.csv with the Authentication Failure-Code similar to "EAP-TLS or PEAP authentication failed during SSL handshake." If the ACS rejects the client's certificate because the ACS does not trust the CA, the expected error message in the CSAuth.log file is similar to the following.
AUTH 06/04/2003 15:47:43 E 0345 1696 EAP: ProcessResponse:
SSL handshake failed, status = 3 (SSL alert fatal:unknown CA certificate)If the ACS rejects the client's certificate because the certificate has expired, the expected error message in the CSAuth.log file is similar to the following.
AUTH 06/04/2005 15:02:08 E 0345 1692 EAP: ProcessResponse:
SSL handshake failed, status = 3 (SSL alert fatal:certificate expired)
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml -
EAP-TLS or PEAP authentication failed during SSL handshake to the ACS serve
We are running the LWAPP (2006 wlc's and 1242 AP's) and using the ACS 4.0 for authentication. Our users are
experiencing an issue, where they are successfully authenticated the first time, however as the number of them is increasing, they're starting to drop the connections and being prompted to re-authenticate. At this point, they are not being able to authenticate again.
We're using PEAP for the authentication and Win XP SP2 clients as the supplicants. The error message that we are seeing on the ACS for that controller is "EAP-TLS or PEAP authentication failed during SSL handshake to the ACS server"...Not sure if this error msg is relevant since we have other WLC's that are working OK and still generating the same error msg on the ACS...
Thanks..Here are some configs you can try:
config advanced eap identity-request-timeout 120
config advanced eap identity-request-retries 20
config advanced eap request-timeout 120
config advanced eap request-retries 20
save config -
When attempting to burn an audio cd from my playlist, I get an error message that says, burn failed due to unknown error (4280). It has been working fine for months...any solutions?
I have the exact same problem.
Been searching through this site to try and find an answer but still not come up with anything.
The wierd thing is that a couple of days ago it was working fine, and suddenly overnight it's stopped working.
The only solution i've found is that you need to have administrator rights as it says in the posts on the site below:
http://www.emergingearth.com/itunes-7-cant-burn-cds/
Noticed by the diagnostic in your post that you dont have admin rights like me so that mite be the problem. Not sure if this is the right solution though.
Windows XP -
"Wireless association failed due to unknown reason"
I am running Vista home (manufacture installed on new laptop) and am trying to connect to internet through new router WRT150N. The network is created fine (my other laptop can access it) excellent signal etc, but I keep getting the message "Wireless association failed due to unknown reason". I have tried every different security setting including no security at all and still cannot connect. I am, however, able to connect to the router with a wired connection. I would prefer to not have to chuck this thing out the window but it is becoming increasingly likely.
Thanks for your help.hi there;
considering the scenario you've got on your network, that there are other wireless pc connecting to the router, then there is nothing wrong with the router itself. all the settings on it maybe correct. just to isolate the problem try to contact microsoft so as to clarify with them on securities and wireless settings of the vista laptop you've got there, so as you won't get frustrated thinking about your immediate problem.
i have a friend who uses the same brand and model # as yourself, and he does not have any issues with his win vista connecting to the router.
give microsoft a call, just to clarify things.
thanks. -
EAP TLS authentication failed during SSL handshake
We see this message, trying to set up EAP TLS. Anyone come across this ?
I had this message recently. The first issue I found was that the username entered into the laptop was not correct (I had djohnson, need to have DJohnson)
The second issue I had was that my AP's were not authenticating to my WDS access point. I had turned off LEAP on my ACS server by accident causing the WDS authentication to fail. Once I turned this back on, my AP's authenticated to my WDS device and my users authenticated to the AP's.
Otherwise, the meaning of this is that the certs are not matching up correctly with the server either due to expiered certs, incorrect cert type on the users machine or incorrect information in the cert.
Hope this helps. -
ISE 1.2 EAP-TLS and AD authentication
Hi,
I am sure I have had this working but Just cant get it to now.
So I have a Computer that has a Certificate on it with the SAN - princible name = to [email protected] This is an auo enroled Cert from my AD.
My Authentication profile says
IF the SSID (called-station) contianes eduroam and Princible name containes @mydomain.com then user a certification authentication profile. (see attachemnt below)
Then my authorization profile says
if active directoy group = "Domian computers" then allow access.
When my computer trys to join it passes the certificate test, but when it gets to the AD group is get the below.
24433 Looking up machine in Active Directory - [email protected]
24492 Machine authentication against Active Directory has failed
22059 The advanced option that is configured for process failure is used
22062 The 'Drop' advanced option is configured in case of a failed authentication request
But I know my machine is in AD? What do i need to do to get the PC to use EAP-TLS to authenicate and AD group to authorize?
CheersThis accepts all requsts to one SSID and then as you can see if it is EAP TLS uses Cert store (see below), other wise AH
This jsut says if AD Group = /user/domainComputer allow full access (simple rule) -
Hello,
I'm trying to do machine and user authentication using EAP-TLS and digital certificates. Machines have certificates where the Principal Username is SAN:DNS, user certificates (smartcards) use SAN:Other Name as the Principal Username.
In ISE, I can define multiple Certificate Authentication Profiles (CAP). For example CAP1 (Machine) - SAN:DNS, CAP2 (User) - SAN:Other Name
Problem is how do you specify ISE to check both in the Authentication Policy? The Identity Store Sequence only accepts one CAP, so if I created an authentication policy for Dot1x to check CAP1 -> AD -> Internal, it will match the machine cert, but fail on user cert.
Any way to resolve this?
Thanks,
SteveYou need to use the AnyConnect NAM supplicant on your windows machines, and use the feature called eap-chaining for that, windows own supplicant won't work.
an example (uses user/pass though, but same concept)
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf -
EAP-TLS Vista Machine Authentication to ACS integrated to non AD LDAP
Hello all,
I've been working on a scenario with ACS 4.2 (trial) for Proof of Concept to a customer of ACS's abilities.
His intended network plan is to use Vista Laptops doing Machine authentication only towards a ACS server integrated with a non-microsoft LDAP server. The mechanism of choice is EAP-TLS.
We've set up the PKI on the right places and it is all up. We do manage to get a user certificate on the PC, authenticate via ACS to the LDAP repository, and everything is good.
The problem that we are facing is when we want to move to do machine authentication, the behaviour is inconsistent. I'll explain:
When the first authentication is done, the EAP-Identity requests are always prepended with a "host/". What we see is that the CN of a certificate is TEST, and the Identity request appears as host/TEST. This is no problem to LDAP, as we can get rid of the "host/" part to do the user matching and in fact it does match. After TLS handshake (certificates are ok), ACS tries to check CSDB (the internal ACS db) and afterwards it will follow the unknown user policy and query LDAP.
All of this appears to be successful the first time.
If we disassociate the machine, the problems start. The accounting STOP message is never sent.
Any new authentication will fail with a message that CS user is invalid. The AUTH log shows that ACS will never try again to check LDAP, and invalidates the user right after CSDB check. In fact if we do see the reports for RADIUS, the authenticated user is host/TEST, but if we check the dynamic users, only TEST appears. Even disabling caching for dynamic users the problem remains.
Does anyone have an idea on how to proceed? If it was possible to handle the machine authentication without the "host/" part, that would be great, as it works.
My guess is that ACS is getting confused with the host/, as I'm seeing its AUTH logs and I do see some messages like UDB_HOST_DB_FAILURE, after UDB_USER_INVALID.
IF someone can give me a pointer on how to make this work, or if I'm hitting a bug in ACS.
Thanks
GustavoAssuming you're using the stock XP wifi client.
When running XPSP3, you need to set two things:
1) force one registry setting.
According to
http://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx#w2k3tr_wir_tools_uzps
You need to force usage of machine cert-store certificate:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
"AuthMode"=dword:00000002
2) add the ACS certificate signing CA to the specific SSID profile "trusted CA".
- show available wireless networks
- change advanced settings
- wireless networks tab
- select your SSID, and then hit the "properties" button
- select authentication tab, and then hit "properties" button
- search for your signing CA, and check the box.
I did with a not-so-simple autoIT script, using the "native wifi functions" addon.
Unfortunately I'm not allowed to share the script outside the company, but I'll be more than happy to review yours.
please cross reference to
https://supportforums.cisco.com/message/3280232
for a better description of the whole setup.
Ivan -
802.1x eap-tls machine + user authentication (wired)
Hi everybody,
right now we try to authenticate the machines and users which are plugged to our switches over 802.1X eap-tls. Works just fine with windows.
You plug a windows laptop to a switchport and machine authenticates over eap-tls with computer certificate. Now the user logsin and our RADIUS (Cisco ACS) authenticates the user as well, with the user certificate. After eap-tls user-authentication the RADIUS checks if the workstation on which the user is currently logged in is authenticated as well. If yes = success, if no the switchport will not allow any traffic.
Now we have to implement the same befaviour on our MacBooks Pro. Here the problems start. First of all I installed user and computer certificates issued by our CA (Win 2008 R2). So far so good. Now I have no idea how to implement the same chain of authentication. I was reading countless blogs, discussions, documentations etc. about how to create .mobileconfig profiles. Right now im able to authenticate the machine, and _only_ if I login. As soon as I logout eap-tls stops to work. It seems that loginwindow does not know how to authenticate.
1) how do I tell Mavericks to authenticate with computer certificate while no user is loged in ? already tried profiles with
<key>SetupModes</key>
<array>
<string>System</string>
<string>Loginwindow</string>
</array>
<key>PayloadScope</key>
<string>System</string>
but it does not work
2) How do I tell Mavericks to reauthenticate with user certificate when user logs in ?
ThanksUnfortunatelly this documents do not describe how to do what I want.
I already have an working 802.1x. But the mac only authenticates when the user is loged in. I have to say that even this does not work like it should. If Im loged in sometimes i need to click on "Connect" under networksettings and sometimes it connects just automatically. Thats really strange.
I set the eapolclient to debugging mode and see following in /var/log/system.log when I logout.
Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
this are only debugging messages I get. Looks to me like eapolclient is not able to find a certificate (?)
The certificates are in my System keychain.
Unfortunatelly apple also changed the loging behaviour of eapolclient, I dont see any eapolclient.*.log under /var/log
Any ideas ? -
Eap-tls wireless machine authentication without AD
Hi all,
I'm having problems getting EAP-TLS to work when a client machine needs to connect to a WLAN (before logon)
I can make the user get a cert from my CA, login as local & connect to WLAN through EAP-TLS without any problem.
With admin account I can get windows to put user's cert into the machine store (Machine Account Personal Certificate Store),
but when it comes to a login attempt the RADIUS UserName lookS like "host/username" instead of "username" as user authenticate.
My question is that do I need to configure an Identity Store (like AD) for machine authentication on ACS or I can make use of the configuration as for user previously (on ACS for user authentication, the Identity Store is Certificate Authentication Profile --> Certificate CN value)
Clients are WinXPSP3, and I'm using CiscoACS 5.2, MS Certificate Services CA, WLC 4402, LAP 1252
Note: in my case, each user will have their own laptop so it's best if the machine is authenticated under user's name.
Thanks for your help,Assuming you're using the stock XP wifi client.
When running XPSP3, you need to set two things:
1) force one registry setting.
According to
http://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx#w2k3tr_wir_tools_uzps
You need to force usage of machine cert-store certificate:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
"AuthMode"=dword:00000002
2) add the ACS certificate signing CA to the specific SSID profile "trusted CA".
- show available wireless networks
- change advanced settings
- wireless networks tab
- select your SSID, and then hit the "properties" button
- select authentication tab, and then hit "properties" button
- search for your signing CA, and check the box.
I did with a not-so-simple autoIT script, using the "native wifi functions" addon.
Unfortunately I'm not allowed to share the script outside the company, but I'll be more than happy to review yours.
please cross reference to
https://supportforums.cisco.com/message/3280232
for a better description of the whole setup.
Ivan -
EAP-TLS and PEAP/MSCHAPv2 on non-domain equipment
I'm not entirely sure this is the correct forum so I apologize. I'm merely having trouble finding the Network Policy Services forum. In short, I could use some answers to the following questions:
Is it possible to do EAP-TLS Machine authentication with non-domain machines? Would this require 8.1's "Workplace Join" scenario?
Can I do EAP-TLS User Authentication on non-domain machines?
Is it possible to use a different RADIUS realm name than the internal domain structure? Something easier for the users to type and remember? Can I do that with NPS configured in Proxy mode?Hi,
Based on my experience,
EAP-TLS is only available for members of a domain.
For non-domain member computers, the certificate must be manually imported into the certificate store or obtained by using the Web enrollment tool.
You can specify a realm name and user name syntax in the
Connection Manager profile so that the user only has to specify the user account name when typing their credentials during network connection attempts.
In addition, you can also deploy NPS as a
RADIUS proxy on your network.
More detailed information, please refer to the following links:
EAP
http://technet.microsoft.com/en-us/library/cc757996(v=WS.10).aspx
Certificates and NPS
http://technet.microsoft.com/en-us/library/cc772401(v=ws.10).aspx
Realm names
http://technet.microsoft.com/en-us/library/cc731342(v=WS.10).aspx
Planning NPS as a RADIUS proxy
http://technet.microsoft.com/en-us/library/dd197525(v=WS.10).aspx
Best regards,
Susie Long -
EAP-TLS Authentication failure happening in ACS for Wireless End User Authentication
Hi All,
We have the Win 3.2 ACS setup in the production environment, We are migrating it with 4.2 Appliance version. We have succesfully migrated the database and other stuffs from 3.2 to 4.2. Same way we have exported the certificates from 3.2 to 4.2 and installed it.
We have the leap as well as eap-tls in the authentication part.
We were able to test successfully with the leap. But when it comes to eap-tls. In 4.2 version its throwing the error.
5/3/2011
23:16:38
Authen failed
[email protected]
EAP-TLS users
0023.1413.de18
(Default)
EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake
21356
10.121.198.38
13
EAP-TLS
ap-1242b4
Bangalore APs
We have used the same certficate exported and installed in the 4.2 version. But its working in the existing 3.2 version and why it is not working with the 4.2 version.
Could anyone help me out in this?
Regards
KarthikHi,
Looks like the CA Cert is not installed on the ACS.
The following link will help you install the CA cert.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCAuth.html#wp327056
Also trust the CA certificate in the Edit trust list list.
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
Maybe you are looking for
-
The mother of all cd rippings - which program and settings to use?
Hi, having collected more than 800 cd's within the family over the years we would like to rip them once-and-for-all on a dedicated computer. Since it's a lot of work it would be nice to get it right the first time... - Apple - Windows hardware? - doe
-
Can't complete a clean installation of WIN 7 PRO on an Acer Aspire 4738
Hello, If any one could help me with this problem i would really appreciate it. I have an Acer Aspire 4738-6888 (icore 5, 3GB RAM, 500GB HD), it was running win 7 ultimate 32 bits but started working erratically so i decided to perform a clean instal
-
BDC-How to get the value of the screen field
Hi All, I am facing a problem while writing the BDC code for the XK02 transaction. Recording: We have recorded like this :after giving the values in the initial screen(vendor no and purchase group and selecting the purchasing data check box) and ente
-
How to find global index in partition table
Hi guys , need one help How to find global index on partition table How to find local index on partition table Need query Thanks in advance Edited by: nav on Feb 17, 2012 6:51 AM
-
Iphoto for Mountain lion?
Hey guys, this macbook owner has ML on it and doesn't want to upgrade to Mavericks, the iphoto on his mac doesn't open anymore showing error: "iphoto cannot be opened becuase of a problem" we tried purchasing iphoto from Apple yesterday but it is sho