https://community.cisco.com/t5/wireless/certificate-problem-with-eap-tls-peap-authentication/m-p/399294#M11278 <P>Hello,</P><P></P><P>I am having an issue getting EAP-TLS/PEAP (EAP-GTC) authentication to work. I am using a MS Server 2003, Standard Ed. server for my CA and a separate MS Server 2003, SE for my ACS server. I have completed all configuration steps outlined by Cisco and MS, but the server-side certificate doesn't seem to be right.</P><P></P><P>When I go to the CA's web site from my ACS box, I select Request Certificate -&gt; Advanced Certificate Request -&gt; Create and submit a request to this CA.</P><P></P><P>Under Certificate Template, I select Web Server. Once I do this, the 'Mark keys as exportable' option box is greyed out, which prevents me assigning the private key to the certificate. If I continue, generate, and install the certificate as is, the statement 'You have a private key that corresponds to this certificate' does not appear in the General section of the certificate properties. The client-side certificate installs with all prerequisites met, including the above statement.</P><P></P><P>I try to authenticate with the client and receive the familiar 'EAP-TLS or PEAP authentication failed during SSL handshake' error, which tells me I still have a certificate problem.</P><P></P><P>I appreciate any assistance with this matter.</P> Sun, 04 Jul 2021 17:38:49 GMT depwanguy 2021-07-04T17:38:49Z https://community.cisco.com/t5/wireless/certificate-problem-with-eap-tls-peap-authentication/m-p/399294#M11278 <P>Hello,</P><P></P><P>I am having an issue getting EAP-TLS/PEAP (EAP-GTC) authentication to work. I am using a MS Server 2003, Standard Ed. server for my CA and a separate MS Server 2003, SE for my ACS server. I have completed all configuration steps outlined by Cisco and MS, but the server-side certificate doesn't seem to be right.</P><P></P><P>When I go to the CA's web site from my ACS box, I select Request Certificate -&gt; Advanced Certificate Request -&gt; Create and submit a request to this CA.</P><P></P><P>Under Certificate Template, I select Web Server. Once I do this, the 'Mark keys as exportable' option box is greyed out, which prevents me assigning the private key to the certificate. If I continue, generate, and install the certificate as is, the statement 'You have a private key that corresponds to this certificate' does not appear in the General section of the certificate properties. The client-side certificate installs with all prerequisites met, including the above statement.</P><P></P><P>I try to authenticate with the client and receive the familiar 'EAP-TLS or PEAP authentication failed during SSL handshake' error, which tells me I still have a certificate problem.</P><P></P><P>I appreciate any assistance with this matter.</P> Sun, 04 Jul 2021 17:38:49 GMT https://community.cisco.com/t5/wireless/certificate-problem-with-eap-tls-peap-authentication/m-p/399294#M11278 depwanguy 2021-07-04T17:38:49Z https://community.cisco.com/t5/wireless/certificate-problem-with-eap-tls-peap-authentication/m-p/399295#M11279 <HTML><HEAD></HEAD><BODY><P>Microsoft has changed the Web Server template with the release of the Windows 2003 Enterprise CA so that keys are no longer exportable and the option will be greyed out.</P><P></P><P>We will have to create a new template that does so. Here are the steps:</P><P>1. Start &gt; Run &gt; certmpl.msc</P><P>2. Right-click Web Server template and choose Duplicate Template</P><P>3. Name the template something easy to identify like ACS.</P><P>4. Go to the Request Handling tab and check Allow private key to be exported.</P><P>5. Click on the CSPs button and check Microsoft Base Cryptographic Provider v1.0 and</P><P>click OK.</P><P>6. All other options can be left at default.</P><P>7. Click Apply and OK.</P><P>8. Open the CA MMC snap-in.</P><P>9. Right-click Certificate Templates and choose New &gt; Certificate Template to Issue.</P><P>10. Choose the new template you created and click OK.</P><P>11. Restart the CA.</P><P>The new template will be included in the Certificate Template dropdown.</P><P></P></BODY></HTML> Mon, 11 Apr 2005 17:52:49 GMT https://community.cisco.com/t5/wireless/certificate-problem-with-eap-tls-peap-authentication/m-p/399295#M11279 mchin345 2005-04-11T17:52:49Z https://community.cisco.com/t5/wireless/certificate-problem-with-eap-tls-peap-authentication/m-p/399296#M11280 <HTML><HEAD></HEAD><BODY><P>Mary,</P><P></P><P>Thanks so much for the info. I made the modifications, but now I get an error which I have attached. Is there something else I need to do? Again, thank you!</P><P></P><P>Brian</P><P></P><P> </P><P></P></BODY></HTML> Tue, 12 Apr 2005 12:22:19 GMT https://community.cisco.com/t5/wireless/certificate-problem-with-eap-tls-peap-authentication/m-p/399296#M11280 depwanguy 2005-04-12T12:22:19Z https://community.cisco.com/t5/wireless/certificate-problem-with-eap-tls-peap-authentication/m-p/399297#M11281 <HTML><HEAD></HEAD><BODY><P>Are you using Win2K as your AD Domain controller? If so the setup you have will not work. You'll have to load the CA server on a Win2K Server to make it work.</P></BODY></HTML> Tue, 14 Jun 2005 15:45:31 GMT https://community.cisco.com/t5/wireless/certificate-problem-with-eap-tls-peap-authentication/m-p/399297#M11281 coxendine 2005-06-14T15:45:31Z