topic Re: handshake SSL !!! in Wireless

handshake SSL !!!

benjamin.heron — Sun, 04 Jul 2021 20:06:19 GMT

Hi,

I currently deploy a Wireless Unified Infrastructure based on Airespace Technology.

I provided a diagram in enclosure.

I want to use the eap-peap authentication, based on Windows Logon/Password.

My Wireless Client will use an Intel Wireless Adapter (Intel Pro/Wireless 2200BG) with Intel ProSet/Wireless Supplicant (v. 10.5.0.0).

I am going to use ACS Cisco Server to authenticate and authorize my clients.

I followed the documentation on ACS to use PEAP, but i have an issue in the log "Failed Attempts" :

--> "EAP-TLS or PEAP authentication failed during SSL handshake"

in the logs "CSAuth" :

--> EAP: PEAP: ProcessResponse: SSL handshake failed, status = 3 (SSL recv alert fatal:bad certificate)

Apparently, it's a certificate's problem.

However, I installed a certificate while using Generate Self-Signed Certificate on ACS, and I check it on "Certificate Trust List".

On the other hand, i don't now what CRL Distribution URL I must put on "Certificate Revocation List".

Could you help me, please ?

Thanks,

Ben

ps:sorry for my english, i am french

Re: handshake SSL !!!

pradeepde — Wed, 20 Sep 2006 13:37:01 GMT

One of the reasons might be does not have an "extKeyUsage" extension of "serverAuth" (OID = 1.3.6.1.5.5.7.3.1). This extension is considered a standard for SSL servers, and is quite likely the reason for the certificate being rejected by the client.If you use openssl manually, then you would create a file (let's call it "xpextensions") with the following contents,

[xpclient_ext], extendedKeyUsage = 1.3.6.1.5.5.7.3.2 [xpserver_ext],extendedKeyUsage = 1.3.6.1.5.5.7.3.1 and you would include the following command-line arguments for openssl when creating the certificate:"-extensions xpserver_ext -extfile ./xpextensions"

Re: handshake SSL !!!

segopala — Sat, 30 Sep 2006 19:29:28 GMT

Hi ,

Just confirming do you have user cert on the laptop

can you get aa debgs/logs from ACS and controller

- Seema

Re: handshake SSL !!!

dsidley — Sun, 01 Oct 2006 14:19:21 GMT

Did you install the ACS certificate on the client ???

PEAP doesn't require client side certificates but the client must be able to "trust' the ACS server.

Re: handshake SSL !!!

jasjsingh — Wed, 04 Oct 2006 04:24:56 GMT

To check your setup , install self sign certificate on the ACS and uncheck the " Validate server certificate" option on your laptop ( under Windows Zero config ).

Re: handshake SSL !!!

robsimkins — Thu, 12 Oct 2006 07:44:50 GMT

Does anyone know how to get the user a certificate to trust the ACS? (So that the "Validate server certificate" can be checked)

TIA

Rob