Certificate Unknown during TLS handshake

nathan-loisel
Level 1

Hello everyone,

I'm setting up a RADSEC connection between our Cisco Catalyst 9800 WLC and a RadiusAAS service, but I'm hitting a "Certificate Unknown (46)" error during the handshake:

[Screenshot: Untitled 4.png]

On the Cisco side, the only error I’m seeing is: “RADSEC server identity check failed with server XXX.”

For certificate management, I’m using XCA to create a self-signed CA and generate individual certificates for each endpoint:

[Screenshot: Untitled 5.png]

RadiusAAS: I verified that the correct certificate is being sent by exporting it from a packet capture; it includes both the CA and the server certificate:

[Screenshot: Untitled 6.png]

Cisco WLC: I created a Trustpoint, authenticated it with the CA certificate, then generated a CSR that I signed with this CA. I imported the signed certificate back into the WLC (this is the radsec-vm cert shown in the XCA screenshot). Here are my Radius and Trustpoint configurations:

[Screenshot: Untitled 1.png]

And finally, here are the certificates associated with my trustpoint:

[Screenshot: Untitled 7.png]

I've assigned both endpoint certificates the Client and Server Authentication EKUs.

Do you have any idea what could be wrong with my setup?

3 Replies

@nathan-loisel 

> "Cisco WLC: I created a Trustpoint, authenticated it with the CA certificate, then generated a CSR that I signed with this CA. I imported the signed certificate back into the WLC (this is the radsec-vm cert shown in the XCA screenshot). Here are my Radius and Trustpoint configurations:"

You did not explicitly mention it: did you also import the certificate into the RADIUS server? The one you created from the WLC CSR?

Cristian Matei
VIP Alumni

Hi,

Sometimes, the error messages are not really intuitive; can you set "revocation-check none" under Trustpoint and test again?

Best,

Cristian.

From the error message it seems that the WLC is not trusting the RADIUS server certificate. I agree with @Cristian Matei, probably the issue here is that the WLC is not able to check the validity of the certificate presented by the RADIUS server through CRL and this is why it is returning the unknown certificate error.