
ACS 5.5 Radius Authentication Failure with WLC 5508 and AD 2012

Bernard Lara
Level 1

Hi,

 

I need help on these errors.

 

Here is my setup: WLC 5508 7.6.130.0 -> ACS 5.5.0.46 -> AD 2012

 

I am getting (2) errors in ACS 5.5

 

12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain

22044 Identity policy result is configured for certificate based authentication methods but received password based

 

Already installed the CA cert and local cert in ACS and also in client PC.

 

Please see screenshots

 

 

1 Accepted Solution

Accepted Solutions

Ok, in this case:

1. You will need to configure the Windows supplicant properly before this can work. You will need to define the type of authentication and the CA certificate to be trusted. If the CA certificate is not available in the list of Certificates, then you will need to import it.

2. If you are doing PEAP then your Identity Store should be Active Directory and not Certificate Authentication Profile. The Certificate Authentication Profile is used for certificate based (EAP-TLS) authentications. 

 

Thank you for rating helpful posts!
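
For the "unknown CA in the ... certificates chain" error (12514) discussed in this thread, one way to check offline whether a certificate actually chains to the CA file that was imported. This is an added example, not part of the original posts: the CA and client names are constructed for the demo, `chain_status`, `make_ca` and `make_client` are hypothetical helper names, and it assumes the `openssl` CLI is installed.

```bash
#!/usr/bin/env bash
# Constructed demo: every name, subject and file below is made up for illustration.
set -u

# chain_status CA_FILE CERT_FILE -> prints "trusted" if CERT_FILE chains to CA_FILE,
# otherwise "unknown-ca" (openssl verify fails to find the issuer).
chain_status() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo "trusted"
    else
        echo "unknown-ca"
    fi
}

# make_ca DIR NAME: create a self-signed root CA (NAME.key / NAME.pem) for the demo.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_client DIR CA_NAME CLIENT_NAME: issue a client certificate signed by CA_NAME.
make_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null
}

demo() {
    local d
    d=$(mktemp -d)
    make_ca "$d" corp-root      # stands in for the CA imported into the trust list
    make_ca "$d" other-root     # unrelated CA that was never imported
    make_client "$d" corp-root  laptop-good
    make_client "$d" other-root laptop-bad
    echo "laptop-good: $(chain_status "$d/corp-root.pem" "$d/laptop-good.pem")"
    echo "laptop-bad:  $(chain_status "$d/corp-root.pem" "$d/laptop-bad.pem")"
    rm -rf "$d"
}

demo
```

The same `chain_status` check works in either direction: an exported client certificate against the CA file given to the RADIUS server, or the RADIUS server certificate against the root CA the supplicant is told to trust.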


3 Replies 3

nspasov
Cisco Employee

Can you attach some screenshots of the supplicant configurations? It looks like you have two issues:

1. Your supplicant is attempting to perform password-based (most likely PEAP) authentication while your RADIUS server is set to perform certificate-based (EAP-TLS) authentication.

2. The authenticating client is not trusting the root CA that issued/signed the RADIUS certificate.

 

Thank you for rating helpful posts!


Hi Neno,

 

I have not created any wireless profile, so from Windows 7 it is authenticating with PEAP-MSCHAPv2.

 

 
