11-11-2010 05:11 PM - edited 03-10-2019 05:34 PM
I have ACS 4.2 124.12 cumulative patches installed. I have enabled EAP-FAST in ACS. The CA is selected in the trusted list. When I try to authenticate with the ACS I get a rejection. Wireshark shows in the challenge that this is an 'unsupported certificate'.
In the AUTH.log I get the following where the failure occurs:
AUTH 11/04/2010 12:01:44 I 0000 46564 0x95 CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read client certificate B
AUTH 11/04/2010 12:01:44 I 2009 46564 0x95 EAP: EAP-FAST: Handshake failed
AUTH 11/04/2010 12:01:44 E 2255 46564 0x95 EAP: EAP-FAST: ProcessResponse: SSL send alert fatal:unsupported certificate
AUTH 11/04/2010 12:01:44 E 2258 46564 0x95 EAP: EAP-FAST: ProcessResponse: SSL ext error reason: b2 (Ext error code = 0)
AUTH 11/04/2010 12:01:44 E 2297 46564 0x95 EAP: EAP-FAST: ProcessResponse(1519): mapped SSL error code (3) to -2120
The certificate template is IPSec (Offline request) (IPSECIntermediateOffline). Is there some configuration that I am not aware of?
Andy
11-11-2010 05:25 PM
As it is reporting an error on the client certificate, check the client cert; the client cert must
have the following: EKU = Client Authentication, KU = Digital Signature,
Key Encipherment and Data Encipherment.
11-11-2010 05:47 PM
This is from the certificate:
EKU = IP security IKE intermediate (1.3.6.1.5.5.8.2.2)
KU = Digital Signature, Key Encipherment (a0)
Do you know how to ensure that the EKU is Client Authentication and the KU is Digital Signature,
Key Encipherment and Data Encipherment? I don't see anything in the software that is generating the certReq about specifying the type of certificate that is needed.
Do you know how the Windows Server 2003 CA determines what certificate template to use when returning a certificate?
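One way to check a client certificate against the EKU/KU values the earlier reply says ACS expects, before loading it on a client, is to parse the text form of the certificate. This is an added example, not code from the thread; it assumes `openssl x509 -noout -text` output as input, and the two sample certificates below are constructed (the first mirrors the IPSec-template certificate described above, using the dotted OID from the thread).

```python
import re
import subprocess

# Values the reply above says an EAP-FAST client certificate must carry.
# Client Authentication is printed by openssl as "TLS Web Client Authentication";
# the dotted OID is accepted in case the tool prints it unnamed.
REQUIRED_EKU = {"TLS Web Client Authentication", "Client Authentication",
                "1.3.6.1.5.5.7.3.2"}
REQUIRED_KU = {"Digital Signature", "Key Encipherment", "Data Encipherment"}


def _extension_entries(text, header):
    """Return the comma-separated entries listed under one X509v3 extension header."""
    m = re.search(re.escape(header) + r":[^\n]*\n\s*([^\n]+)", text)
    if not m:
        return set()
    return {e.strip() for e in m.group(1).split(",") if e.strip()}


def check_cert_text(text):
    """Check openssl -text output; return (ok, dict of missing EKU/KU values)."""
    eku = _extension_entries(text, "X509v3 Extended Key Usage")
    ku = _extension_entries(text, "X509v3 Key Usage")
    missing = {}
    if not (eku & REQUIRED_EKU):
        missing["EKU"] = ["Client Authentication"]
    missing_ku = sorted(REQUIRED_KU - ku)
    if missing_ku:
        missing["KU"] = missing_ku
    return (not missing), missing


def check_cert_file(path):
    """Run openssl on a PEM/DER file and check the result (hypothetical helper)."""
    out = subprocess.run(["openssl", "x509", "-in", path, "-noout", "-text"],
                         check=True, capture_output=True, text=True).stdout
    return check_cert_text(out)


# Constructed sample: what the IPSec (Offline request) template produced.
IPSEC_CERT_TEXT = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                1.3.6.1.5.5.8.2.2
"""

# Constructed sample: a certificate that satisfies the stated requirements.
GOOD_CERT_TEXT = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
"""
```

Running `check_cert_file` on the certificate issued to the client reports exactly which of the required EKU/KU values the template left out.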
11-11-2010 06:30 PM
Check the
EKU : http://tinyurl.com/2dakmaw
KU = http://tinyurl.com/2aqjecq
On the below URL refer to the
04-11-2011 07:16 AM
Hi Anthony,
did you find any solution for this issue? I am now in exactly the same situation.
Thank you
Pavel
04-13-2011 09:35 AM
Pavel,
After working with Albert Sun and Igal Katz we found that IOS does not support EKU - extended Key Usage where types of certificate can be specified. So in the cert request, we won't specify any EKU. For EKU aware CA, like ACS or MS CA, it considers it as IPSEC certificate request.
There is an enhancement by the PKI team to add support for EKU (Enhanced Key Usage). Not sure of the official enhancement name (EKU for IOS). This enhancement has to be implemented before we can externally authenticate LSC certificates.
Andy