08-30-2011 06:41 AM - edited 03-10-2019 06:21 PM
I have a problem where wireless clients at a remote site cannot successfully authenticate through their WLC to my ACS 5.2 (Linux on VM). I have three sites where this authentication is functioning properly; at my fourth site the wireless clients fail with a PEAP error: "12321 PEAP failed SSL/TLS handshake because the client rejected the ACS local-certificate". My wireless clients are Win7 using WPA2-Enterprise security type with AES encryption. The authentication method is set to Microsoft PEAP (EAP-MSCHAP v2) and the 'Validate server certificate' is not checked. My wireless access rules on ACS 5.2 are working well at three sites. My ACS 5.2 has a self-signed certificate that doesn't expire until August 2012. A laptop that can successfully authenticate at other sites cannot authenticate at the fourth site.
Phase one of the PEAP process is where the client authenticates the server certificate and the TLS tunnel is created so that in phase two user authentication credentials are sent through the TLS tunnel using EAP. My clients do not seem to be able to create the TLS tunnel because they reject the ACS local certificate; thus, user credentials are never passed and authentication fails. I have renewed the ACS local certificate and rebooted the ACS server but the problem persists. My WLAN on the WLC has its security policy set to [WPA + WPA2][Auth(802.1X)]. WPA uses TKIP and WPA2 uses AES; Auth Key Mgmt is set to 802.1X. The remote site where authentication fails is a different domain; the other three sites are the same domain.
I can see the failed authentication attempts in my ACS "Monitoring and Reports | Reports | Catalog | AAA Protocol | RADIUS Authentication" report. They all fail with the same PEAP error: 12321 PEAP failed SSL/TLS handshake because the client rejected the ACS local-certificate. The ACS local certificate works fine at three sites, just not at the fourth. Is my problem the certificate or is it an 802.1X client problem? What should I focus on to resolve this?
08-31-2011 11:29 PM
Paul,
At the other sites are the ACS servers also configured with self-signed certs? Have you tried to test this with a Win XP client? You are on the right track and I don't know what could be causing this issue. One option to consider is to install the cert from the 4th ACS to the Win 7 trusted store and see if this authenticates the user even without the validate server cert option checked.
Also, the WLC at this 4th site, is it able to connect to the other ACS servers at the different sites? If so, can we temporarily point it to one of the other RADIUS servers and see if the failures still occur?
Thanks,
Tarik
09-01-2011 05:42 AM
Tarik,
I have just one ACS server at the central site. The three remote sites each have their own WLC. Each of the WLCs has successfully swapped shared secrets with the ACS server. I have not tried to authenticate using a WinXP laptop from the problematic fourth site. I will try to find an XP laptop and see what result I get.
You say I should try to install the cert to the Win7 trusted store. I can export the self-signed cert from my ACS, but I don’t see where in Win7 one would install such a cert. Can you tell me where to do this on a Win7 laptop?
Best regards,
Paul
05-28-2013 06:00 AM
Pavithra,
Yes, my problem was finally resolved, albeit in a different direction than expected. The resolution had to do with the case sensitivity of the SSID. At the three sites where wireless authentication worked I had control of the WLC. At the one site where wireless authentication did not work, I did not have control of the WLC. At this site the admin had the entire SSID in upper case, whereas I had just the first character of the SSID upper case. The wireless client's laptop had defined the wireless network correctly for all settings (WPA2 Enterprise with AES) except for the case of the SSID. The wireless client received the error message that it had declined the self-signed certificate. Apparently if you have all the wireless settings correct except for the case of the SSID itself, you will get this error message. I had the admin at the problem site edit his WLC definition of the WLAN to have just the first character of the SSID upper case. Subsequently, wireless access functioned properly.
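The thread shows that the 12321 "client rejected the ACS local-certificate" message can be a symptom of a wireless profile mismatch (here, the case of the SSID) rather than a certificate problem. The script below is an added example, not Cisco's code and not part of this thread: it groups constructed ACS RADIUS Authentication report rows by the WLC they came from, counts the 12321 rejections per site, and compares the SSID each WLC reports against the SSID configured in the clients' Windows 7 profile using an exact (case-sensitive) comparison. The row layout, the site map, and the assumption that the SSID can be read from the Called-Station-ID attribute as "<AP MAC>:<SSID>" are all constructed for this example.

```python
"""Triage ACS RADIUS authentication failures per site and check SSID case.

Added example (not Cisco's code, not from the thread). The report rows imitate
the columns of the ACS 5.x "RADIUS Authentication" report; the exact export
layout is assumed. The SSID is read from Called-Station-ID, assumed here to be
sent by the WLC as "<AP MAC>:<SSID>".
"""

PEAP_CERT_REJECT_CODE = "12321"
# SSID exactly as typed in the Win7 wireless profile (constructed).
CLIENT_PROFILE_SSID = "Corp"

# Constructed: WLC (NAS) IP -> site name.
SITES = {
    "10.1.1.5": "site1",
    "10.2.1.5": "site2",
    "10.3.1.5": "site3",
    "10.4.1.5": "site4",
}

# Constructed rows: (status, user, nas_ip, called_station_id, failure_reason).
# Site 4's WLC has the SSID in upper case; the other sites use "Corp".
ACS_REPORT = [
    ("Pass", "alice", "10.1.1.5", "00-11-22-33-44-01:Corp", ""),
    ("Pass", "bob",   "10.2.1.5", "00-11-22-33-44-02:Corp", ""),
    ("Pass", "carol", "10.3.1.5", "00-11-22-33-44-03:Corp", ""),
    ("Fail", "alice", "10.4.1.5", "00-11-22-33-44-04:CORP",
     "12321 PEAP failed SSL/TLS handshake because the client rejected the ACS local-certificate"),
    ("Fail", "dave",  "10.4.1.5", "00-11-22-33-44-04:CORP",
     "12321 PEAP failed SSL/TLS handshake because the client rejected the ACS local-certificate"),
    # Placeholder code 00000: an unrelated failure (constructed, not a real ACS code).
    ("Fail", "erin",  "10.2.1.5", "00-11-22-33-44-02:Corp",
     "00000 user entered the wrong password (constructed placeholder)"),
]


def ssid_from_called_station_id(csid):
    """Return the SSID part of an assumed "<AP MAC>:<SSID>" Called-Station-ID."""
    _mac, sep, ssid = csid.partition(":")
    return ssid if sep else ""


def failure_code(reason):
    """Return the leading numeric ACS message code of a failure reason, or ""."""
    head = reason.split(" ", 1)[0]
    return head if head.isdigit() else ""


def classify_ssid(client_ssid, wlc_ssid):
    """Exact comparison first: SSIDs are case-sensitive, so "Corp" != "CORP"."""
    if client_ssid == wlc_ssid:
        return "match"
    if client_ssid.casefold() == wlc_ssid.casefold():
        return "case-only mismatch"
    return "mismatch"


def triage(rows, sites, client_ssid):
    """Per site: attempts, 12321 rejections, and the SSID check per WLC SSID seen."""
    result = {}
    for status, _user, nas_ip, csid, reason in rows:
        site = sites.get(nas_ip, nas_ip)
        entry = result.setdefault(
            site, {"attempts": 0, "peap_cert_rejects": 0, "wlc_ssids": set()})
        entry["attempts"] += 1
        entry["wlc_ssids"].add(ssid_from_called_station_id(csid))
        if status == "Fail" and failure_code(reason) == PEAP_CERT_REJECT_CODE:
            entry["peap_cert_rejects"] += 1
    for entry in result.values():
        entry["ssid_check"] = {
            s: classify_ssid(client_ssid, s) for s in entry["wlc_ssids"]}
    return result


def suspect_sites(report):
    """Sites where every attempt is a 12321 rejection and the SSID differs only in case."""
    return sorted(
        site for site, e in report.items()
        if e["peap_cert_rejects"] > 0
        and e["peap_cert_rejects"] == e["attempts"]
        and any(v == "case-only mismatch" for v in e["ssid_check"].values())
    )


if __name__ == "__main__":
    rep = triage(ACS_REPORT, SITES, CLIENT_PROFILE_SSID)
    for site in sorted(rep):
        e = rep[site]
        print(f"{site}: {e['peap_cert_rejects']}/{e['attempts']} 12321 rejections, "
              f"SSID check {e['ssid_check']}")
    print("sites to check for SSID case mismatch:", suspect_sites(rep))
```

Running it on the constructed rows flags only site4, where both attempts are 12321 rejections and the WLC's SSID matches the client profile only after case folding; site2's single failure has a different code and its SSID matches exactly, so it is not reported as a certificate-symptom site.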
05-27-2013 10:39 PM
Hi Paul,
Did you get this fixed? I am having the same issue with a Windows 7 laptop getting the ACS cert rejected message on ACS 5.3. It works at one site and does not work at the other.