WLC to ACS v5 to AD - PEAP Handshake Failed

cisco_admin1
Level 3

Hi

I have a Cisco WLC talking to an ACS 4400 version 5.1, which in turn talks to Active Directory.

I've been trying to get 802.1X for wireless clients going. I have a Verisign cert on the ACS, but when users try to sign in they get "12309 PEAP handshake failed" in the ACS RADIUS log.

The cert was exported and placed directly on the testing laptop, and at one point it all worked. I stepped away from it for 2 weeks to get a new internal CA built on a Windows box. Now, coming back to it with the intent of issuing new certs to the ACS from the internal CA, I thought I would check it to make sure all was good, but it's not.

Google doesn't return happy results for "12309 PEAP handshake failed". I opened a TAC case on it and they took my cert to their lab. Haven't heard back. I was wondering if the netpro community had any ideas.

e-

7 Replies

jedubois
Cisco Employee

Eric,

Clients need to verify that they trust the certificate installed on ACS. Make sure you install the CA certificate from your internal CA onto your laptop. A good way to tell if this is the issue is to uncheck the "verify server certificate" checkbox on your client and see if it still fails.

--Jesse

Not applicable

Yeah, that's what I thought, and that's what TAC said too.

We removed "verify" on the supplicant and tested with the cert from the internal CA and the one from Verisign. Both reside on the laptop. In both cases a "12309 PEAP handshake failed" error shows up in the RADIUS log.

I'm lost as to the cause.

e-

jedubois
Cisco Employee

Are you authenticating a user or a machine when this error is seen?

--Jesse

Not applicable

It should be user.

The WLC defers to ACS for a user based on AD security group membership, and the supplicant (when the option is cleared) asks for a user name and password.

jedubois
Cisco Employee

Eric,

Try to authenticate to an internal ACS user and see if you have the same problem. If that works then you at least have it narrowed down to ACS/AD communication and can concentrate on that in the TAC case. Unfortunately I have not seen the exact error you are running into.

--Jesse

Any progress on this one? I am getting a similar error, but between my controllers and Cisco ISE (still using RADIUS).

Jaaazman777
Level 1

Hello!

We have a similar problem.

WLC uses ACS as a RADIUS server to authenticate AD users with PEAP/MSCHAPv2.

The ACS certificate is issued by GeoTrust.

After GeoTrust reissued its CRL, wifi users stopped being authenticated, with the error "12309 PEAP handshake failed" on the ACS.
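The two certificate checks this thread turns on, a supplicant confirming that the server certificate presented by ACS chains to a CA it trusts (Jesse's first reply) and a correctly chained certificate being rejected once its issuer's CRL changes (the GeoTrust case above), worked through as an added example. This is not code from the thread or from Cisco; it uses only the openssl command-line tool, and the CA names and the host name acs.example.internal are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. It builds a throwaway internal CA and a
# server certificate for a RADIUS server with the openssl CLI, then runs the
# two checks a PEAP supplicant applies to the server certificate it is shown:
# (1) does it chain to a CA the client trusts, (2) is it acceptable against
# the issuing CA's CRL. The CA names and acs.example.internal are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CA_KEY="$WORK/ca.key";     CA_CERT="$WORK/ca.pem"
OTHER_CA="$WORK/other.pem" # an unrelated CA that is not in the client's trust store
SRV_KEY="$WORK/acs.key";   SRV_CSR="$WORK/acs.csr";  SRV_CERT="$WORK/acs.pem"
CRL="$WORK/ca.crl"

# Self-contained openssl configuration so nothing depends on the system's
# openssl.cnf: the bookkeeping files 'openssl ca' requires, CA extensions,
# and the extensions that make the leaf a TLS server certificate (PEAP
# clients look for the serverAuth EKU and a name they can match).
write_config() {
    : > "$WORK/index.txt"
    echo 01 > "$WORK/serial"
    echo 01 > "$WORK/crlnumber"
    cat > "$WORK/ca.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = req_dn
[ req_dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:acs.example.internal
[ ca ]
default_ca = internal_ca
[ internal_ca ]
dir              = $WORK
database         = \$dir/index.txt
new_certs_dir    = \$dir
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.pem
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = dn_policy
[ dn_policy ]
commonName = supplied
EOF
}

# Create the internal CA, issue the server certificate, publish an (empty)
# CRL, and create a second, unrelated CA to stand in for a root the client lacks.
build_pki() {
    write_config
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config "$WORK/ca.cnf" \
        -extensions ca_ext -subj "/CN=Example Internal CA" \
        -keyout "$CA_KEY" -out "$CA_CERT" 2>/dev/null
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config "$WORK/ca.cnf" \
        -extensions ca_ext -subj "/CN=Unrelated Public CA" \
        -keyout "$WORK/other.key" -out "$OTHER_CA" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
        -subj "/CN=acs.example.internal" -keyout "$SRV_KEY" -out "$SRV_CSR" 2>/dev/null
    openssl ca -batch -notext -config "$WORK/ca.cnf" -extensions server_ext \
        -in "$SRV_CSR" -out "$SRV_CERT" 2>/dev/null
    openssl ca -batch -config "$WORK/ca.cnf" -gencrl -out "$CRL" 2>/dev/null
}

# Check (1), what a supplicant does with "verify server certificate" enabled:
# the presented certificate must chain to a CA in the client's trust store.
verify_chain() {        # $1 = trusted CA file, $2 = server certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check (2): the chain is also validated against the issuer's CRL, so a
# correctly chained certificate is rejected once the CA lists it as revoked.
verify_with_crl() {     # $1 = CA file, $2 = CRL, $3 = server certificate
    openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" >/dev/null 2>&1
}

# Revoke the server certificate and republish the CRL.
revoke_server_cert() {
    openssl ca -batch -config "$WORK/ca.cnf" -revoke "$SRV_CERT" 2>/dev/null
    openssl ca -batch -config "$WORK/ca.cnf" -gencrl -out "$CRL" 2>/dev/null
}

report() {              # $1 = label, rest = command to run; prints pass/FAIL
    label="$1"; shift
    if "$@"; then echo "pass  $label"; else echo "FAIL  $label"; fi
}

build_pki
report "server cert chains to the internal CA"                        verify_chain "$CA_CERT" "$SRV_CERT"
report "server cert chains to an unrelated CA (expect FAIL)"          verify_chain "$OTHER_CA" "$SRV_CERT"
report "server cert passes the CRL check"                             verify_with_crl "$CA_CERT" "$CRL" "$SRV_CERT"
revoke_server_cert
report "server cert passes the CRL check after revocation (expect FAIL)" verify_with_crl "$CA_CERT" "$CRL" "$SRV_CERT"
```

The second report line is the situation Jesse describes: the client has a certificate, but not one that chains to the CA which signed what ACS presents, so the handshake is refused even though the server certificate itself is fine. The last line is the CRL case: nothing about the server certificate changed, only what its issuer publishes about it, which is why a working deployment can stop authenticating overnight.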
