ACS 5.2 - EAP-TLS fail with 'unknown CA in chain' after cert update post cert expiry

sez sharp
Level 1

Apologies for long post

We had a working ACS 5.2 EAP-TLS set up, with installed ACS server cert and CA chain - this worked ok for over a year no problem, auth'ing network access for WiFi clients

Then: -

  • The 'server' cert on ACS (signed by intermediate CA) expired
  • Intermediate CA cert expired

To remedy we: -

  • On ACS deleted both the local 'server' cert and the intermediate CA cert (under ACS cert authorities)

  • On the (MS) Intermediate CA, a new valid cert was installed from the Root CA

  • Exported new valid Intermediate CA cert which was then loaded on ACS under ACS cert authorities - ACS displayed details for cert and looks correct (i.e. reflects chain, the new expiry date and "Trust for client with EAP-TLS" is checked)

  • Used ACS CSR to generate a signing request, then used CSR on Intermediate CA - resulting signed DER server cert obtained ok

  • Used ACS bind (to the outstanding ACS CSR) for the new DER server cert - selected management and EAP functions for this cert. ACS restarted.

  • Looking at the ACS https management cert details from browser, all looks normal now and chain displayed as expected

  • The WiFi clients using EAP-TLS have had new machine certs issued and installed from the Intermediate CA (post its cert being updated)

Problem: -

Since the above the WiFi clients have not been able to get network access using EAP-TLS

The ACS failure is

Failure Reason :

12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain

and debug shows

OpenSSLErrorMessage=SSL alert: code=0x230=560 ; source=local ; type=fatal ; message="Unknown CA - error unable to get issuer certificate locally"

OpenSSLErrorStack=  3059174304:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2664:

Have double checked the certs on the ACS and all looks ok - as before but with date valid certs

Have double checked the cert chain on the ACS (under ACS cert authorities) and looks ok, it shows the two cert step to the root CA all with valid dates, which has following structure

     CA

      ----- Intermediate CA

               ----- ACS local 'server' cert

               ----- WiFi client certs

Questions: -

Is there an ACS debug that will actually show me the CA that is associated with the cert received from the EAP-TLS client ?

i.e. I want to see what CA the ACS is trying to locate and having issues with, to see if problem is client side or ACS side

Failing that any debug which can give me something more to go on ?

- debug radius and EAP on the ACS only yields the above failure info

Is there some gotcha with this scenario ?

i.e. replacing expired certs on ACS 5.2

Thanks
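
The two debug lines quoted in the post above can be decoded field by field. The Python below is an added example, not part of the original thread or of any Cisco tooling; it assumes the alert code is packed as (level << 8) | description, as in OpenSSL's info callback, that the error code uses the OpenSSL 1.0.x layout, and that `source=local` means the server raised the alert itself.

```python
import re

# TLS alert levels and certificate-related descriptions (RFC 5246, section 7.2).
LEVELS = {1: "warning", 2: "fatal"}
DESCRIPTIONS = {42: "bad_certificate", 43: "unsupported_certificate",
                44: "certificate_revoked", 45: "certificate_expired",
                46: "certificate_unknown", 48: "unknown_ca"}

ALERT_RE = re.compile(r'SSL alert: code=0x([0-9A-Fa-f]+)=(\d+) ; source=(\w+) ; '
                      r'type=(\w+) ; message="([^"]*)"')
STACK_RE = re.compile(r'error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*):([^:]*):(\d+):')

def decode_alert(line):
    """Split the alert code into level (high byte) and description (low byte)."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    if code != int(m.group(2)):
        raise ValueError("hex and decimal alert codes disagree")
    level, desc = code >> 8, code & 0xFF
    return {"level": LEVELS.get(level, level),
            "description": DESCRIPTIONS.get(desc, desc),
            "source": m.group(3),
            # Assumption: source=local means this server raised the alert itself.
            "raised_by_server": m.group(3) == "local",
            # Cross-check the decoded level against the type= field in the line.
            "consistent": LEVELS.get(level) == m.group(4),
            "message": m.group(5)}

def decode_error(line):
    """Unpack an OpenSSL 1.0.x error code: 8 bits library, 12 function, 12 reason."""
    m = STACK_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    return {"lib": code >> 24, "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF,
            "lib_name": m.group(2), "func_name": m.group(3),
            "reason_text": m.group(4), "source_file": m.group(5), "line": int(m.group(6))}

# The two debug lines quoted in the post above.
ALERT_LINE = ('OpenSSLErrorMessage=SSL alert: code=0x230=560 ; source=local ; type=fatal ; '
              'message="Unknown CA - error unable to get issuer certificate locally"')
STACK_LINE = ('OpenSSLErrorStack=  3059174304:error:140890B2:SSL routines:'
              'SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2664:')

if __name__ == "__main__":
    print(decode_alert(ALERT_LINE))
    print(decode_error(STACK_LINE))
```

Under those assumptions the alert decodes to a fatal `unknown_ca` raised on the server side, and the error code belongs to the server-side routine that reads the client certificate, which matches the failure reason 12514 text.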

4 Replies

Hello,

I suggest you collect a sniffer trace for the EAP-TLS handshake in order to see what certificate is sent by the client (the best way is to do it on the client machine, then the very first packets sent on the network are EAP-TLS).

Thanks,

Sergey Emantayev

jerome.ibanez
Level 1

How did you get to that debug file, or run that debug program? I was only able to get the debug files from the support bundle page and didn't find where the OpenSSL debugs were in any of the extractions.

You can see the failed authentication details (including SSL alert) in M&R: open 'Monitoring and Reporting', then go to Reports > Catalog > AAA protocol > RADIUS authentication.

Hi sez.sharp!

I want to know if you had a chance to figure out what was causing the issue. Have you fixed it? I am currently facing the same issue...

Thanks in advance!