10-24-2011 10:27 PM - edited 03-10-2019 06:30 PM
Apologies for long post
We had a working ACS 5.2 EAP-TLS set up, with installed ACS server cert and CA chain - this worked ok for over a year no problem, auth'ing network access for WiFi clients
Then: -
To remedy we: -
Problem: -
Since the above the WiFi clients have not been able to get network access using EAP-TLS
The ACS failure is
Failure Reason: 12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain
and debug shows
OpenSSLErrorMessage=SSL alert: code=0x230=560 ; source=local ; type=fatal ; message="Unknown CA - error unable to get issuer certificate locally"
OpenSSLErrorStack= 3059174304:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2664:
Have double checked the certs on the ACS and all looks ok - as before but with date valid certs
Have double checked the cert chain on the ACS (under ACS cert authorities) and looks ok, it shows the two cert step to the root CA all with valid dates, which has following structure
CA
----- Intermediate CA
----- ACS local 'server' cert
----- WiFi client certs
Questions: -
Is there an ACS debug that will actually show me the CA that is associated with the cert received from the EAP-TLS client?
i.e. I want to see what CA the ACS is trying to locate and having issues with, to see if problem is client side or ACS side
Failing that any debug which can give me something more to go on ?
- debug radius and EAP on the ACS only yields the above failure info
Is there some gotcha with this scenario ?
i.e. replacing expired certs on ACS 5.2
Thanks
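The question above is really "which issuer does the client cert name, and can that issuer be found in the trust store the server has?" The following shell script is an added example, not from the original post or from Cisco: it builds a throwaway Root -> Intermediate -> client chain with openssl, prints the issuer the client cert points at, and reproduces the "unable to get issuer certificate" verdict when only the root is trusted and the intermediate is absent, versus success when the intermediate is supplied. All subject names (Example Root CA, Example Intermediate CA, wifi-client-01) are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the thread). Assumes the openssl CLI is installed.
# Builds: Example Root CA -> Example Intermediate CA -> wifi-client-01 (constructed names).
set -e

WORK=$(mktemp -d)
cd "$WORK"

# 1. Root CA (self-signed). 'req -x509' marks it CA:TRUE.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=Example Root CA" -keyout root.key -out root.pem >/dev/null 2>&1

# 2. Intermediate CA signed by the root; needs CA:TRUE and keyCertSign to issue certs.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Example Intermediate CA" -keyout int.key -out int.csr >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -sha256 -extfile int.ext -out int.pem >/dev/null 2>&1

# 3. WiFi client cert signed by the intermediate (the EAP-TLS supplicant's cert).
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=wifi-client-01" -keyout client.key -out client.csr >/dev/null 2>&1
openssl x509 -req -in client.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 30 -sha256 -out client.pem >/dev/null 2>&1

# The issuer DN the authenticating server has to locate: run this against a cert
# captured from a real client (e.g. the Certificate message in a sniffer trace).
client_issuer() {
  openssl x509 -in client.pem -noout -issuer | sed 's/^issuer= *//'
}

# Trust store holds only the root: the intermediate the client cert names is not
# available, so chain building fails with "unable to get local issuer certificate",
# which is the condition behind an "Unknown CA" alert on the server side.
verify_root_only() {
  if openssl verify -CAfile root.pem client.pem >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Same root trust store, but the intermediate is supplied as an untrusted chain cert
# (what a correctly configured client sends alongside its own cert).
verify_with_intermediate() {
  if openssl verify -CAfile root.pem -untrusted int.pem client.pem >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

echo "Client cert issuer: $(client_issuer)"
echo "Root only:          $(verify_root_only)"
echo "Root + intermediate: $(verify_with_intermediate)"
```

When checking a real deployment, replace client.pem with the certificate the supplicant actually presents and root.pem/int.pem with the CA certificates installed on the server; if the root-only check fails but the root-plus-intermediate check passes, the problem is a missing or mismatched intermediate rather than the client certificate itself.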
10-25-2011 11:26 PM
Hello,
I suggest you collect a sniffer trace for the EAP-TLS handshake in order to see what certificate is sent by the client (the best way is to do it on the client machine, then the very first packets sent on the network are EAP-TLS).
Thanks,
Sergey Emantayev
12-20-2011 10:37 PM
How did you get to that debug file, or run that debug program? I was only able to get the debug files from the support bundle page and didn't find where the OpenSSL debugs were in any of the extractions.
01-03-2012 08:55 AM
You can see the failed authentication details (including SSL alert) in M&R: open 'Monitoring and Reporting', then go to Reports > Catalog > AAA protocol > RADIUS authentication.
04-22-2014 12:48 PM
Hi sez.sharp!
I want to know if you had a chance to figure out what was causing the issue, have you fixed it? I am currently having the same issue...
Thanks in advance!