Apologies for the long post.
We had a working ACS 5.2 EAP-TLS setup, with an installed ACS server cert and CA chain. This worked OK for over a year with no problem, authenticating network access for WiFi clients.
To remedy we: -
Since the above, the WiFi clients have not been able to get network access using EAP-TLS.
The ACS failure is
Failure Reason :
12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain
and debug shows
OpenSSLErrorMessage=SSL alert: code=0x230=560 ; source=local ; type=fatal ; message="Unknown CA - error unable to get issuer certificate locally"
OpenSSLErrorStack= 3059174304:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2664:
Have double-checked the certs on the ACS and all looks OK, as before but with date-valid certs.
Have double-checked the cert chain on the ACS (under ACS cert authorities) and it looks OK; it shows the two-cert step to the root CA, all with valid dates, which has the following structure:
----- Intermediate CA
----- ACS local 'server' cert
----- WiFi client certs
Is there an ACS debug that will actually show me the CA that is associated with the cert received from the EAP-TLS client?
i.e. I want to see what CA the ACS is trying to locate and having issues with, to see if the problem is client side or ACS side.
Failing that, is there any debug which can give me something more to go on?
- debug radius and EAP on the ACS only yields the above failure info
Is there some gotcha with this scenario?
i.e. replacing expired certs on ACS 5.2
I suggest you collect a sniffer trace for the EAP-TLS handshake in order to see what certificate is sent by the client (the best way is to do it on the client machine, then the very first packets sent on the network are EAP-TLS).
How did you get to that debug file, or run that debug program? I was only able to get the debug files from the support bundle page and didn't find where the OpenSSL debugs were in any of the extractions.
You can see the failed authentication details (including SSL alert) in M&R: open 'Monitoring and Reporting', then go to Reports > Catalog > AAA protocol > RADIUS authentication.
I want to know if you had a chance to figure out what was causing the issue. Have you fixed it? I am currently facing the same issue...
Thanks in advance!