Showing results for 
Search instead for 
Did you mean: 
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


PEAP authentication fails


PEAP authentication fails with the error "EAP-TLS or PEAP authentication failed during SSL handshake".

In our wireless setup we have configured a SSID for WPA/WPA2 authentication with dot1x.

We are using ACS4.2 with Active directory for user and certificate authentication.

I have done the following configuration:

In ACS4.2 (on Windows2000 server):

1. Copied the following files to the \Certs directory:

•server.cer (server certificate)

•server.pvk (server certificate private key)

•ca.cer (CA certificate)

2. I have imported ca.cer by double clicking in " In local Computer under Trusted Root Certification Authority".

3. Also I have installed Server.cer under System Configuration->ACS Certificate Setup ->Install ACS Certificate.

By using option "Read certificate from file"

4. I have installed ca.cer under System Configuration > ACS Certificate Setup > ACS Certification Authority Setup

5.I have selected "ca" in System Configuration > ACS Certificate Setup > Edit Certificate Trust List

6. On Windows XP SP2 I have installed server.cer In local Computer under Trusted Root Certification Authority".

Note: server.cer -> Is supporting both server authentication and Client authentication

But I am not able able to connect to wireless and I can see "PEAP authentication fails with the error "EAP-TLS or PEAP authentication failed during SSL handshake" error in ACS log.

Please help.

Cisco Employee

Re: PEAP authentication fails

Hi Vivekanand,

Looks like we are using PEAP with MSchapv2.

Could you please provide me the file from the ACS? In order to create this

* Set the logging level under System Config => Service Control => logging level = FULL.

* Now try again and reproduce the error message in the failed attempt.

* Log onto the ACS server itself as the local administrator.

* Browse to the BIN directory in the ACS program directory.

* Run the program there called CSSupport and Click NEXT.

* Only do these steps if we need more than today's logs:

-- Put a check in both "Previous Logs" checkbox.

-- Select the number of days to go back.

- Click Next two times.

- When the Finish button appears, click it.

Now attach this file in your next post.

# Also, please verify the setting as per the doc once again.

PEAP via ACS is here




-Plz rate helpful posts-

~Jatin Katyal

Re: PEAP authentication fails

Thanks for your support


Re: PEAP authentication fails

You need to obtain a client side certificate (machine and/or user.

1. machine cert you could obtain automatically if your machine first time log on to AD domain. There must be Auto Enrollment for Computer turned on in rules for domain.

2. user cert you could obtain through CA web server interface or through MMC console in Local User Personal Certificates.

It's look you have not successfully configure Windows XP supplicant side.

Re: PEAP authentication fails


Thanks for your support.


Re: PEAP authentication fails

Was it somewhat helpful?

Re: PEAP authentication fails

Hi Filip,

As in our setup we do not have CA server.

We have purchased the digital certificate from third party CA.

So we have decided to implement PEAP without validating server certificate on client machine.

We have installed certificate on ACS server and have selected PEAP in global authentication.On client configured PEAP, and have not selected validate server certificate option,authentication works fine.

Re: PEAP authentication fails

Problem is resolved now,no need to post further replies.

Thanks for the support