05-27-2008 10:06 AM - edited 07-03-2021 03:56 PM
Hi All,
Need help.
I've installed ACS SE 4.1 for the PEAP authentication with Microsoft AD, but it failed with the following message in the ACS: "EAP-TLS or PEAP authentication failed during SSL handshake"
The client is not using any certs.
Thanks in advance.
05-27-2008 05:38 PM
The reason you are getting this is either the certificate is not installed correctly on the ACS or you have "validate server certificate" checked on the client side, preventing the certificate from being used. Try to uncheck that on the client side.
05-27-2008 05:56 PM
The client side is unchecked for the certificate, and I've reinstalled the cert on the ACS server, but I'm still getting the same error message.
Any other clue?
05-27-2008 06:02 PM
What type of cert are you using? Also verify that it is installed in the computer account personal certificate store. It is definitely a certificate issue.
05-27-2008 06:04 PM
If you are using MS CA then take a look at this doc:
Instead of using Web Server, I choose User.
05-27-2008 06:06 PM
There is an option of not using certs for PEAP, right? I do not want to use the cert for the authentication, but the cert is installed (generated) in the ACS. The client side is disabled for getting the certs from the ACS.
Hope this will clear your doubt.
05-27-2008 06:09 PM
PEAP, like any EAP type, needs a certificate installed. I have tried to generate a certificate from ACS, but never got that to work. I got the same SSL error you got. Users have to obtain that cert from the ACS in order to continue with the authentication process.
05-30-2008 03:16 AM
The easiest thing to do is to obtain a cert for the ACS SE from an online CA. The one I always recommend is www.rapidssl.com as they are reasonably cheap and the whole order process takes about half an hour to work through. If you generate the CSR on the ACS, obtain your cert and install it, you can leave the check boxes checked on your clients as the Rapidssl root cert is built into Windows/IE.
The only thing to be careful of is that before you generate the CSR, remove the existing self-signed cert from the ACS SE. Failure to do so can sometimes lead to problems.