cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
350
Views
0
Helpful
7
Replies
Highlighted
Beginner

ACS SE 4.1 + AD + PEAP

Hi All,

Need help.

I've installed ACS SE 4.1 for the PEAP authentication with Microsoft AD, but it failed with the following message in the ACS....EAP-TLS or PEAP authentication failed during SSL handshake

The client is not using any certs.

Thanks in advance.

7 REPLIES 7
Highlighted
Hall of Fame Master

The reason you are getting this is either the certificate is not installed correctly on the ACS or you have validate server certificate on the client side, preventing the certificate to be used. Try to uncheck that in the client side.

-Scott
*** Please rate helpful posts ***
Highlighted

the client side is unchecked for the certificate, and i've reinstall the cert on the ACS server, but still getting the same error message.

any other clue?

Highlighted

What type of cert are you using? Also verify that it is installed in the computer account personal certificate store. It is definitely a certificate issue.

-Scott
*** Please rate helpful posts ***
Highlighted

If you are using MS CA then take a look at this doc:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml

Instead of using Web Server, I choose User.

-Scott
*** Please rate helpful posts ***
Highlighted

there is an option of not using certs for peap, right? i do not want to use the cert for the authentication, but the cert is installed (generated) in the ACS. client side is disabled for getting the certs from the ACS..

hope this will clear your doubt..

Highlighted

PEAP like any EAP type, needs a certificate installed. I have tried to generate a certificate from ACS, but never got that to work. I got the same SSL error you got. Users have to obtain that cert form the ACS in order to continue with the authentication process.

-Scott
*** Please rate helpful posts ***
Highlighted

The easiest thing to so is to obtain a cert for the ACS SE from an online CA. The one I always recommend is www.rapidssl.com as they are reasonably cheap and the whole order process takes about half an hour to work through. If you generate the CSR on the ACS, obtain your cert and install it you can leave the check boxes checked on your clients as the Rapidssl root cert is built into Windows/IE.

The only thing to be careful of is that before you generate the CSR, remove the existing self-signed cert from the ACS SE. Failure to do so can sometimes lead to problems.