Certificate problem with EAP-TLS/PEAP authentication

depwanguy
Level 1

Hello,

I am having an issue getting EAP-TLS/PEAP (EAP-GTC) authentication to work. I am using a MS Server 2003, Standard Ed. server for my CA and a separate MS Server 2003, SE for my ACS server. I have completed all configuration steps outlined by Cisco and MS, but the server-side certificate doesn't seem to be right.

When I go to the CA's web site from my ACS box, I select Request Certificate -> Advanced Certificate Request -> Create and submit a request to this CA.

Under Certificate Template, I select Web Server. Once I do this, the 'Mark keys as exportable' option box is greyed out, which prevents me from assigning the private key to the certificate. If I continue, generate, and install the certificate as is, the statement 'You have a private key that corresponds to this certificate' does not appear in the General section of the certificate properties. The client-side certificate installs with all prerequisites met, including the above statement.

I try to authenticate with the client and receive the familiar 'EAP-TLS or PEAP authentication failed during SSL handshake' error, which tells me I still have a certificate problem.

I appreciate any assistance with this matter.

3 Replies

mchin345
Level 6

Microsoft has changed the Web Server template with the release of the Windows 2003 Enterprise CA so that keys are no longer exportable and the option will be greyed out.

We will have to create a new template that does so. Here are the steps:

1. Start > Run > certtmpl.msc

2. Right-click Web Server template and choose Duplicate Template

3. Name the template something easy to identify like ACS.

4. Go to the Request Handling tab and check Allow private key to be exported.

5. Click on the CSPs button, check Microsoft Base Cryptographic Provider v1.0 and click OK.

6. All other options can be left at default.

7. Click Apply and OK.

8. Open the CA MMC snap-in.

9. Right-click Certificate Templates and choose New > Certificate Template to Issue.

10. Choose the new template you created and click OK.

11. Restart the CA.

The new template will be included in the Certificate Template dropdown.
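After enrolling with the duplicated template, the quickest way to confirm the ACS box actually ended up with a usable server certificate (the symptom in the original post was a certificate with no private key behind it) is to inspect the Local Computer Personal store. This is an added check, not part of the thread, and it assumes the certificate was installed into the machine store on the ACS server and that PowerShell is available there; the function name is hypothetical.

```powershell
# Added example: report which machine certificates are usable as the
# EAP-TLS/PEAP server certificate, i.e. have a private key and carry the
# Server Authentication EKU (1.3.6.1.5.5.7.3.1) that the Web Server template
# and its duplicates issue. Assumes the cert was enrolled into Cert:\LocalMachine\My.
function Test-EapServerCertificate {
    [CmdletBinding()]
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
    $ekuExtensionOid = '2.5.29.37'         # extKeyUsage extension

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $ekuExtensionOid }

        # No EKU extension at all means "any purpose"; otherwise require serverAuth.
        $hasServerAuth = $true
        if ($ekuExt) {
            $ekuOids = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }
            $hasServerAuth = ($ekuOids -contains $serverAuthOid)
        }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey   # false = the exact symptom in the post
            ServerAuthEku = $hasServerAuth
            UsableForEap  = ($cert.HasPrivateKey -and $hasServerAuth -and $cert.NotAfter -gt (Get-Date))
        }
    }
}

# Show every certificate, then flag the ones that would fail the SSL handshake.
$report = Test-EapServerCertificate
$report | Format-Table Subject, HasPrivateKey, ServerAuthEku, UsableForEap, NotAfter -AutoSize
$report | Where-Object { -not $_.UsableForEap } |
    ForEach-Object { Write-Warning "Not usable for EAP server auth: $($_.Subject) [$($_.Thumbprint)]" }
```

If the certificate you enrolled shows HasPrivateKey = False, the request was generated without a matching key in the machine store and needs to be re-issued from the duplicated template rather than re-imported.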

Mary,

Thanks so much for the info. I made the modifications, but now I get an error which I have attached. Is there something else I need to do? Again, thank you!

Brian

Are you using Win2K as your AD Domain controller? If so the setup you have will not work. You'll have to load the CA server on a Win2K Server to make it work.
