08-04-2004 03:07 AM - edited 07-04-2021 09:51 AM
It's killing me... my client is pressuring me big time for not being able to fix this issue!!! I might have to leave the Cisco world if I don't fix this!
OK, I have the following in my production:
AP1200 with 12.2(15)XR
ACS 3.3
MS CA server on the same box as ACS (win2000 sp3)
non-Cisco card but CCXv2 (Atheros supplicant)
LEAP works perrrrfect. But once switched to the PEAP profile, I get this message: "PEAP authentication failed during SSL handshake". I guess this has something to do with a cert, but I've gone through the CA installing procedure 1000 times already. No luck.
One thing I noticed before I got out of the office today: the ACS/CA box was on the AA domain, and the user was on the BB domain. Does it matter?? These domains may not trust each other, or have a one-way trust... I don't have a clue right now.
Another thing: as I'm working in an enterprise environment, I wanted to maintain a pretty good security level using PEAP with TKIP and some kind of key management (WPA or CCKM), and I noticed the following.
Even with LEAP,
* encryption mode tkip
* authentication key-management cckm
With the two options on, the client isn't even associating to the AP.
The only combination that works is
* encryption mode tkip wep128
* authentication key-management cckm
or
* encryption mode tkip
* authentication key-management wpa
Any clue?
Many thanks in advance to whoever shares the life-saving knowledge!!!
08-04-2004 10:48 AM
Does your client system recognize the root certificate for your ACS's cert?
08-04-2004 01:00 PM
Yes, I believe so.
I retrieved the root cert from the CA and installed it on the client machine to trust the CA and CA-signed entities. Is that what you are asking? When I go to IE>Tools>Internet Option>Contents>Certificate>Trusted Root Cert, I can see the CA that signed the server cert for ACS.