05-06-2014 02:51 AM - edited 07-05-2021 12:46 AM
Hi guys,
I've been having problems with a local certificate on my ACS for authenticating wireless clients. The error I get when testing authentication is:
12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ACS local-certificate
I have done the following steps to create my certificate:
Downloaded CA Certificate for my certificate authority
Generated a signing request, then bound the CA-signed certificate (also added to the client) and trusted this certificate for EAP-TLS.
When using a self-signed certificate on the ACS, authentication works perfectly.
Has anyone come across this error before or any ideas on how to resolve it?
Thanks.
05-06-2014 02:57 AM
Hi, if you have followed the right procedure for certificates, then try this:
The error points towards the client. Check the EAP settings: if "validate server certificate" is set, then you must manually set it to trust the root CA that signed the ACS certificate, or you can disable this option for testing. You can also try removing this wireless network profile and recreating it, and see if the pop-up appears that asks you to validate the server's identity.
Regards
Don't forget to rate helpful posts
05-06-2014 03:30 AM
Thanks for the reply Sandeep. I have tried disabling the validate server certificate option in the client supplicant, but as I am using EAP-FAST, the returned authentication error is:
12177 No cipher for PAC-less EAP-FAST authentication. (which is even less helpful!!).
The exact procedure I have followed for the certificate creation is below (if helpful):

Download CA certificate:
  Download CA Certificate
  Encoding: Base64
  Download CA Certificate

ACS CA:
  Add certificate
  Trust for EAP-TLS
  Description: Root CA

Generate signing request:
  System Admin --> Local Certificates --> Add
  Generate signing request
  Cert Subject: CN=ACS-INSTANCE-DOMAIN-NAME
  Key length: 1024
  Digest: SHA1
  Export Outstanding Signing Request
  Copy CSR

Request certificate from certsrv:
  Advanced
  Submit a cert
  Paste
  Template:
  Base 64
  Download cert
Thanks again.
05-06-2014 03:44 AM
Check these two things:
1. I don't know if the encoding method Base 64 is correct or not (I have ISE and I am using DER format).
2. The certificate template should be Web Server.
3. Also try changing the key length and SHA version.
Regards
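The two posts above describe a chain of manual steps (download the root CA, trust it in ACS, submit a CSR to certsrv, bind the issued certificate) and a checklist of things that can go wrong with the result (encoding, template, key length, hash). The script below is an added example, not code from the thread or from Cisco: it builds a throwaway root CA and an ACS-style server certificate with openssl, then runs the checks a practitioner would run on the real certificate before binding it on ACS, namely that it chains to the root the ACS and the clients trust, that the subject CN matches the ACS hostname, that it carries the TLS Web Server Authentication EKU (what the Windows "Web Server" template issues), and what key length and signature algorithm the CA actually used. It accepts either a Base64 (PEM) or a DER copy of the certificate. The hostname acs01.example.test, the file names and the 2048-bit/SHA-256 parameters are assumptions made for the example.

```shell
#!/bin/sh
# Added example: sanity-check a CA-issued server certificate the way one would
# before binding it to ACS. Not part of the original thread; openssl is assumed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ACS_HOST="acs01.example.test"   # assumed ACS instance FQDN (CN in the CSR)

# Build a test root CA, an ACS cert signed by it, and an unrelated second root.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Test Root CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Other Root CA" -keyout "$WORK/other-ca.key" -out "$WORK/other-ca.pem" 2>/dev/null
  # CSR as ACS would export it: subject CN = ACS FQDN.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$ACS_HOST" -keyout "$WORK/acs.key" -out "$WORK/acs.csr" 2>/dev/null
  # Extensions approximating the Windows "Web Server" template (serverAuth EKU).
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' \
    > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/acs.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/ext.cnf" -out "$WORK/acs.pem" 2>/dev/null
  # A CA web enrollment page can hand back Base64 or DER; keep a DER copy too.
  openssl x509 -in "$WORK/acs.pem" -outform DER -out "$WORK/acs.der"
}

# Normalize a certificate file to PEM whether it was saved as Base64 or DER.
to_pem() {
  if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then
    cat "$1"
  else
    openssl x509 -inform DER -in "$1"
  fi
}

# key_bits CERT -> e.g. "2048 bit"; sig_alg CERT -> e.g. "sha256WithRSAEncryption"
key_bits() { openssl x509 -noout -text -in "$1" | sed -n 's/.*Public-Key: (\(.*\)).*/\1/p' | head -1; }
sig_alg()  { openssl x509 -noout -text -in "$1" | grep 'Signature Algorithm' | head -1 | awk '{print $3}'; }

# check_acs_cert CERT CA_CERT HOSTNAME
# Prints findings; returns 0 only if the chain verifies against CA_CERT, the
# subject CN matches HOSTNAME and the serverAuth EKU is present.
check_acs_cert() {
  cert=$1; ca=$2; host=$3
  pem="$WORK/check.pem"
  to_pem "$cert" > "$pem"
  rc=0
  if openssl verify -CAfile "$ca" "$pem" >/dev/null 2>&1; then
    echo "chain:   OK ($(openssl x509 -noout -issuer -in "$pem"))"
  else
    echo "chain:   FAIL - certificate does not chain to $ca"; rc=1
  fi
  subj=$(openssl x509 -noout -subject -in "$pem")
  case "$subj" in
    *"CN=$host"*|*"CN = $host"*) echo "subject: OK ($subj)" ;;
    *) echo "subject: FAIL - CN does not match $host ($subj)"; rc=1 ;;
  esac
  if openssl x509 -noout -text -in "$pem" | grep -A1 'Extended Key Usage' \
       | grep -q 'TLS Web Server Authentication'; then
    echo "eku:     OK (TLS Web Server Authentication)"
  else
    echo "eku:     FAIL - no serverAuth EKU (wrong CA template?)"; rc=1
  fi
  echo "key:     $(key_bits "$pem")"
  echo "sigalg:  $(sig_alg "$pem")"
  return $rc
}

make_test_pki
echo "== issued cert against the root the ACS trusts (PEM copy) =="
check_acs_cert "$WORK/acs.pem" "$WORK/ca.pem" "$ACS_HOST"
echo "== same cert, DER copy =="
check_acs_cert "$WORK/acs.der" "$WORK/ca.pem" "$ACS_HOST"
echo "== same cert against a different root (what a client trusting the wrong root sees) =="
check_acs_cert "$WORK/acs.pem" "$WORK/other-ca.pem" "$ACS_HOST" || echo "rejected, as a supplicant would reject it"
```

Point `check_acs_cert` at the certificate downloaded from certsrv and at the root CA certificate that was added to the ACS trust store (and pushed to the clients); a chain failure there reproduces offline what the supplicant does when it refuses the ACS certificate.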
05-06-2014 03:49 AM
I'll give those a try. Thanks for your help Sandeep.
05-06-2014 06:34 AM
Thanks again Sandeep, the disabling of the server validation helped me track down the problem, which turned out to be an issue with our root CA. This has since been resolved and the certificates are now working.
07-17-2014 08:51 AM
What was the issue with the root CA and how did it get resolved? I am seeing a similar issue with PEAP and getting the same error.
07-18-2014 02:11 AM
Hi.
It turns out that the certificate creation was not correct. I re-created the certificates and this resolved the problem.
Please let me know if you need further help.