Showing results for 
Search instead for 
Did you mean: 

WLAN Clients fail PEAP Authentication

Level 1
Level 1


We are using ACS SE as RADIUS servers in our WLAN environment.  We are using PEAP+MSCHAPv2 with VeriSign Certificates on the ACS servers and ACS Remote Agents on separate servers validating user credentials to our AD.  We are not using EAP-TLS, and the laptops (XP SP3) do not have unique certs.  Each of our 3 global ACS appliances has its own unique VS certificate installed, and they have different expiration dates [a few months apart] - NONE are expired.

Starting several months ago, we have seen an ever increasing number of clients that fail the SSL handshake.  The error in the ACS Failed Attempts log is "EAP-TLS or PEAP authentication failed during SSL handshake".  In some cases the issue was solved by deleting the VeriSign "Class 3 Public Primary Certification Authority" certs from the client's "Trusted Root Certificate Authorities" store AND letting XP reinstall them.  This issue now affects about 20% of our laptops.

Over the holidays, the VS cert on one of our ACS appliances was due to expire, so we renewed it and installed the new cert.  After this action, the number of failed SSL handshakes (and unhappy clients) jumped x4.  Pointing the APs at one of our other ACS appliances (that has an older cert), immediately solved the issue for most clients and we were back to the original 20% that couldnt connect.

I talked with VeriSign, and they said it was a CISCO issue.  I think the issue might be with the Root or Intermediate CA certificates op the clients.  I know I could test this by manually importing new certificates on a few machines.  Is there a more definitive way to check the certificate authentication chain?  Am I barking up the wrong tree?


Mark W.

1 Reply 1

Nicolas Darchis
Cisco Employee
Cisco Employee

The problem is that since you are doing PEAP, it's most likely the client rejecting the ACS certificate. So it's a bit easy to say it's a cisco problem :-)

From experience, I know that Verisign regularly changes their CA chain. Like before they issued certificates from a specific root CA they have, then after that they only issue certificates from an intermediate CA, etc ...

My question is : when a laptop fails, does it always fail from that point on ?

If yes, then check carefully the certificate that the ACS is presenting (CN and "issued by") and compare to what the client has in its trusted list. Maybe there is a missing link somewhere. Compare also with the new certificate you have for your ACS.

To make sure, the from ACS can also be collected but I'm afraid we'll just see that it's the client rejecting the handshake.



Review Cisco Networking for a $25 gift card