Cisco AAA/Identity/Nac :: WLC To ACS 4400 V5 To AD - 12309 PEAP Handshake Failed
Feb 25, 2010
I have a Cisco WLC talking to a ACS 4400 version 5.1 which in turn talks to Active Directory.Ive been trying to get 802.1x for wireless clients going, I have a cert on the ACS from verisign on the box but when users try to sign in they get 12309 PEAP handshake failed in the ACS RADIUS log.The cert was exported and placed directly on the testing laptop and at one point it all worked. I stepped away from it for 2 weeks to get a new internal CA built on a windows box, now coming back to it with the intent of issuing new certs to the ACS from the internal CA and thought I would check it to make sure all was good, but its not.Google doesn’t return happy results for “12309 PEAP handshake failed”, I opened a TAC case on it and they took my cert to their lab. Haven’t heard back.
View 6 Replies
ADVERTISEMENT
Mar 21, 2013
I'm in the middle of my very first wireless ISE deployment and I'm hitting issues with EAP-TLS based authentication. In short, all EAP-TLS authentication is failing with the following error. Below that is the relevant excerpt from the logs:
Authentication failed : 12508 EAP-TLS handshake failed
OpenSSLErrorMessage=SSL alert: code=0x233=563 ; source=local ; type=fatal ; message="X509 decrypt error - certificate signature failure", OpenSSLErrorStack= 597863312:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown
[Code].....
View 5 Replies
View Related
Oct 31, 2010
I replaced an ACS certificate that had been installed as follows:
1. Generate CSR file and private key file, then send CSR to GeoTrust (Key length: 2048 and Digest to sign with SHA1)
2. GeoTrust send me a certificate. Issued by "GeoTrust SSL CA".
3. Install the certificate on the ACS. Restart ACS service.
4. ACS Certification authority setup. Issued by "VeriSign Class 2 Public Primary Certification Authority - G3"
5. Edit certificate trust list and select "VeriSign Class 2 Public Primary Certification Authority - G3" as trusted.
6. Enable EAP-TLS, then restarted the ACS service. The problem is when i try to enable EAP i get the error msg:Failed to initialize PEAP or EAP-TLS authentication protocol because CA certificate is not installed. Install the CA certificate using "ACS Certification Authority Setup" page.I searched on cisco and it said to disable the CSA, but in fact there is no CSA installed on this server.
OS: Win 2003 sp2Cisco ACS: Release 4.2(0) Build 124
View 4 Replies
View Related
Feb 21, 2011
WLC 5508 running 7.0.98.0
Site was running fine until the WLC had a hardware failure.
A new WLC was shipped out, was running 6.0.99 then manually upgraded to 7.0.98. Clients cannot authenticatewith recurrent logs messages like this.
*dot1xMsgTask: Feb 23 17:05:03.648: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2914 Max EAP identity request retries (3) exceeded for client 00:21:5c:<snip>*spamApTask0: Feb 23 17:05:01.926: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:629 Failed to complete DTLS handshake with peer 192.168.214.91
I have tried changing the key on the radius server to no avail.
View 4 Replies
View Related
Aug 29, 2011
I have a problem where wireless clients at a remote site cannot successfully authenticate through their WLC to my ACS 5.2 (Linux on VM). I have three sites where this authentication is functioning properly; at my fourth site the wireless clients fail with a PEAP error: "12321 PEAP failed SSL/TLS handshake because the client rejected the ACS local-certificate". My wireless clients are Win7 using WPA2-Enterprise security type with AES encryption. The authentication method is set to Microsoft PEAP (EAP-MSCHAP v2) and the 'Validate server certificate' is not checked. My wireless access rules on ACS 5.2 are working well at three sites. My ACS 5.2 has a self-signed certificate that doesn't expire until August 2012. A laptop that can successfully authenticate at other sites cannot authenticate at the fourth site.
Phase one of the PEAP process is where the client authenticates the server certificate and the TLS tunnel is created so that in phase two user authentication credentials are sent through the TLS tunnel using EAP. My clients do not seem to be able to create the TLS tunnel because they reject the ACS local certificate; thus, user credentials are never passed and authentication fails. I have renewed the ACS local certificate and rebooted the ACS server but the problem persists. My WLAN on the WLC has its security policy set to [WPA + WPA2][Auth(802.1X)]. WPA uses TKIP and WPA2 uses AES; Auth Key Mgmt is set to 802.1X. The remote site where authentication fails is a different domain; the other three sites are the same domain.
I can see the failed authentication attempts in my ACS "Monitoring and Reports | Reports | Catalog | AAA Protocol | RADIUS Authentication" report. They all fail with the same PEAP error: 12321 PEAP failed SSL/TLS handshake because the client rejected the ACS local-certificate. The ACS local certificate works fine at three sites--just not at the fourth. Is my problem the certificate or is it an 802.1X client problem?
View 4 Replies
View Related
Sep 25, 2011
I am trying to setup PEAP authentication for wireless users but I got stuck at place where I have single ssid and users are store in different identity stores like some will be using their active directory and some are locally created users on ACS. I created separate service for wireless authentication and under that I am unable to create rule to differentiate them with identity stores. any idea how to achieve this.
I tried creating identity selection based on role but it does not work as for protocol like radius.peap,ms-chap ACS does not look for another identity store once user not find in an identity stores.
View 1 Replies
View Related
Apr 23, 2013
how the certificates work when using PEAP on ACS 5.2.Currently we have clients which are Cisco wireless IP phones that are using the ACS server(s) for authentication to the wireless network. The phones are configured to use PEAP with server validation enabled. The phones have a Godaddy root certificate, and Godaddy intermediate certificates installed on them, (in addition they have all the certs that are on the phone by default). On the ACS server there is a certificate that is signed by Godaddy. This was creating doing the CSR process etc...
So from what I understand, because all the phones are set up to validate the server certificate, they require the public root certs and the intermediate certs that are installed on them, in order to validate the private cert that is on the ACS server. The private certificate (the one signed and issued by Godaddy), expires the middle of next year (2014) (a little ways off I know, but it is never too early be concerned about stuff). When we go to get a new private certificate for the ACS servers (or get a renewal) and when we install this new signed certificate onto the ACS servers…will all the clients still trust this new certificate, and everything will continue to work smoothly? Or will the clients all need to have new root certs installed, and new intermediate certificates installed? From what I can gather I think the first scenario should be the case, because the root certs and intermediate certs are there to trust certs that are signed by Godaddy, so as long as the new private certificate is signed by Godaddy everything should be okay.
View 8 Replies
View Related
Apr 3, 2012
I have been trying to figure out for days now how to get Windows XP/Windows 7 and Apple iPads to connect to a broadcasted SSID and authenticate with PEAP without getting prompted to verify a certificate that exists on ACS.
In Windows 7, I get a window that says the connection attempt could not be completed and get a warning that the certificate could not be validated. If I manually configure a wireless connection and specify PEAP to accept my trusted root certificate authority (in the default list), it doesn't prompt but having users do this is not acceptable and more work than to just verify when prompted. I have no control over the devices connecting so I can't push anything down using GPOs.
For the iPad, I get a similar message that the certificate authority can't be verified and you have to accept.
For the certs, I have tried GoDaddy and Starfield. How to get this working without getting prompted to verify/validate a certificate authority? If so, what cert are you using? I have the intermediate certs installed in ACS and Windows and iPads see them because as soon as I delete, the screen that pops up changes to my actual cert.
View 5 Replies
View Related
Sep 11, 2011
Any good guide for configuring PEAP with Machine Authentication to allow for domain login?This is a clean install on a new 5.2 install.We are moving from 4.X to 5.2 and i want to make sure i dont miss anything.
View 3 Replies
View Related
Aug 19, 2012
Cisco 5508 wireless controllerCisco ACS 5.1LDAP connection I have setup the wireless controller to do RADUIS authentication with the ACS 5.1 using LDAP. The setup is currently working, Brief info below on setup.
I setup the PC client to use WPA2-Enterprise AES and authentication method CISCO PEAP. When I connect to the SSID this will prompt for a username and password. I will enter in my AD details and the ACS with the LDAP connection will authenicate and on the network I go.
Now I want to add machine authentication with CERTIFICATES, each laptop and pc in our network has CA certificates installed.
way that I can add these certificates into the ACS 5.1 so I pretty much want to import them into the ACS. Once they are imported inside I want the ACS to check that the certificates are on the PC and then prompt for the AD username and password, and only once it meets these two conditions it allows the workstation onto the network.So it will be a two form authentication one with certificates and the other ldap.
View 18 Replies
View Related
Oct 20, 2012
We are currently evaluating ISE and I am stuck with the PEAP authentication (with Server side Cert).Our current setup consists of two 5508 controllers, 30+ access point. For authentication we are using PEAP with (server side Cert). We have an IAS server which is also acting as a CA server. We are using Cisco’s NAM as a supplicant on Windows XP & 7 workstations. I would like to use ISE for authentication. I would like to use PEAP with Server side Cert (similar setup like IAS). I want ISE to perform the same function in addition to profiling etc.....
I was able to integrate ISE with Active Directory but could not get it working with PEAP (server side Cert). I would also like to know if they used Microsoft’s CA server or Open SSL CA server or a third party CA server (Go Daddy, VeriSign etc.)Can you we ISE as a CA server just the way we used Microsoft’s IAS Server as a CA Server?
View 8 Replies
View Related
Apr 29, 2012
We are deploying ACS 5.2 to replace our ACS 4.2 in production. I have two wireless networks setup as WPA2-Enterprise. One points at the ACS 4.2 and the other at the ACS 5.2. Both use the same SSL certificate with the same CN. Both authenticate Windows 7 clients. However, Windows 8 CP will only authenticate to the ACS 4.2 and not to ACS 5.2. The error it gives is:
11051 Radius packet contains invalid state attribute
It also shows no authentication method (most of the time).
Occasionally, I get a request that actually shows an authentication method of PEAP (EAP-MSCHAPv2) which is what it should be. On those requests, I get error:
24444 Active Directory operation has failed because of an unspecified error in the ACS.
Both ACs 4.2 and ACS 5.2 are pointed at the same Windows AD source.
View 3 Replies
View Related
Apr 18, 2011
I need this SSL certficate installation on my acs appliance 1120 for PEAP clients.I have exported SSL server certficate from my old acs 3.3 server which is under acscertstore folder issued by CA vendor . I need to reuse this same SSL certificate on my acs appliance .ACS appliance certficate setup requires following two certificate to be installed for PEAP clients authentication
1) Server Certificate
2) CA certificate
Server Certificate : For server certifcate , I have my old certificate which is exported from my old acs 3.3 server , when i tried to download my server certficate via ftp server on my acs appliance , its looking for private key & private key file .Private key & file is generated intially on CSR request when this server certificate is requested to CA vendor for my old acs 3.3 . I dont know the private key password . If i need private key & file , then i need to generate new CSR from my acs appliance and i need to submit this CSR output to my CA vendor to generate new SSL server certificate .which is something like new server certificate request .CA certficate : For CA certficate , when i open my existing SSL certificate under detials tab in CRL distribution point , i could see below URL . whn i open this URL it giving certificate revocation list . [1]CRL Distribution Point.
View 10 Replies
View Related
Apr 8, 2013
Managed to guest LWA working with ISE for wireless guest portal access? I have Cisco 4400 WLCs running latest 7.0 code and ISE 1.1.2.All guest portal examples seem to be CWA which only works on 7.2 code.Am I without hope getting this working on 7.0 code?
View 3 Replies
View Related
Apr 28, 2012
Although, ACS states its installed, after going through the startup. However when I do show application nothing comes up. When I do a application start acs, %Application failed to start.
View 7 Replies
View Related
Jun 5, 2013
I've just had to rebuild my ACS appliance with new hardrives but I am unable to register the devices to each I get a system error. I thought it may have had something to do with the rebuilt device not being joined tothe domain but it has now been joined albeit using a different ad account, but still cannot register to primary.
View 11 Replies
View Related
Mar 12, 2013
I have already set up a lab comprising of 1x2950-24 switch, 2x3750-24T in stack mode and 2x MS Domain Controller with AD 2008 Servers and NPS enabled (Domain level 2008). I use NPS as a Radius Server. I am trying to test the 802.1x framework in two scenarios.
1. I use as client a domain laptop with Windows XP SP3 with the embedded 802.1x MS supplicant. As authenticator use the 2950 switch and as authentication servers I use the two NPS integrated in MS DCs. Everything is working fine as I expected with basic configuration guidelines from Cisco & Microsoft.
2. I use as client a domain laptop with Windows XP SP3 with the embedded 802.1x MS supplicant (the same as before). As authenticator I use the 3750 Stack switch and as authentication servers I use the two NPS integrated in MS DCs (the same as before). I have configured the supplicant for both machine or user authentication in both scenarios. However the client never pass the authentication in the second one. I disconnect and connect the same supplicant in the 2950 switch and the authentication is completed successfully. Getting back to the 3750 stack the authentication failed and the laptop gains network access in the configured Auth-Failed Vlan. I have tried several configuration changes without success. I cannot understand why does this happen. I have made some debugs and I am sending them a long with a partial basic configuration of 3750 stack switch.
View 7 Replies
View Related
Sep 11, 2012
I´ve implemented 2 Cisco ISE v1.1 in HA to run MAB and 802.x Authentication / Authorization. Using Local ISE DB and Active Directory as an External Identity Source for wireless and wired users and devices. This was working fine 2 weeks ago after finishing installation.
My NAD devices are a Core SW 6500 for wired users (there are no access SW, just the Core for the whole network, its a small office) and a WLC 2405 for Wireless Users.[code].....
View 3 Replies
View Related
Jun 27, 2012
we have a ACS server V4 installed on W2003 server ,when we make a telnet to an equipement on the wan the authentication pass on the first connexion ,but when we telent to a switch on the lan the first connxion fails and we need to retry to login .when i check the field attempt log on the ACS i dont find the field attempt.i find this issue in ALL switch on the LAN ,from the switch i can ping the the ACS server .this problem appear frequently?
View 1 Replies
View Related
Dec 27, 2012
I have ACS 5.3.0.40 Primary Secondary Authenticators , of which the Scheduled backup has stopped.When checked the : Monitoring Configuration > System Operations > Data Management > Removal and Backup > Incremental Backup , it had changed to OFF mode. without any reason.Later i did the acs stop/start "view-jobmanager" and initiated the On-demand Full Backup , but no luck, same error reported this time too.
View 2 Replies
View Related
Oct 14, 2012
While installing ISE 3395 i am getting error failed to start DB!
Database is not available withintimeout of 240 seconds.this could be reason of incorrect network configuration or lack of resources on the appliance or VM, run the folloing CLI to re-prime database 'application reset-config ise'
View 3 Replies
View Related
Dec 5, 2012
I am gettning warning messages in ISE saying
Cause:Dynamic Authorization Failed for Device: 0002SWC003 (switch)Details:Dynamic Authorization Failed
It is not only on that switch but on all switches I have configured. I am using 3560 IPBase 12.2(55)SE6. I have configured them according to Trustsec 2.1. My end devices are none-802.1x. I can't figure out what is causing this error.
The thing is that I have not experienced any problem. In Live Authentications there are some 'Unknown' and 'Profiled' devices hitting the DenyAccess rule, but other then that everying is beeing Authorized fine.
View 8 Replies
View Related
Jan 8, 2013
Having an issue where a user will plug a PC into a switch. The switch does a MAB authenticaiton and the MAC is not located in the ACS server. It logs the failed attempt, but when the PC is removed from the switch, the failed attempts keep getting logged until the port is bounced. Any way to keep the attemps from happening after the PC is removed? If not, any way to make it stop without bouncing the port?
running ACS version 5.2.0.26
switch port config:
interface GigabitEthernet1/0/2
sw access vlan 2 sw mode access
authentication control-direction in
authenticaion host-mode multi-auth
authentication port-control auto
mab
spanning-tree portfast
View 2 Replies
View Related
Jan 29, 2012
I have configured Radius authentication on Windows 2008 server (NPS) The following configuration is working perfectly on Cisco Switch 3560. [code]But, the same configuration is not working on Cisco Catlyst Switch 6509 (C3560-IPBASEK9-M), Version 12.2(46)SE, RELEASE SOFTWARE (fc2)/
View 2 Replies
View Related
Sep 19, 2011
have a ACS 5.2 version installed on Vmware . I purchased below liscense
Product Name : L-CSACS-5-LRG-LIC=
Product Description : L-CSACS-5-LRG-LIC= : ACS 5 Large Deployment License (Electronic Delivery)
When i am trying to upgrade the liscense i am getting an Error " Liscense file installation failed : The liscense file must contain single base liscense "
View 2 Replies
View Related
Nov 29, 2011
I am facing an issue with several ACS appliances (some other work well) when upgrading to version 5.2.0.26.8.
When I launch the command acs patch install, I receive the following error message (we use FTP):
Failed to copy file '5-2-0-26-8.tar.gpg' from repository PatchRepository
(Error -302)
% Error: patch install 5-2-0-26-8.tar.gpg from repository PatchRepository - transfer failed (code 1)
This happens on three appliances but I could successfully upgrade 4 other appliances.
What is the reason behind this error code ? What could I do solve it ? I have already tried to create another repository on another server, without success.
View 5 Replies
View Related
Feb 2, 2012
We have a group in TACACS ACS4.2. I configure it can do show command. When logged, it can do show command some parameters, like show ip interface, but it cannot do show running-config. it says "command authorization failed".
View 2 Replies
View Related
May 5, 2011
I've got a problem with Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance.
ACS4.2 has been configured to use both internal and external database. It's been working fine for a couple or years.
Recently we bought a Cisco 4710 ACE appliance. When I use ACS4.2 internal username and password to login the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS4.2. However, if I use AD username and password, I couldn't login in. The message is "Login incorrect". I checked the failed attempts log on the ACS4.2, there was no log regarding the failed attempt. My AD username and password works fine on all other cisco routers and switches.
I've posted my AAA configuration of the 4710 ACE below. ACE is running on the latest version A4(1.1).
tacacs-server key 7 "xxxxxxxxxxxxx"aaa group server tacacs+ tac_admin server xx.xx.xx.xx
aaa authentication login default group tac_admin local aaa authentication login console group tac_admin local aaa accounting default group tac_admin
View 2 Replies
View Related
Mar 14, 2013
I have a pair of ASA 5520 firewalls running in active/standby mode on 8.3.2.34 code. My configuration performs authentication/authorization into ACS 5.1, however command authorization is failing when I try to execute a command on the standby from the active unit...
failover exec standby dir disk0:/
Fallback authorization. Username 'adminuser' not in LOCAL database Command authorization failed
I don't even see the authentication attempt going into ACS.
View 2 Replies
View Related
Jan 23, 2013
I´ve try to configure a VPN IPSEC between a Cisco 7200 and Juniper ISG2000.The tunnel looks like good but when a ping is sending, I´ve packets lost and getting the next error:IPSEC(epa_des_crypt): decrypted packet failed SA identity check.My configuration en both sites is the follow: [code] What is the possible problem here. mea be in the Cisco 7200 configuration or in ISG Configuraton??
View 4 Replies
View Related
Apr 14, 2011
I have a question its posible to authenticate an cisco phone and PC with the same vlan(voice and data)when i do this configuratión , the phone and pc dont work. The phone display registering and never finished.interface FastEthernet0/5 switchport mode access switchport voice vlan 1 authentication event fail action authorize vlan 11 authentication event no-response action authorize vlan 11 authentication host-mode multi-domain authentication port-control auto authentication periodic authentication violation protect mab dot1x pae authenticator dot1x timeout tx-period 10 dot1x max-reauth-req 3 spanning-tree portfastend.
View 1 Replies
View Related
Jan 3, 2012
While working in a 3560 all of a sudden I received the message "command authorization failed" while trying to issue certain commands.
It appears I lost my priv 15 authorization. We have seen this before, we do not have access to the ACS to trouble shoot the issue.I tried logging in a 2nd and 3rd time using tacacs and received the same error whenever I issued a command such as dir flash: , copy tftp flash or show run. At the time I was trying to copy IOS to the switch, I had a co-worker log in and it was fine for him and he completed the copy.
Once completed I logged back in and all was fine again. We suspect an issue with ACS? possibly a timeout of our TACACS authorization ?
View 1 Replies
View Related
Jan 8, 2013
I am getting Authorisation requests failed log entries for a user however there aren't any successful authentication logs.
The user would never be able to authenticate as it no longer exists in ACS (it was the user for someone who left the company 3-4 month ago)
The other wierd thing is that the caller-id is 0.0.0.0 BTW the NAS is a Cisco ASA firewall running 8.0(3)
View 4 Replies
View Related
