EAP-TLS or PEAP Authentication Failed During SSL Handshake


Article ID: 177495

Products

Network Access Control

Issue/Introduction

Why is EAP-TLS or PEAP authentication failing during the SSL handshake?

Symptoms
Failed logon error: EAP-TLS or PEAP authentication failed during SSL handshake


Cause

This failure occurs when:

• The server validation is not configured correctly on the client.
• The machine certificate is not provisioned on the machine (when used with EAP-TLS).
• The client is unable to provide a user certificate for authentication.
• The AAA server certificate has expired.
• The Root CA certificate is not installed, or is not installed correctly, on the client.
• The same CA certificate is used for both the intermediate CA and the Root CA certificate (Root CA duplication).

Resolution

If the Certification Authority (CA) or Cisco Secure ACS (ACS) certificates have expired or are missing, distribute, renew, or update the certificates in the client's trusted root certificate store. Check that Network Time Protocol (NTP) is enabled on both the client and the ACS, since a wrong clock makes a valid certificate appear expired or not yet valid. Install the appropriate CA certificate on your system, as Authenticated in-band PAC Provisioning requires a valid Trusted Root CA certificate.

We do not recommend self-signed certificates. Use a CA instead.
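The causes and resolution above amount to a chain-validation checklist: is every certificate in the chain inside its validity window at the client's current time, does the chain end in a root the client actually trusts, and is the root certificate being presented a second time as an intermediate. The following Python script is an added example written for this article, not code from the Cisco or Symantec documentation. It models certificates as small records (subject, issuer, validity window, fingerprint, CA flag) instead of parsing real X.509, and all names, fingerprints and dates are constructed; the `diagnose()` function runs the checklist against a constructed corporate PKI in each of the failure scenarios the article lists.

```python
"""Diagnose the certificate conditions behind
'EAP-TLS or PEAP authentication failed during SSL handshake'.

Added example; certificates are modelled as dataclasses and every value below is constructed.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    fingerprint: str       # SHA-256 of the DER encoding in a real chain; short labels here (constructed)
    is_ca: bool = False


# Constructed "current time" used by the scenarios below
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def diagnose(chain, trust_store, now=NOW, max_skew=timedelta(minutes=5)):
    """chain: [AAA server cert, intermediates...] as presented in the TLS handshake.
    trust_store: the Cert objects in the client's trusted root store.
    Returns a list of human-readable findings; an empty list means the chain validates."""
    findings = []
    if not chain:
        return ["no server certificate presented by the AAA server"]

    # 1. Validity window of every certificate, judged at the *client's* clock
    for cert in chain:
        if now > cert.not_after:
            findings.append(f"{cert.subject}: expired on {cert.not_after:%Y-%m-%d}")
        elif now < cert.not_before:
            findings.append(f"{cert.subject}: not yet valid at client time (check NTP / client clock)")
        elif cert.not_after - now <= max_skew or now - cert.not_before <= max_skew:
            findings.append(f"{cert.subject}: validity boundary within {max_skew}; clock skew may fail the handshake")

    # 2. Root CA duplication: a trust anchor also sent as an intermediate
    anchors = {c.fingerprint for c in trust_store}
    for cert in chain[1:]:
        if cert.fingerprint in anchors:
            findings.append(f"{cert.subject}: Root CA certificate also presented as an intermediate (Root CA duplication)")

    # 3. Chain building: follow issuer links until a trusted root is reached
    by_subject = {c.subject: c for c in chain[1:]}
    roots_by_subject = {c.subject: c for c in trust_store}
    current, seen = chain[0], set()
    while current.issuer not in roots_by_subject:
        if current.issuer == current.subject:
            findings.append(f"{current.subject}: self-signed and not in the client's trusted root store")
            break
        nxt = by_subject.get(current.issuer)
        if nxt is None or nxt.subject in seen:
            findings.append(f"issuer '{current.issuer}' of {current.subject} is neither in the chain "
                            "nor in the client's trusted root store")
            break
        if not nxt.is_ca:
            findings.append(f"{nxt.subject}: used as an issuer but is not a CA certificate")
            break
        seen.add(nxt.subject)
        current = nxt
    return findings


def build_pki():
    """Constructed two-tier PKI: root -> issuing CA -> AAA (ACS) server certificate."""
    root = Cert("CN=Corp Root CA", "CN=Corp Root CA",
                NOW - timedelta(days=3650), NOW + timedelta(days=3650), "fp-root", is_ca=True)
    issuing = Cert("CN=Corp Issuing CA", "CN=Corp Root CA",
                   NOW - timedelta(days=1000), NOW + timedelta(days=1000), "fp-issuing", is_ca=True)
    aaa = Cert("CN=acs.example.com", "CN=Corp Issuing CA",
               NOW - timedelta(days=100), NOW + timedelta(days=265), "fp-aaa")
    return root, issuing, aaa


def scenarios():
    """Run the checklist against each failure cause named in the article; returns name -> findings."""
    root, issuing, aaa = build_pki()
    good_chain = [aaa, issuing]
    return {
        "healthy": diagnose(good_chain, {root}),
        "expired_aaa_cert": diagnose([replace(aaa, not_after=NOW - timedelta(days=1)), issuing], {root}),
        "root_not_installed": diagnose(good_chain, set()),          # client lacks the Root CA
        "root_duplication": diagnose([aaa, issuing, root], {root}),  # root sent again as intermediate
        "client_clock_wrong": diagnose(good_chain, {root}, now=NOW - timedelta(days=200)),  # NTP problem
        "self_signed_aaa": diagnose([replace(aaa, issuer=aaa.subject)], {root}),
    }


if __name__ == "__main__":
    for name, findings in scenarios().items():
        print(f"{name}: {findings or 'chain validates'}")
```

The ordering of the checks mirrors the order in which an administrator would investigate: validity and clock first (cheap to confirm, and an NTP fault looks identical to an expired certificate from the client's point of view), then whether the presented chain is assembled correctly, then whether it terminates in a root that is actually in the client's store.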


References
http://www.ciscosystems.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1.3/troubleshooting/guide/ecodes.html