Setting up authentication Radius ACS 4.0.2

Similar Questions

• Authentication Radius ACS with WLC 5508 and AD 2012 5.5 failure

  Hello

  I need help on these errors.

  Here is my configuration: WLC 5508 7.6.130.0-> ACS 5.5.0.46-> AD 2012

  I have (2) errors in ACS 5.5

  12514 EAP - TLS failed SSL/TLS handshake because of unknown CA in the client certificate chain

  22044 result of identity politics is configured for certificate-based authentication methods but based received password

  Already installed the CA cert and cert local in ACS as well as in the client PC.

  Please see screenshots

  OK, in this case:

  1. you will need to properly configure the Windows pleading before that this can work. You need to set the type of authentication and the trusted certification authority. If the certification authority is not available in the list of certificates, you need to import

  2. If you do PEAP then your identity store should be Active Directory and no profile authentication certificate. The certificate authentication profile is used for the basis of certificates (EAP - TLS) authentication.

  Thank you for evaluating useful messages!

• Try to set up authentication RADIUS on ASA5505 8.3

  I set up my firewall with local authentication for a regular dynamic VPN put in place, but I need to change it to authenticate with the server. The server is configured and ready to go, but I want to make sure that the firewall will also be.

  Here is my config:

  ASA # sh run
  : Saved
  :
  ASA Version 8.3 (1)

  ASA host name
  mydomain.local domain name
  activate the encrypted password of GmSL9emLLUC2J7jz
  2KFQnbNIdI.2KYOU encrypted passwd
  names of

  interface Vlan1
  nameif inside
  security-level 100
  IP 192.168.1.1 255.255.255.0

  interface Vlan2
  nameif outside
  security-level 0
  PPPoE client vpdn group pppoe_group
  IP address pppoe setroute

  interface Ethernet0/0
  switchport access vlan 2

  interface Ethernet0/1

  interface Ethernet0/2

  interface Ethernet0/3

  interface Ethernet0/4

  interface Ethernet0/5

  interface Ethernet0/6

  interface Ethernet0/7

  boot system Disk0: / asa831 - k8.bin
  passive FTP mode

  clock timezone CST - 6
  clock to summer time recurring CDT

  DNS server-group DefaultDNS
  mydomain.local domain name

  permit same-security-traffic inter-interface
  permit same-security-traffic intra-interface

  network obj_any object
  subnet 0.0.0.0 0.0.0.0

  object obj-vpnPool network
  192.168.101.0 subnet 255.255.255.0

  the SERVER01 object network
  the host 192.168. *. *

  object obj-internal network - 192.168.1.0
  subnet 192.168.1.0 255.255.255.0

  network of the SERVER02 object
  the host 192.168. *. *

  network of the SERVER03 object
  the host 192.168. *. *

  object obj-OutsideIP network
  Home 74.164.148.6

  splittunnel list standard access allowed 192.168.1.0 255.255.255.0

  access extensive list ip 192.168.101.0 outside_in allow 255.255.255.0 192.168.1.0 255.255.255.0
  access extensive list ip 192.168.1.0 outside_in allow 255.255.255.0 192.168.101.0 255.255.255.0

  outside_in list extended access permit tcp any host 192.168. *. * eq www
  outside_in list extended access permit tcp any host 192.168. *. * eq https
  outside_in list extended access permit tcp any host 192.168. *. * eq smtp

  pager lines 24
  asdm of logging of information

  Within 1500 MTU
  Outside 1500 MTU

  IP local pool vpnpool 192.168.101.50 - 192.168.101.100

  ICMP unreachable rate-limit 1 burst-size 1
  ASDM image disk0: / asdm - 524.bin
  don't allow no asdm history
  ARP timeout 14400

  NAT (inside, outside) source static obj-internal - 192.168.1.0 obj-internal - destination 192.168.1.0 static obj-vpnPool obj-vpnPool

  network obj_any object
  NAT dynamic interface (indoor, outdoor)

  the SERVER01 object network
  NAT (inside, outside) interface static tcp smtp smtp service

  network of the SERVER02 object
  NAT (inside, outside) interface static tcp www www service

  network of the SERVER03 object
  NAT (inside, outside) interface static tcp https https service

  Access-group outside_in in external interface

  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00

  dynamic-access-policy-registration DfltAccessPolicy

  the ssh LOCAL console AAA authentication
  AAA authentication LOCAL telnet console
  AAA authentication http LOCAL console

  Enable http server
  http 192.168.1.0 255.255.255.0 inside
  http 0.0.0.0 0.0.0.0 inside

  No snmp server location
  No snmp Server contact

  Community SNMP-server
  Server enable SNMP traps snmp authentication linkup, linkdown cold start

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association
  Crypto dynamic-map-RA - VPN 1 set of transformation-ESP-3DES-MD5
  Crypto dynamic-map-RA - VPN 1 set of security association lifetime seconds 28800
  cryptographic kilobytes 4608000 life of the set - the association of security of VPN - RA 1 dynamic-map
  Crypto than VPN-RA - dynamic-map 1jeu reverse-road
  Crypto map 65535 ipsec-isakmp dynamic VPN - RA RA - VPN
  RA - VPN interface card crypto outside
  crypto isakmp identity address
  crypto ISAKMP allow inside
  crypto ISAKMP allow outside
  crypto ISAKMP policy 10
  preshared authentication
  3des encryption
  md5 hash
  Group 2
  life 86400

  crypto ISAKMP policy 65535
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400

  ISAKMP crypto 10 nat-traversal
  crypto ISAKMP ipsec-over-tcp port 1000

  Telnet 0.0.0.0 0.0.0.0 inside
  Telnet 0.0.0.0 0.0.0.0 outdoors
  Telnet timeout 60

  SSH 0.0.0.0 0.0.0.0 inside
  SSH 0.0.0.0 0.0.0.0 outdoors
  SSH timeout 60

  Console timeout 0

  management-access inside

  VPDN group pppoe_group request dialout pppoe
  VPDN group pppoe_group localname [email protected] / * /
  VPDN group ppp authentication pap pppoe_group
  VPDN username [email protected] / * / password *.

  dhcpd dns 192.168. *. * 4.2.2.2
  dhcpd lease 8400
  dhcpd ping_timeout 750
  dhcpd mydomain.local domain
  dhcpd outside auto_config

  dhcpd address 192.168.1.2 - 192.168.1.33 inside
  dhcpd allow inside

  priority queue inside
  priority-queue outdoors

  a basic threat threat detection
  Statistics-list of access threat detection

  no statistical threat detection tcp-interception
  WebVPN

  internal examplevpn group policy
  attributes of the strategy of group examplevpn
  value of server DNS 192.168. *. * 4.2.2.2
  Protocol-tunnel-VPN IPSec
  Split-tunnel-policy tunnelspecified
  value of Split-tunnel-network-list splittunnel
  mydomain.local value by default-field

  vicky 9fO.vlLc77pAFoHp of encrypted privilege 15 password username
  username otherusers encrypted password privilege 10 hhckff6QokyoRdar
  examplevpn IKg0RMHfprF6Ya3u username encrypted password

  admin DwCTJcBn.Q0dDe9z encrypted privilege 15 password username
  attributes of user admin name
  VPN-group-policy examplevpn

  type tunnel-group RA - VPN remote access
  type tunnel-group examplevpn remote access
  tunnel-group examplevpn General-attributes
  address vpnpool pool
  authorization-server-group (outside LOCAL)
  Group Policy - by default-examplevpn

  examplevpn group of tunnel ipsec-attributes
  pre-shared key *.

  Global class-card class
  match default-inspection-traffic

  class-map class_sip_tcp
  sip port tcp eq game

  class-map inspection_default
  match default-inspection-traffic

  type of policy-card inspect dns preset_dns_map
  parameters
  message-length maximum 512

  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect the skinny
  inspect sqlnet
  inspect the tftp
  inspect sunrpc
  inspect xdmcp
  inspect the sip
  inspect the icmp
  inspect the amp-ipsec
  Review the ip options
  class class_sip_tcp
  inspect the sip

  global service-policy global_policy
  context of prompt hostname
  Cryptochecksum:3edb25d4a550f0394e8c1936ab3326ad

  Did I all I have to add / is this correct?

  RADIUS protocol AAA-server RADIUSvpn
  Max - a attempts failed 5
  AAA-server vpn (DMZ) host 172.16.1.1
  interval before new attempt-1
  timeout 30
  key cisco123

  type tunnel-group RA - VPN remote access
  General-attributes of RA - VPN Tunnel-group
  address vpnpool pool
  authentication-server-group RADIUSvpn

  I'm still relatively new to firewalls and find the overwhelming online help sometimes. Help, please

  Vicky

  Can you comapre the config with the doc and see if something may be missing?

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00808c3c45.shtml

  Use the troubleshooting area in the doc to find the DN, I think that you are missing a part of the DN string. Sorry for the late response

• Devices configured for authentication under ACS

  Hi friends,

  Would like to know how many devices can be configured for authentication under ACS version 5.6.0.22 (Cisco Secure Network Server 3415).

  I'm not able to find the same everywhere.

  Concerning

  JN

  Hello

  It depends on the license that you install on the ACS 5.6.

  All deployments of 5.6 ACS supports customers AAA 100 000, 10,000 network, 300,000 users and 150 000 host device groups. 5.6 ACS collector server log can handle 2 million records per day and 750 messages per second for stress sent by the various nodes of ACS in the deployment on the server of log collector.

  Please visit this link:

  http://www.Cisco.com/c/en/us/TD/docs/net_mgmt/cisco_secure_access_contro...

  With the Base license, a Cisco Secure ACS 5.6 appliance or virtual machine software can support the deployment of up to 500 devices of access network (DNA) such as routers and switches. These are not authentication, authorization and accounting clients (AAA). The number of network devices is based on the number of unique IP addresses that are configured. The limit of 500-device is not a limit for each individual device or the instance, but a limit of scale that applies to a set of instances of Cisco Secure ACS (primary and secondary instances) that are configured for replication.

  The optional add-on of large deployment license allows deployment to support over 500 network devices. Only one major deployment license is required by the deployment because it is shared by all instances.

  Please visit this link:

  http://www.Cisco.com/c/en/us/products/collateral/security/secure-access-...

  Kind regards

  Aditya

  Please evaluate the useful messages.

• Authentication Radius Cisco with Windows NAP with encrypted authentication

  I need authentication radius configuration for Cisco IOS devices for device management. My radius server is on Windows 2008 R2.

  Can I implement this with encrypted authentication? In the attached diagram, can what protocol I use for encrypted authentication?

  According to some sites, we need activate authentication in clear text. All those put in place secure as MSCHAP authentication?

  Hello

  You activate the text authentication (PAP) clear. Don't forget Ray sends the username in clear but encrypts the password. You can confirm this take a wireshark capture. You will also get the RADIUS encryption using a key to Ray long and complex.

  If you want to encrypt the user name and password, then you would use GANYMEDE

  Thank you

  John

• Authentication Radius 4.2 ACS and RADIUS Accounting

  Is it possible to configure 4.2 ACS to authenticate users of a wireless network (with autonomous APs) through RADIUS while I use the same ACS to provide the command represent the points of access via GANYMEDE +? This issue came out because when I configure the APs 'AAA Clients' under 'Network Configuration' of the ACS server (necessary config for authentication APs and end users), the authentication method used is the RADIUS (Cisco Aironet) and it prevents the generation GANYMEDE server command accounting reports under "reports and activities > GANYMEDE + Administration.

  Any idea on how to solve this problem?

  Thank you

  Antonio

  Hello

  Need to add a different hostname for the AP... IE, RPOS and APt, where you can use the same IP n but use radius for Ganymede and the other.

  Thank you

  Tarik Admani
  * Please note the useful messages *.

• Add under "Setting up groups" RADIUS attributes ACS 4.2

  Hi Security Experts,

  I need to add RADIUS attributes to a custom under the 'Groups Configuration' page provider ACS 4.2. From now on, I see of Cisco Aironet RADIUS attributes.

  IETF RADIUS attributes etc in the page "setting up groups. How can I ensure that the RADIUS attributes for a provider also appear on this page?

  PS: I have the useful messages rate

  Thank you

  Boudou

  Under the "Interface", you can set which you want to view the RADIUS attributes. It is probably just a missing check for your provider.

  The Options for RADIUS are described here:

  http://www.Cisco.com/en/us/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/A_RADAtr.html

• Interaction of Ganymede + and radius ACS 2.6 download PIX ACLs

  We have ACS v2.6 running and control our connection to remote, routers and switches access. We are now looking to add support for a PIX firewall internal and want to use downloadable ACS ACL for the PIX. (to control outbound traffic through the PIX for authenticated users)

  We have achieved this help attributes RADIUS of Cisco IOS/PIX

  [009\001] cisco-av-pair on ACS. (and ACL restrictions of access on access to users)

  However the problem we noticed is that any user is valid in our database of CiscoSecure or SecureID can authenticate and gain access to through the firewall, even if they are not allowed to do this (and as it is by default on PIX from inside to outside is allowed unlimited full access).

  Was then imposed restrictions on network access on the CiscoSecure ACS for our PIX - to allow only access of corresponding user groups, but it did not work with RADIUS only GANYMEDE + (I guess that's because the RADIUS does not support approval).

  We must work with GANYMEDE + and the passes of the ACS to the bottom of the ACL number/ID for the PIX for users allowed.

  Question: We want to use downloadable s ACL of ACS for the PIX (for reasons of central support) is possible using GANYMEDE + and if yes how we re CiscoSecure ACS suitable for the ACL example below;

  pix_int list access permit tcp any host 10.x.x.x eq 1022

  pix_int list access permit tcp any host 10.x.x.x eq 1023

  Thank you

  Download ACL works only with the RADIUS, as described here:

  http://www.Cisco.com/warp/public/110/atp52.html#new_per_user

  You can continue to set the ACL on the PIX itself and simply pass the ACL via GANYMEDE number (as shown here: http://www.cisco.com/warp/public/110/atp52.html#access_list), but you can actually spend the entire ACL down via GANYMEDE, sorry.

• Authentication of ACS in the VPN tunnel

  We want to enable the ACS authentication to connect to different routers (Cisco 881 s) we have obtained who are communicating with our WAN via VPN tunnels. We want to avoid using public IP of the router to communicate and pass information to user/password with the ACS server and rely on the IP of the server private instead. The problem is that external interfaces of the router connect to the Internet using public IP addresses and when the router wishes to communicate with the ACS server it will use its IP of the interface to the public and which will fail. We can ping on the server of course when we set the source to the internal LAN IP.

  The question is are there any way to have the router contact ACS through the VPN tunnel using a private IP address?

  config is used and tested with success on local equipment:

  AAA new-model

  RADIUS-server host 10.x.x.x single-connection key xxxxxx

  AAA authentication login Ganymede-local group local Ganymede

  AAA authorization commands x Ganymede-local group Ganymede + if authenticated

  AAA authorization exec Ganymede-local group Ganymede + authenticated if

  See the establishment of privileges exec level x

  line vty 0 4

  Ganymede-local authentication login

  authorization controls Ganymede-local x

  -ACS ping to the router (WAN via VPN connection) when using public IP address of the router as the source address:

  RT881 #ping 10.x.x.x

  Type to abort escape sequence.

  Send 5, echoes ICMP 100 bytes to 10.x.x.x, time-out is 2 seconds:

  .....

  Success rate is 0% (0/5)

  -ACS ping to the router (WAN via VPN connection) when using IP private of the LAN as source address:

  RT881 #ping source 10.x.x.1 10.x.x.x

  Type to abort escape sequence.

  Send 5, echoes ICMP 100 bytes to 10.x.x.x, time-out is 2 seconds:

  Packet sent with a source address of 10.x.x.1

  !!!!!

  Success rate is 100 per cent (5/5), round-trip min/avg/max = 72/72/76 ms

  Looking forward to your responses and suggestions.

  Thanks, M.

  Hey Maher,

  You can use the command 'Ganymede-source interface ip' or 'RADIUS source-interface ip' for your scenario.

  I hope this helps!

  Kind regards

  Assia

• Authentication RADIUS with ISE - a wrong IP address

  Hello

  We use ISE for radius authentication.  I have setup a new Cisco switch stack to one of our branches and set up the device network in ISE.  Unfortunately, in trying to authenticate, ISE logs show a lack of "Impossible to locate device network or Client AAA" the reason for this failure is that the log shows that it comes from a bad IP address.  The IP address of the switch is 10.xxx.aaa.241, but the logs show that it is 10.xxx.aaa.243.  I removed and added the configs of RADIUS on ISE and the switch, but it is always so que.243.  There is another switch battery location (same model, IOS etc), which works correctly.

  The config of RADIUS on the switch:

  AAA new-model
  !
  !
  AAA authentication login default local
  AAA authentication login Comm group local RADIUS
  the AAA authentication enable default
  RADIUS group AAA authorization exec default authenticated if

  radius of the IP source-interface Vlanyy
  10.xxx.yyy.zzz RADIUS server
  10.xxx.yyy.zzz auth-port 1812 acct-port 1813 ipv4 address
  abcdefg 7 key

  The journal of ISE:

  Overview
  5405 RAY lost event
  Username
  ID of the endpoint
  Profile of endpoint
  The authorization profile

  Details of authentication
  Source Timestamp 2014-07-30 08:48:51.923
  Receipt 08:48:51.923 Timestamp 2014-07-30
  Policy Server ise
  5405 RAY lost event
  11007 failure reason could not locate device network or Client AAA
  Resolution check if the device network or AAA client is configured in: Administration > network resources > network devices
  Root cause could not find the network device or the AAA Client while accessing NAS by IP during authentication.
  Username
  Type of user
  ID of the endpoint
  Profile of endpoint
  IP address
  Identity store
  Membership group
  ID of Session verification
  Authentication method
  Authentication Protocol
  Type of service
  Network device
  Type of device
  Location
  10.xxx.AAA.243 address IP NAS
  ID of Port NAS tty2
  Virtual NAS Port Type
  The authorization profile
  Status of the posture
  Security group
  Response time

  Other attributes
  ConfigVersionId 107
  Device port 1645
  DestinationPort 1812
  Radius protocol
  NAS-Port 2
  AcsSessionID ise1/186896437/1172639
  IP address of the device 10.xxx.aaa.243
  CiscoAVPair

  Measures
  Request for access received RADIUS 11001
  11017 RADIUS creates a new session
  11007 could locate no device network or Client AAA
  5405

  As a test, I set up a device that uses the adresse.243.  While ISE claims that it authenticates, it really doesn't.  I have to use my local account to access the device.

  Any advice on how to solve this problem would be appreciated.  Please let me know if you need more information.

  Beth

  Remove your (RADIUS-server host 10.x.x.x... ect) tele-health and try this command and see if the problem goes away. The new section is the non-standard expression allows to see if that helps.

  RADIUS-server host non-standard key of acct-port of the auth-port 1645 10.xxx.xxx.xxx 1646 *.

• Cisco Nexus to use authentication Radius AAA using Microsoft 2008 NPS

  I have a Nexus 7010 running

  I was wondering if you can help me with something. I'm having a problem with the approval of the order through our aaa config. We have not an authentication problem of command approval that does not work. From what I've seen and read Nexus NX - OS 6.x has not all orders for the aaa authorization, unless you configure GANYMEDE +. My basic config is below if you can help would be much appreciated.

  > ip source interface mgmt radius 0

  > key RADIUS-server XXXXX

  > host X.X.X.X key radius server authentication XXXXX accountant

  > RADIUS-server host X.X.X.X XXXXX key authentication accountant aaa

  > authentication login default group aaa authentication Radius_Group

  > RADIUS server logon group console local aaa Radius_Group

  > server X.X.X.X

  > server X.X.X.X

  > mgmt0 interface-source

  Also nobody how to configure Microsoft 2008 NPS as Raduis server to work with Nexus? I read a few post that suggests to change the

  Shell: roles = "vdc-admin" in the value field of the attribute in the RADIUS server

  Anyone know if it works?

  Thank you

  I haven't used NPS before but sounds like you are on the right track. As Ed mentioned in his post, GBA, you can set the type of protocols that you will accept during an authentication session. Authentication Nexus sessions is considered as PAP/ASCII, so you should be good to go. I don't have a Nexus switch to test with, but if you can use wireshark to capture the session and see the exact protocol / method used. However, I am sure that PAP is the way to go:

  http://www.Cisco.com/c/en/us/TD/docs/switches/Datacenter/SW/4_1/NX-OS/se...

  I also found the link that you might find useful:

  http://www.802101.com/2013/08/Cisco-Nexus-and-AAA-authentication.html

  Thank you for evaluating useful messages!

• Setting up authentication by using ad group mappings

  Hello

  I recently installed ACS 5.3 and I try to configure as follows:

  (1) devices are separated in places and device types.

  (2) ACS performs authentication by using AD.

  (3) the user must be in the specific ad group in order to access a device specific type/location.

  I'm testing my setup with WCS. The server has been added to the list of network devices and placed in the appropriate place/device type.

  Under the rules of access, I have set up a named (NAAS-WCS) Access Service that has an identity and mapping group structure.defined as follows:

  * Identity: Condition (NDG:Device Type-> in all Types of devices: WC), results (identity store: AD1).

  * Mapping group: (Condition: AD1:ExternalGroups), results (identity group: all groups: SBD-SEC-ENG).

  What I'm trying to implement is the following rule:

  If (device in device type WC) and (the user in the Group G-CRP-SEC-ENG) then allow access otherwise block.

  I added the groups in the AD of the server configuration and used this group in the definition of the rules. The error I get from Ganymede when I try to open a session is attached in jpeg format.

  Anyone know where I am going wrong? It's the first time I used the new ACS system.

  Thank you

  Sami Abunasser

  I had a similar problem, since any request came as CHAP/MD5, which is not the same as MS-CHAP v1 and v2 that we chose the GBA.

  How do you try to authenticate users? Web page or dot1x? If it's a web page, choose PAP as authentication and you should be fine.

• ISE device administration authentication Radius possible?

  Hello

  does anyone know if the edge RADIUS authentication and authorization administration is possible with the actual release of ISE? I know that GANYMEDE will be available in future releases.

  Concerning

  Joerg

  Yes it is possible according to the "Ask the experts" forum

  --------------------------

  https://supportforums.Cisco.com/thread/2172532

  "If you use RADIUS for the administration of the system, ISE can be used using authorization policy elements that return Cisco av-pairs."  But personally, I think that ACS is currently superior to ISE for this task. »

  --------------------------

  In any case, I'm about to test "device admin" and "network access" at the same time in the same switch with Radius and ISE.

  Please rate if this can help

• ISE - authentication radius AAA for n access

  Hello

  I have configured the switches to use the ISE as a Radius Server to authenticate with, on the ISE, I configured an authentication strategy

  for the 'DNA' using the devices 'Wired' group that points to the source of identity AD to authenticate.

  All testing switches access connection we found 2 results:

  1.A domain user can connect to the switch as expected.

  2. each domain user that exists in the source of advertising identity can connect, this is an undesirable result.

  So I will try to find a way to restrict access to the ENAD to only a specific group belonging to the announcement, for example the group/OU

  of the IT_department only.

  I did not, would appreciate any ideas on how to achieve this.

  Switching configurations:

  =================

  AAA new-model

  !

  AAA authentication login default local radius group

  !

  ISE authentication policy

  ==================

  !

  Policy name: DNA authentication

  Condition: ": a device Type equal to: all Types of devices #Wired.

  Authorized Protocol: default network access

  Use the identity source: AD1

  !

  No problem is how to set up policies, don't forget to evaluate any useful comments when you are finished testing.

  Thank you

  Tarik admani

• Authentication of ACS with PEAP / MSCHAPv2 - customer rejecting Server

  Hello

  Have a network setup wireless with Cisco 1131AG towers, c6500 WISN module test (4404-WLC) is authenticating with a Cisco ACS appliance (1113) using PEAP and MSCHAPv2 authentication.

  The laptops have the Cisco SSC customer (in collaboration with Mgmt SSC utility).

  A self-signed certificate created on the fate of ACS and root exported and installed on the laptop computer of TCL.

  IF CSSC box 'validation Server' is not selected, the authentication process works and I am able to connect to the network.

  IF CSSC "Validation of server" is checked, the authentication will fail.

  The problem, it appears that the customer refuses the server certificate:

  "Server certificate chain is not valid.

  The GBA, in the 'fail' authentication logs, message the following is stated:

  "Authentication failed during SSL negotiation" (which obvioously refers to the strand of string not valid)

  Any ideas?

  When you create a self-signed certificate, is there a specific directory, when the server certificate must be located? as c:\cert\certificate.cer

  Also, the certificate name must match host name of GBA?

  i.e." CN ="

  Any advice or pointers would be appreciated.

  Thank you

  Questions, it's that when you check the validation of server Box, you must make sure you have the certification authority in the root Certification Authority trusted. For example, in windows, there is a list of servers CA where you check the server certificate validation and also one of the root certification authority is on the list. If the root CA is not listed, then you must add to the list and check it out.

  You are right on the client rejecting the sever cert... Authentication failed during SSL negotiation

  This doc will give you an overview:

  http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_configuration_example09186a0080545a29.shtml