Article

802.1x User PEAP User Rejected in NAC

Symptoms
  • 802.1x Reject seen in the State column in NAC Manager
  • NAC Manager Events display:
    Client Certificate Error(s): 1) Unknown Certificate Authority: A valid certificate chain or partial chain was received, but the certificate was not accepted because the CA certificate could not be located or couldn't be matched with a known, trusted CA.

 
Environment
  • All NAC platforms
  • Identifi Wireless
  • All switch Firmware versions

 
Cause
This occurs when the Validate Server Certificate option is enabled on the client and the CA certificate that issued the NAC's RADIUS server certificate is not present in the client's certificate trust store.
Resolution
Any one of the following resolves the error:
  1. Uncheck the "Validate Server Certificate" option on the client (the client then no longer verifies the identity of the RADIUS server it authenticates to).
  2. Configure the NAC's RADIUS certificate with a certificate signed by a commercial CA (such as GoDaddy, VeriSign or DigiCert).
  3. Configure the NAC's RADIUS certificate with a certificate issued by a self-signed CA and distribute that CA's certificate to the client / end system's local certificate trust store.

 
Additional notes
By default, NAC deploys with a self-signed certificate from an internal Certificate Authority (CA) as its RADIUS server certificate. Replacing this certificate with one issued by an external CA, and placing that external CA's root certificate in the client's certificate trust store, is the most common practice. However, the root certificate of the NAC internal CA can also be downloaded from the NAC with any SCP client; it is contained in the file /opt/nac/radius/raddb/certs/selfsigned_ca.pem.

The same error can also occur if the certificate does not contain the NAC's fully qualified domain name (FQDN), including the domain: for example, it should read nacx.extreme.com, not just extreme.com. For more on setting this up correctly, see How To Generate A Certificate Signing Request (CSR) On A NAC Appliance.

How the above root certificate is imported depends on the operating system of the client, and is therefore left to the on-site systems administrator.
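The following shell script is an added example, not part of the original article or of the NAC product: it checks a RADIUS server certificate the way a PEAP client with "Validate Server Certificate" enabled does, first that it chains to a trusted CA (the "Unknown Certificate Authority" condition above) and then that it carries the NAC's full FQDN rather than only the domain. It requires openssl; the CA name, host name nac1.example.com and file names are constructed for the demo.

```shell
# make_demo_certs DIR: constructed test material, an internal CA ("Demo NAC CA")
# plus a server certificate it signs for nac1.example.com (stands in for
# selfsigned_ca.pem and the NAC's RADIUS server certificate).
make_demo_certs() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo NAC CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=nac1.example.com" \
    -keyout "$dir/srv.key" -out "$dir/srv.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$dir/srv.csr" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/srv.pem" >/dev/null 2>&1
}

# check_radius_cert CA_PEM SERVER_PEM FQDN
# Returns 0 only if SERVER_PEM chains to CA_PEM *and* names FQDN in a DNS
# SAN or the subject CN. Returns 1 for an unknown CA, 2 for a name mismatch.
check_radius_cert() {
  ca="$1"; cert="$2"; fqdn="$3"
  # Chain check: a failure here is what NAC logs as "Unknown Certificate Authority".
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
  # Name check, SAN entries first: each "DNS:<name>" must equal the full FQDN.
  if openssl x509 -in "$cert" -noout -text 2>/dev/null \
       | tr ',' '\n' | sed 's/^ *//' | grep -qx "DNS:$fqdn"; then
    return 0
  fi
  # Fall back to the subject CN (the case in the demo certificate above).
  if openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null \
       | sed 's/^subject=//' | tr ',' '\n' | grep -qx "CN=$fqdn"; then
    return 0
  fi
  return 2
}

# Demo run on the constructed material in a temporary directory.
demo=$(mktemp -d) && make_demo_certs "$demo"
check_radius_cert "$demo/ca.pem" "$demo/srv.pem" nac1.example.com \
  && echo "nac1.example.com: accepted"
check_radius_cert "$demo/ca.pem" "$demo/srv.pem" example.com \
  || echo "example.com: rejected, rc=$? (domain only, not the host FQDN)"
```

To check a real NAC, copy selfsigned_ca.pem (or the external CA's root) and the RADIUS server certificate from the appliance and pass them to check_radius_cert with the NAC's FQDN.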

 
