
Layer 2 Enforcement 802.1x

Occasional Contributor

Layer 2 Enforcement 802.1x

Hi all,

I have configured MAG and WLC to use Active Directory.

When I authenticate to the SSID, it fails.

I have a log like this:

2013-04-16 10:00:52 - ic - [0.0.0.0] mydomain\test()[] - Radius authentication rejected for mydomain\test (realm '') from location-group 'Default' and attributes are: NAS-IP-Address = 192.168.5.239,NAS-Port = 6664,NAS-Port-Type = 19
2013-04-16 10:00:52 - ic - [0.0.0.0] edii\test()[] - TLS handshake failed - client issued alert 'unknown intermediate certificate authority'

Could you share that for me?

Thanks

F

Super Contributor

Re: Layer 2 Enforcement 802.1x

Hi Feri,

Please post your query to the UAC forum using the link below:

http://forums.juniper.net/t5/Identity-and-Policy-Control/bd-p/UnifiedAccessControl

Regards,

Kannan

Super Contributor

Re: Layer 2 Enforcement 802.1x

Hi Feri,

From the error message, it seems that the IC device has got the device CA, which has been generated through an intermediate CA and a root CA.

A missing intermediate or root CA in the client machine's cert store is causing this issue.

Kindly ensure that you upload the intermediate CA and root CA into the Trusted Intermediate CA and Trusted Root CA stores in the cert store of the client machine. Once this is done, test the authentication after making the changes and update us with the results.

Hope this fixes your issue.

Note: If I have answered your questions, you could mark this post as the accepted solution; that way it could help others as well. Kudos will be a bonus, thanks!

Regards,
Kannan

Occasional Contributor

Re: Layer 2 Enforcement 802.1x

Hi,

I'm sorry, this is the wrong room :)
I think because I'm using MAG, I posted here.

And thanks for your question, so I must upload the intermediate CA and root CA to the PC?

Could you tell me about intermediate CA and root CA?

Thanks

Feri

Super Contributor

Re: Layer 2 Enforcement 802.1x

Hi Feri,

Thanks for the update.

I hope that you are using group-based Active Directory authentication for this, using the username/password options.

Yes, you must upload the intermediate and root CAs into the PC's cert store, in the Trusted Server CA and Intermediate CA store list.

There are two types of certificate authorities (CAs): root CAs and intermediate CAs. In order for a certificate to be trusted, and often for a secure connection to be established at all, that certificate must have been issued by a CA that is included in the trusted store of the device that is connecting.

If the certificate was not issued by a trusted CA, the connecting device (e.g., a web browser) will then check to see if the certificate of the issuing CA was issued by a trusted CA, and so on until either a trusted CA is found (at which point a trusted, secure connection will be established) or no trusted CA can be found (at which point the device will usually display an error).

To facilitate this process of verifying a "chain" of trust, every certificate includes the fields "Issued To" and "Issued By". An intermediate CA will show different information in these two fields, showing a connecting device where to continue checking, if necessary, in order to establish trust.

Root CAs, on the other hand, are "Issued To" and "Issued By" themselves, so no further checking is possible or necessary in order to establish trust (or lack thereof).

Hope this explanation clarifies root and intermediate CAs for you.

In your case, please check the certificate chain path of the device CA by opening it, download these CAs and load them into the PC cert store.

You can use AD group policies to push these CAs to many machines.

Note: If I have answered your questions, you could mark this post as the accepted solution; that way it could help others as well. Kudos will be a bonus, thanks!

Regards,
Kannan
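An added lab reproduction (not from this thread or from Juniper) of the chain-building failure the last reply describes: a constructed root -> intermediate -> server chain built with openssl, verified first with only the root in the trust store (rejected, the intermediate is unknown) and then with the intermediate supplied as well. All names and paths are made up; it assumes openssl 1.1 or later and mktemp.

```shell
#!/bin/sh
# Constructed lab PKI (root -> intermediate -> server); assumes openssl >= 1.1 and mktemp.
# Mirrors the thread's failure: the client trusts only the root, but the device cert
# was issued by an intermediate the client has never seen, so the chain cannot be built.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Extensions that mark a certificate as a CA (used for the root and the intermediate).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"

# Build a three-level chain: self-signed root, intermediate signed by the root,
# server ("device") certificate signed by the intermediate.
make_chain() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Lab Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 365 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Lab Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 365 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ic.lab.test" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 365 -out "$WORK/srv.pem" 2>/dev/null
}
# "Issued To" is the subject and "Issued By" the issuer; a root CA has both equal.
is_self_signed() {
  subj="$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')"
  iss="$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')"
  [ "$subj" = "$iss" ]
}
# Verify the server cert against a trust store ($1). $2, if given, is a file of extra
# untrusted certs the verifier may use to complete the chain (the intermediate), which
# is what loading the intermediate into the client's store achieves.
verify_server() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$WORK/srv.pem"
  else
    openssl verify -CAfile "$1" "$WORK/srv.pem"
  fi
}
make_chain
for c in root int srv; do openssl x509 -in "$WORK/$c.pem" -noout -subject -issuer; done
verify_server "$WORK/root.pem" || echo "root only: rejected, issuer (intermediate) unknown"
verify_server "$WORK/root.pem" "$WORK/int.pem" && echo "root + intermediate: chain complete"
```

The first verify prints openssl's "unable to get local issuer certificate", the same condition behind the client's 'unknown intermediate certificate authority' alert in the log above.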