Why is EAO-TLS or PEAP authentication failing during ssl handshake?
Symptoms Failed logon error: EAP-TLS or PEAP authentication failed during SSL handshake
This failure occurs when: •The server validation is not configured correctly on the client. •The machine certificate is not provisioned on the machine (when used with EAP-TLS). •Unable to provide a user certificate for authentication. •The AAA server certificate has expired. •The Root CA certificate is not installed or is not installed correctly on the client. •The same CA certificate is used for intermediate CA or Root CA certificate: Root CA duplication.
If the Certification Authority (CA) or CISCO ACS (ACS) certificates have expired or are missing, distribute, renew, or update the certificates to the clients trusted root certificate store. Check if Network Time Protocol (NTP) is enabled on the client and ACS. Install the appropriate CA certificate on your system as Authenticated in-band PAC Provisioning requires a valid Trusted Root CA certificate.
We do not recommend self-signed certificates. Use a CA instead.