
Mac OS X and 802.1X authentication


We have a few people that get an error saying "The identity of the authentication server could not be established" when trying to connect to an 802.1x network (Extreme IdentiFi running 9.21.003.0010) on 3825i. NAC reports this for the user:

TLS Alert read:warning:close notify TLS_accept: failed in SSLv3 read client certificate A error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure

Any ideas? It's not everyone, just a small subset of people.

5 replies

First thing to check is always the time on the client; it needs to be accurate or the cert will appear to be invalid.
Userlevel 7
Hi Jeremy,
I'm going through some older threads here and wanted to ask if you still need assistance with this?
Haven't heard from the client in a while, I think they are okay (just told them to use the non 802.1x network)
Userlevel 7
Jeremy Gibbs wrote:

Haven't heard from the client in a while, I think they are okay (just told them to use the non 802.1x network)

Thanks Jeremy. I'm going to go ahead and mark this as "Solved."
Userlevel 3
I know it's "solved" but I wanted to give an explanation in the event someone else sees this. The error indicates that the client did not accept the server certificate for some reason. It could be that the certificate expired, or that it failed verification. If this is not a public cert, but self-signed or signed by an internal CA, then since it only affects some clients, my money is on the clients trying to verify the cert, failing verification, and therefore rejecting the certificate before any authentication can occur. I can only think of 3 ways to handle this:

1. Disable certificate verification on the end system. This is not really recommended, as you are opening that system up to MITM attacks, but it can be done. This is really an issue if that end system connects to other outside networks.
2. Put a certificate signed by a trusted CA on the authenticating server.
3. Add the CA that signed the certificate as a trusted CA in the end system.

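The reading given in the last reply can be checked against the log line itself. The following is an added example, not code from the thread or from Extreme Networks: it decodes the OpenSSL error code and the alert direction to show that the client ended the handshake right after the server presented its certificate. It assumes the OpenSSL 1.0.x/1.1.x error-code packing and the `read:warning:` alert notation; `triage` and the second sample line are constructed for illustration.

```python
import re

# Error-code packing used by OpenSSL 1.0.x/1.1.x (assumed here):
# 8-bit library | 12-bit function | 12-bit reason.
def decode_openssl_error(code_hex):
    code = int(code_hex, 16)
    return {"lib": code >> 24, "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF}

ALERT_RE = re.compile(r"TLS Alert (read|write):(warning|fatal):([A-Za-z_ ]+?)(?=\s+TLS_|\s*$)")
STATE_RE = re.compile(r"TLS_accept: failed in (.+?)(?=\s+error:|\s*$)")
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")

# Alert descriptions (OpenSSL long names) that name the certificate as the problem.
CERT_ALERTS = {"bad certificate", "unsupported certificate", "certificate revoked",
               "certificate expired", "certificate unknown", "unknown CA"}

def triage(line):
    """Classify one server-side EAP-TLS log line (hypothetical helper)."""
    alert, state, err = ALERT_RE.search(line), STATE_RE.search(line), ERR_RE.search(line)
    result = {
        "alert": alert.groups() if alert else None,
        "state": state.group(1) if state else None,
        "error": decode_openssl_error(err.group(1)) if err else None,
    }
    # "read" means the server received the alert, i.e. the client sent it.
    from_client = alert is not None and alert.group(1) == "read"
    # The server has sent its certificate and is waiting for the client's next flight.
    after_server_cert = state is not None and "read client certificate" in state.group(1)
    if from_client and alert.group(3) in CERT_ALERTS:
        result["verdict"] = "client rejected server certificate (explicit alert)"
    elif from_client and after_server_cert:
        result["verdict"] = "client closed after server certificate; check client trust and clock"
    else:
        result["verdict"] = "no client-side abort recognised"
    return result

# Log line from the thread, written with the usual alert notation.
THREAD_LINE = ("TLS Alert read:warning:close notify TLS_accept: failed in SSLv3 read "
               "client certificate A error:140940E5:SSL routines:SSL3_READ_BYTES:"
               "ssl handshake failure")
# Constructed sample: a client that names the reason in its alert.
CONSTRUCTED_LINE = ("TLS Alert read:fatal:unknown CA TLS_accept: failed in SSLv3 read "
                    "client certificate A")

if __name__ == "__main__":
    for sample in (THREAD_LINE, CONSTRUCTED_LINE):
        print(triage(sample))
```

A `close notify` at this stage carries no reason code, so the server log alone cannot distinguish an expired certificate from an untrusted CA; that has to be confirmed on the client.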