Wireless (General)

  • 1.  Mac OS X and 802.1X authentication

    Posted 10-09-2015 16:43
    We have a few people that get an error saying "The identity of the authentication server could not be established" when trying to connect to an 802.1x network (Extreme IdentiFi running 9.21.003.0010) on 3825i. NAC reports this for the user:

    TLS Alert read:warning:close notify TLS_accept: failed in SSLv3 read client certificate A error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure

    Any ideas? It's not everyone, just a small subset of people.


  • 2.  RE: Mac OS X and 802.1X authentication

    Posted 10-12-2015 00:01
    First thing to check is always the time on the client; it needs to be accurate or the cert will appear to be invalid.


  • 3.  RE: Mac OS X and 802.1X authentication

    Posted 12-02-2015 16:09
    Hi Jeremy,
    I'm going through some older threads here and wanted to ask if you still need assistance with this?


  • 4.  RE: Mac OS X and 802.1X authentication

    Posted 12-02-2015 17:33
    Haven't heard from the client in a while; I think they are okay (just told them to use the non-802.1X network).


  • 5.  RE: Mac OS X and 802.1X authentication

    Posted 12-02-2015 17:33
    Thanks Jeremy. I'm going to go ahead and mark this as "Solved."


  • 6.  RE: Mac OS X and 802.1X authentication

    Posted 12-03-2015 04:47
    I know it's "solved," but I wanted to give an explanation in the event someone else sees this. The error indicates that the client did not accept the server certificate for some reason. It could be that the certificate expired, or that it failed verification. If this is not a public cert, and is self-signed or signed by an internal CA, and since it only affects some clients, my money is on the clients trying to verify the cert, the verification failing, and the clients therefore rejecting the certificate before any authentication can occur. I can only think of 3 ways to handle this:

    1. Disable certificate verification on the end system. This is not really recommended, as you are opening that system up to MITM attacks, but it can be done. This is really an issue if that end system connects to other outside networks.
    2. Put a certificate signed by a trusted CA on the authenticating server.
    3. Add the CA that signed the certificate as a trusted CA in the end system.
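
Added example, not part of any post in this thread: a small Python parser for the server-side log line quoted in the first post, showing which side sent the alert and where in the handshake it arrived. The function names are hypothetical, the sample line is constructed in the quoted format, and the numeric decoding assumes the pre-3.0 OpenSSL error-code layout.

```python
import re

# Matches the server-side log text quoted in the thread (OpenSSL info + error output).
LINE_RE = re.compile(
    r"TLS Alert (?P<direction>read|write):(?P<level>\w+):(?P<alert>[\w ]+?)\s+"
    r"TLS_accept:\s*failed in (?P<state>.+?)\s+"
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.+)$"
)

# Constructed sample in the format of the line quoted in the thread.
SAMPLE = (
    "TLS Alert read:warning:close notify "
    "TLS_accept: failed in SSLv3 read client certificate A "
    "error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure"
)


def parse_tls_accept_failure(line):
    """Return the fields of a server-side TLS handshake failure line, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    code = int(m["code"], 16)
    return {
        # "read" means the server received the alert, so the client sent it.
        "alert_sender": "client" if m["direction"] == "read" else "server",
        "level": m["level"],
        "alert": m["alert"],
        "state": m["state"],
        # Assumed pre-3.0 OpenSSL packing: lib (8 bits) | func (12) | reason (12).
        "lib": code >> 24,
        "func": (code >> 12) & 0xFFF,
        "reason": code & 0xFFF,
        "reason_text": m["reason"].strip(),
    }


def client_aborted_after_server_flight(parsed):
    """True when the client ended the handshake while the server was still
    waiting for the client's reply to its ServerHello/Certificate flight."""
    return (parsed["alert_sender"] == "client"
            and parsed["state"].startswith("SSLv3 read client certificate"))


if __name__ == "__main__":
    info = parse_tls_accept_failure(SAMPLE)
    print(info, client_aborted_after_server_flight(info))
```

A client-sent alert in this state is consistent with the supplicant declining the server certificate, so the next checks are the client clock, the certificate's validity dates, and whether the signing CA is trusted on the affected clients.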