Mac OS X and 802.1X authentication

  • Problem
  • Updated 3 years ago
  • Solved
We have a few people that get an error saying "The identity of the authentication server could not be established" when trying to connect to an 802.1X network (Extreme IdentiFi running on 3825i). NAC reports this for the user:

TLS Alert read:warning:close notify TLS_accept: failed in SSLv3 read client certificate A error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure

Any ideas?  It's not everyone, just a small subset of people.
Jeremy, Ambassador

Posted 3 years ago

Matthew Hum, Principal Engineer, APAC
Official Response
I know it's "solved", but I wanted to give an explanation in the event someone else sees this.

The error indicates that the client did not accept the server certificate for some reason. It could be that the certificate expired, or that it failed verification. If this is not a public cert but one that is self-signed or signed by an internal CA, and since it only affects some clients, my money is on the clients trying to verify the cert, failing verification, and therefore rejecting the certificate before any authentication can occur.
I can only think of 3 ways to handle this:
1. Disable certificate verification on the end system. This is not really recommended, as you are opening that system up to MITM attacks, but it can be done. This is really an issue if that end system connects to other outside networks.
2. Put a certificate signed by a trusted CA on the authenticating server.
3. Add the CA that signed the certificate as a trusted CA on the end system.
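The three options in the answer above all come down to the same check the supplicant performs before it will send credentials: does the server's certificate chain to a CA the client trusts, and is it inside its validity period. The shell script below is an added example, not part of the original thread and not Extreme or Apple code. It builds a throwaway internal CA and a server certificate with openssl (the names "Example Internal CA" and "nac.example.internal" and the temp directory are constructed for the example), then emulates the client's decision in the three states the answer describes: the internal CA is not in the client's trust store (option 3 not applied), the CA has been added (option 3 applied), and the certificate has expired (checked by asking openssl to evaluate the chain at a future time). It only needs openssl in PATH and is not specific to IdentiFi or macOS.

```shell
#!/bin/sh
# Added example: what "the client did not accept the server certificate" means in practice.
# Everything here is constructed for illustration (lab CA, hostnames, temp dir).
set -u

LAB_DIR="$(mktemp -d)"   # scratch PKI lives here; not cleaned up so you can inspect it

# Build an internal CA (10 years) and a server cert (1 year) signed by it. This stands in
# for the certificate the NAC/RADIUS server presents during the EAP TLS handshake.
build_lab_pki() {
  mkdir -p "$LAB_DIR" || return 1
  # Self-signed CA; 'openssl req -x509' marks it CA:TRUE via the default v3_ca section.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Internal CA" \
    -keyout "$LAB_DIR/ca.key" -out "$LAB_DIR/ca.pem" >/dev/null 2>&1 || return 1
  # Server key and CSR, then sign the CSR with the internal CA.
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=nac.example.internal" \
    -keyout "$LAB_DIR/server.key" -out "$LAB_DIR/server.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -sha256 -days 365 -in "$LAB_DIR/server.csr" \
    -CA "$LAB_DIR/ca.pem" -CAkey "$LAB_DIR/ca.key" -CAcreateserial \
    -out "$LAB_DIR/server.pem" >/dev/null 2>&1 || return 1
}

# Emulate the supplicant's verdict on the server certificate.
#   $1 = CA bundle the client trusts ("" = the internal CA is NOT in its trust store)
#   $2 = optional epoch seconds at which to evaluate validity (simulates an expired cert)
# Prints "accept" or "reject: <openssl reason>". The reason text is the same one that
# ends up, from the server's point of view, as the TLS alert / handshake failure in the NAC log.
supplicant_verdict() {
  ca_file="${1:-}"
  at_time="${2:-}"
  set -- "$LAB_DIR/server.pem"
  if [ -n "$at_time" ]; then set -- -attime "$at_time" "$@"; fi
  if [ -n "$ca_file" ]; then set -- -CAfile "$ca_file" "$@"; fi
  out="$(openssl verify "$@" 2>&1)" || true
  case "$out" in
    *": OK")
      echo "accept" ;;
    *)
      reason="$(printf '%s\n' "$out" \
        | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1)"
      echo "reject: ${reason:-verification failed}" ;;
  esac
}

# Demo: the three states from the answer.
if build_lab_pki; then
  echo "lab PKI in $LAB_DIR"
  echo "client without the internal CA : $(supplicant_verdict "")"
  echo "client with the internal CA    : $(supplicant_verdict "$LAB_DIR/ca.pem")"
  future="$(( $(date +%s) + 400 * 86400 ))"   # 400 days out: server cert expired, CA still valid
  echo "same client, cert expired      : $(supplicant_verdict "$LAB_DIR/ca.pem" "$future")"
else
  echo "could not build lab PKI (is openssl installed?)" >&2
fi
```

The first verdict is the situation in the thread: nothing is wrong with the server, the client simply has no way to build a chain to the issuer, so it refuses the certificate before sending any credentials. Adding the CA (second verdict) is option 3. On macOS the equivalent is either adding the CA to the System keychain (for example `security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca.pem`) or, more commonly for managed 802.1X deployments, pushing a configuration profile whose Wi-Fi payload references the CA as the trust anchor and lists the RADIUS server's certificate name under TLSTrustedServerNames; either keeps verification enabled, unlike option 1. The third verdict shows why "it could be that the certificate expired" is worth checking separately: a trusted CA does not help once the server certificate's notAfter date has passed.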