topic RE: PEAP failed SSL/TLS handshake because the client rejected the radius server certificate in ExtremeWireless (WiNG) https://community.extremenetworks.com/t5/extremewireless-wing/peap-failed-ssl-tls-handshake-because-the-client-rejected-the/m-p/57690#M4259 Tx Andrew.<BR /> <BR /> It is the accesspoint itself being a radiusclient in our setup . We are configuring 802.1x on the wired network. Also AP's themselves need to be authenticated. Therefore we have configured AP's Ge1 interface as dot1xsupplicant (username/pass). I installed CA certificate chain on AP as trustpoint. <BR /> <BR /> Sun, 15 Oct 2017 19:47:00 GMT Jan_van_de_Bor 2017-10-15T19:47:00Z PEAP failed SSL/TLS handshake because the client rejected the radius server certificate https://community.extremenetworks.com/t5/extremewireless-wing/peap-failed-ssl-tls-handshake-because-the-client-rejected-the/m-p/57688#M4257 Extreme ap6532 (wing 5.8) Ge1 interface configured as dot1xsupplicant (client) for wired 802.1x authentication of AccessPoint connected to cisco 2960x switch (15.2(4)E5) configured with cisco ISE 2.3 as radiusserver. During authentication of AP a radius server message "PEAP failed SSL/TLS handshake because the client rejected the radius server certificate.<BR /> <BR /> Configured CA certificate chain (same as on radius server, as trustpoint on AP, but still problem exists.<BR /> <BR /> Somebody experience with Extreme AP Wing 5.x configured as dot1xsupplicant ?<BR /> <BR /> Please help. Thanks.<BR /> <BR /> Sun, 15 Oct 2017 19:25:00 GMT https://community.extremenetworks.com/t5/extremewireless-wing/peap-failed-ssl-tls-handshake-because-the-client-rejected-the/m-p/57688#M4257 Jan_van_de_Bor 2017-10-15T19:25:00Z RE: PEAP failed SSL/TLS handshake because the client rejected the radius server certificate https://community.extremenetworks.com/t5/extremewireless-wing/peap-failed-ssl-tls-handshake-because-the-client-rejected-the/m-p/57689#M4258 The client MUST trust the CA certificate that issued the Radius server's certificate. Make sure that it is in the client's Trusted root CA list. Sun, 15 Oct 2017 19:31:00 GMT https://community.extremenetworks.com/t5/extremewireless-wing/peap-failed-ssl-tls-handshake-because-the-client-rejected-the/m-p/57689#M4258 Andrew_Webster 2017-10-15T19:31:00Z RE: PEAP failed SSL/TLS handshake because the client rejected the radius server certificate https://community.extremenetworks.com/t5/extremewireless-wing/peap-failed-ssl-tls-handshake-because-the-client-rejected-the/m-p/57690#M4259 Tx Andrew.<BR /> <BR /> It is the accesspoint itself being a radiusclient in our setup . We are configuring 802.1x on the wired network. Also AP's themselves need to be authenticated. Therefore we have configured AP's Ge1 interface as dot1xsupplicant (username/pass). I installed CA certificate chain on AP as trustpoint. <BR /> <BR /> Sun, 15 Oct 2017 19:47:00 GMT https://community.extremenetworks.com/t5/extremewireless-wing/peap-failed-ssl-tls-handshake-because-the-client-rejected-the/m-p/57690#M4259 Jan_van_de_Bor 2017-10-15T19:47:00Z RE: PEAP failed SSL/TLS handshake because the client rejected the radius server certificate https://community.extremenetworks.com/t5/extremewireless-wing/peap-failed-ssl-tls-handshake-because-the-client-rejected-the/m-p/57691#M4260 Can you copy the port config you have done? Mon, 16 Oct 2017 11:56:00 GMT https://community.extremenetworks.com/t5/extremewireless-wing/peap-failed-ssl-tls-handshake-because-the-client-rejected-the/m-p/57691#M4260 Timo1 2017-10-16T11:56:00Z RE: PEAP failed SSL/TLS handshake because the client rejected the radius server certificate https://community.extremenetworks.com/t5/extremewireless-wing/peap-failed-ssl-tls-handshake-because-the-client-rejected-the/m-p/57692#M4261 Accesspoint AP6532 (AP6532 version 5.8.6.0-011R)<BR /> <BR /> profile ap6532 default-ap6532<BR /> .....<BR /> ....<BR /> interface ge1<BR /> dot1x supplicant username zebra-ap password *xyz*<BR /> <BR /> tx Timo.<BR /> <BR /> Mon, 16 Oct 2017 12:40:00 GMT https://community.extremenetworks.com/t5/extremewireless-wing/peap-failed-ssl-tls-handshake-because-the-client-rejected-the/m-p/57692#M4261 Jan_van_de_Bor 2017-10-16T12:40:00Z RE: PEAP failed SSL/TLS handshake because the client rejected the radius server certificate https://community.extremenetworks.com/t5/extremewireless-wing/peap-failed-ssl-tls-handshake-because-the-client-rejected-the/m-p/57693#M4262 Problem solved. It seemed ISE was forcing EAP/TLS where AP was expecting EAP/MD5. Therefore responding "Bad certificate (42)"<BR /> <BR /> Also in radius log found: sslv3 alert bad certificate:s3_pkt.c:1493:SSL alert number 42<BR /> <BR /> This error message tells: the server demands you authenticate with a certificate, and you did not do so.<BR /> <BR /> Changed authentication rule on ISE to allow/ask EAP/MD5, now AP configured as dot1xsupplicant authentication successfull !<BR /> <BR /> Mon, 16 Oct 2017 17:58:00 GMT https://community.extremenetworks.com/t5/extremewireless-wing/peap-failed-ssl-tls-handshake-because-the-client-rejected-the/m-p/57693#M4262 Jan_van_de_Bor 2017-10-16T17:58:00Z