Ethernet Authentication window saying "Can't verify the server's identity"

HoneyBadger72
New Contributor

We have recently set up 802.1X auth and are using the EAP-TTLS auth method. We seem to have it working with our Windows 10 clients at this stage of testing, but I keep getting this popup window titled Ethernet Authentication: "Can't verify the server's identity".

[screenshot: HoneyBadger72_0-1696254137647.png]

I think there is a step we missed when setting up our certificate infrastructure. Do we need to register a certificate for each of our ExtremeControl RADIUS servers (we have 15 total) with our certificate authority (internal Active Directory domain controller)? I know just enough about certificates to be dangerous, but I "think" the client gets this message because the server is not "registered" with our CA and therefore the client can't verify the RADIUS server's identity. I just need some guidance on why this is happening and what would stop it. Also, if someone has set up their Windows environment to use 802.1X with ExtremeControl servers and EAP-TTLS, please let me know if there is some step-by-step guide out there to follow. Thank you.


1 ACCEPTED SOLUTION

Ryan_Yacobucci
Extreme Employee

Hello, 

There are a few considerations that you may be running into. As Robert indicated above, you're using a certificate that cannot be validated and it should be replaced with a more appropriate certificate.

One consideration that you may be running into is that the client supplicant needs to be configured with server identity parameters in addition to certificate validation. 

Even if you have a commercially signed certificate installed in the RADIUS server, if an end system does not have supplicant configurations for server identity it will prompt a "Trust Anchor" or similar server identity message. 

Example seen for wireless: 
https://extreme-networks.my.site.com/ExtrArticleDetail?an=000100189

Notifications before connecting: Specifies whether the user is notified if the server name or root certificate is not specified, or whether the server's identity cannot be verified.
By default, the following options are provided:
  • Case 1: "Do not ask user to authorize new servers or trusted CAs" specifies that if:
    1. the server name is not in the Connect to these servers list,
    2. or the root certificate is found but is not selected in the list of Trusted Root Certification Authorities in PEAP Properties,
    3. or the root certificate is not found on the computer,
  then the user is not notified, and the connection attempt fails.

  • Case 2: "Tell user if the server name or root certificate is not specified" specifies that if:
    1. the server name is not in the Connect to these servers list,
    2. or the root certificate is found but is not selected in the list of Trusted Root Certification Authorities in PEAP Properties,
  the user is prompted whether to accept the root certificate. If the user accepts the certificate, authentication proceeds. If the user rejects the certificate, the connection attempt fails.
  Note: in this option, if the root certificate is not present on the computer, the user is not notified and the connection attempt fails.

  • Case 3: "Tell user if the server's identity cannot be verified" specifies that if:
    1. the server name is not in the Connect to these servers list,
    2. or the root certificate is found but is not selected in the list of Trusted Root Certification Authorities in PEAP Properties,
    3. or the root certificate is not found on the computer,
  the user is prompted whether to accept the root certificate. If the user accepts the certificate, authentication proceeds. If the user rejects the certificate, the connection attempt fails.

To get rid of this message you'll need:

  • To install a certificate signed by a commercially trusted certificate authority, or by a private certificate authority, on the RADIUS server.
  • GPO will need to install the RADIUS certificate's issuer certificate in the end system's trusted certificate store, and configure the "Validate server identity" field with the correct RADIUS server's FQDN.
  • The end system needs to have both certificate validation and server identity parameters to bypass any prompts to the user.

Thanks
-Ryan

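The three pieces Ryan lists (a chain the client can build, the issuer in the machine's trusted store, and a server name the supplicant is told to expect) can each be checked from the Windows side. The following PowerShell is an added example and is not code from the thread or from Extreme Networks. It assumes the RADIUS server certificate and the CA certificate that signed it have been exported to the hypothetical paths below, that the RADIUS FQDN is `radius01.corp.example`, and that a wired profile already works when created by hand on the adapter named `Ethernet`; it needs the PKI module (Windows 8 / Server 2012 or later), an elevated prompt, and the Wired AutoConfig (dot3svc) service running for the `netsh lan` step. `Test-Certificate -Policy SSL` builds the chain against the local stores and checks the Server Authentication EKU and the DNS name, which is close to what the supplicant does before deciding whether to prompt.

```powershell
# Added example (not from the thread or from Extreme Networks): inspect a RADIUS
# server certificate the way the Windows supplicant does, stage the trust anchor
# machine-wide, and read the server-validation block out of a working 802.1X profile.
# All paths, the FQDN and the interface name below are hypothetical assumptions.
$RadiusCertPath = 'C:\temp\radius01.cer'      # RADIUS server certificate exported from the server
$RootCaPath     = 'C:\temp\corp-root-ca.cer'  # CA certificate that signed it
$RadiusFqdn     = 'radius01.corp.example'     # name the supplicant will be told to expect
$InterfaceName  = 'Ethernet'                  # wired adapter that has a working manual profile

function Get-RadiusCertReport {
    param([string]$Path, [string]$Fqdn)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

    # Names the supplicant can match against: SAN dNSName entries plus the CN.
    # Format($false) uses CryptoAPI text ("DNS Name=...") and therefore needs Windows.
    $names = @()
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                  ForEach-Object { $_.Groups[1].Value }
    }
    $names += $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $names = $names | Where-Object { $_ } | Select-Object -Unique

    # 802.1X server certificates need the Server Authentication EKU (1.3.6.1.5.5.7.3.1).
    $hasServerAuth = $false
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku) {
        $hasServerAuth = ($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains '1.3.6.1.5.5.7.3.1'
    }

    # -Policy SSL: chain to a trusted root in this machine's stores, EKU, and name check.
    $trusted = Test-Certificate -Cert $cert -Policy SSL -DNSName $Fqdn -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)
        NotAfter      = $cert.NotAfter
        DnsNames      = $names
        NameMatches   = ($names -contains $Fqdn)
        HasServerAuth = [bool]$hasServerAuth
        ChainTrusted  = [bool]$trusted
    }
}

function Install-RadiusTrustAnchor {
    param([string]$Path)
    # LocalMachine\Root so the chain can be built before any user logs on. If the issuer
    # is an intermediate, it belongs in Cert:\LocalMachine\CA with its root in Root.
    $ca = Import-Certificate -FilePath $Path -CertStoreLocation 'Cert:\LocalMachine\Root'
    # The profile's trusted-root setting references the CA by SHA-1 thumbprint.
    $ca.Thumbprint
}

function Show-ProfileServerValidation {
    param([string]$Interface)
    # Export the profile that already works when created by hand and print its
    # server-validation block. The child element names differ between PEAP and EAP-TTLS,
    # so they are taken from the exported file rather than typed from memory.
    $folder = Join-Path $env:TEMP ('lanprofile-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $folder | Out-Null
    netsh lan export profile folder="$folder" interface="$Interface" | Out-Null
    foreach ($file in Get-ChildItem -Path $folder -Filter *.xml) {
        $xml = [xml](Get-Content -Path $file.FullName -Raw)
        $xml.SelectNodes("//*[local-name()='ServerValidation']") | ForEach-Object { $_.OuterXml }
    }
}

# Usage (run elevated):
$report = Get-RadiusCertReport -Path $RadiusCertPath -Fqdn $RadiusFqdn
$report | Format-List

if ($report.SelfSigned)         { Write-Warning 'Self-signed certificate: no client can build a chain to it; replace it.' }
if (-not $report.NameMatches)   { Write-Warning "No SAN/CN entry equals $RadiusFqdn; a 'Connect to these servers' entry for that name will not match." }
if (-not $report.HasServerAuth) { Write-Warning 'Server Authentication EKU is missing.' }
if (-not $report.ChainTrusted -and -not $report.SelfSigned) {
    $thumb = Install-RadiusTrustAnchor -Path $RootCaPath
    "Imported CA $thumb into LocalMachine\Root; select it as the trusted root in the profile."
}
Show-ProfileServerValidation -Interface $InterfaceName
```

The printed `ServerValidation` element is the part of the profile that has to carry the expected server name and the trusted-root selection for every client; once the hand-built profile shows both, the same profile can be pushed domain-wide through Computer Configuration > Policies > Windows Settings > Security Settings > Wired Network (IEEE 802.3) Policies, which is the GPO step in the reply above. With 15 RADIUS servers, either every server's FQDN goes into the name list or the servers share one certificate whose SAN lists all of them; a name that is absent from both the list and the certificate reproduces the prompt even with a fully trusted chain.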

4 REPLIES

HoneyBadger72
New Contributor

Thank you for the replies. I will work with my team to get these RADIUS servers set up with our internal CA in our Windows domain. I do have multiple RADIUS servers (one at each of 12 sites and 2 at the data centers as backups). I will get all of them added to our CA since it will depend on which switch and location the user will use for RADIUS. This is just for wired so far; I still have wireless 802.1X to set up and test.

Also, when it comes to the settings for our client supplicant setup, here is what I have been using.

How does this look?  It seems to work fine and our 802.1x rules are working so far.

[screenshot: HoneyBadger72_0-1696427425438.png]

[screenshot: HoneyBadger72_1-1696427471900.png]


I would need to test it in the lab to be 100%, but I'm assuming that if that profile is manually created on the client you'll be OK. The problem with certificate validation/server identity trust is typically seen when Windows tries to set up the wireless profile on initial connection.

Robert_Haynes
Extreme Employee

You appear to be using the default self-signed untrusted certificate that ships with Extreme Control. This certificate is not trusted by any device so the warning presented to clients to 'verify' if they wish to Connect or Disconnect is valid.

You need to replace the certificate with a trusted certificate chain signed by a trusted certificate authority or private CA if these devices are GPO/managed.

This link will walk you through the certificate CSR and signing process: https://extreme-networks.my.site.com/ExtrArticleDetail?an=000078322
