Mac OS X and 802.1X authentication

Jeremy_Gibbs
Contributor
We have a few people that get an error saying "The identity of the authentication server could not be established" when trying to connect to an 802.1x network (Extreme IdentiFi running 9.21.003.0010) on 3825i. NAC reports this for the user:

TLS Alert read:warning:close notify TLS_accept: failed in SSLv3 read client certificate A error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure

Any ideas? It's not everyone, just a small subset of people.

Matthew_Hum1
Extreme Employee
I know it's "solved" but I wanted to give an explanation in the event someone else sees this. The error indicates that the client did not accept the server certificate for some reason. It could be that the certificate expired, or that it failed verification. If this is not a public cert, but a self-signed one or one signed by an internal CA, and since it only affects some clients, my money is on the clients trying to verify the cert, it failing verification, and them therefore rejecting the certificate before any authentication can occur. I can only think of 3 ways to handle this:

1. Disable certificate verification on the end system. This is not really recommended as you are opening that system up to MITM attacks, but can be done. This is really an issue if that end system connects to other outside networks.
2. Put a certificate signed by a trusted CA on the authenticating server.
3. Add the CA that signed the certificate as a trusted CA in the end system.
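
One way to read the NAC log line from the original question, as an added example that is not part of the reply above or of any Extreme tooling: it splits the line into alert direction, handshake state and OpenSSL error code, then classifies who ended the handshake. The function names and the second sample line are constructed, and the decoding assumes the OpenSSL 1.0.x error-code layout (8-bit library, 12-bit function, 12-bit reason).

```python
import re

# Assumption: OpenSSL 1.0.x packs errors as lib (8 bits) | func (12 bits) | reason (12 bits).
def unpack_error(code_hex):
    code = int(code_hex, 16)
    return {"lib": (code >> 24) & 0xFF, "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF}

LINE_RE = re.compile(
    r"TLS Alert (?P<dir>read|write):(?P<level>warning|fatal):(?P<desc>[a-z ]+?)\s+"
    r"TLS_accept: failed in (?P<state>.+?)\s+"
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.+)$"
)

# Server-side states reached only after the server has sent its certificate flight.
AFTER_SERVER_FLIGHT = ("read client certificate", "read client key exchange")

def triage(line):
    """Classify one RADIUS/NAC TLS failure line (hypothetical helper)."""
    m = LINE_RE.search(line.strip())
    if m is None:
        return None
    # "read" means the server received the alert, so the supplicant ended the handshake.
    alert_from = "supplicant" if m["dir"] == "read" else "server"
    if alert_from == "supplicant" and any(s in m["state"] for s in AFTER_SERVER_FLIGHT):
        # Consistent with the client rejecting the server certificate:
        # check expiry and whether the signing CA is trusted on that client.
        verdict = "client_aborted_after_server_flight"
    elif alert_from == "server":
        verdict = "server_rejected_client"
    else:
        verdict = "unclassified"
    return {"alert_from": alert_from, "level": m["level"], "alert": m["desc"],
            "state": m["state"], "error": unpack_error(m["code"]),
            "reason": m["reason"], "verdict": verdict}

# Log line from the thread, with the alert level spelled as OpenSSL prints it.
THREAD_LINE = ("TLS Alert read:warning:close notify TLS_accept: failed in SSLv3 read "
               "client certificate A error:140940E5:SSL routines:SSL3_READ_BYTES:"
               "ssl handshake failure")
# Constructed contrast case: the server itself sends the alert.
CONSTRUCTED_LINE = ("TLS Alert write:fatal:handshake failure TLS_accept: failed in SSLv3 "
                    "read client hello A error:1408A0C1:SSL routines:"
                    "SSL3_GET_CLIENT_HELLO:no shared cipher")

if __name__ == "__main__":
    for sample in (THREAD_LINE, CONSTRUCTED_LINE):
        print(triage(sample))
```

Running it over the log lines of only the affected users shows whether they all fail at the same state, which fits the "small subset of people" pattern described in the question.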

Jeremy_Gibbs
Contributor
Haven't heard from the client in a while, I think they are okay (just told them to use the non 802.1x network)

Drew_C
Valued Contributor III
Thanks Jeremy. I'm going to go ahead and mark this as "Solved."

Drew_C
Valued Contributor III
Hi Jeremy,
I'm going through some older threads here and wanted to ask if you still need assistance with this?