Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Avaya 3645 handset 802.1x certificate issues

  • 1.  Avaya 3645 handset 802.1x certificate issues

    Posted Feb 21, 2018 11:41 AM

    Hi all, we're trying to connect Avaya 3645 to an 802.1x network using EAP-PEAP, with ClearPass 6.6.8 as the RADIUS server. I can see the attempt in Access Tracker, but it is rejected with the following error:

        EAP-PEAP: fatal alert by client - unknown_ca
        TLS Handshake failed in SSL_read with error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
        eap-tls: Error in establishing TLS session

    So obviously an issue with the Server certificate being trusted by the Avaya handset. I've exported the RADIUS server certificate from ClearPass, and verified that it contains the entire path - Server, Intermediate and Root certs are all contained. I have no problem importing / enrolling the cert in the Avaya handset software, but it still fails. Has anyone done this successfully?
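The error lines quoted in the first post can be decoded mechanically. The following is an added example, not part of the original post or of ClearPass; it assumes the `error:XXXXXXXX` value uses the OpenSSL 1.x packed layout (8-bit library, 12-bit function, 12-bit reason), and the function names `decode_openssl_error` and `triage` are hypothetical.

```python
import re

# TLS alert descriptions (RFC 5246, section 7.2): subset tied to certificate trust.
TLS_ALERTS = {
    42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 48: "unknown_ca", 51: "decrypt_error",
}
SSL_AD_REASON_OFFSET = 1000  # OpenSSL reports a received alert N as reason 1000 + N
ERR_LIB_SSL = 20             # library number for "SSL routines"

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")

# The three error lines from the first post in this thread.
SAMPLE = [
    "EAP-PEAP: fatal alert by client - unknown_ca",
    "TLS Handshake failed in SSL_read with error:14094418:SSL routines:"
    "ssl3_read_bytes:tlsv1 alert unknown ca",
    "eap-tls: Error in establishing TLS session",
]

def decode_openssl_error(line):
    """Split a packed OpenSSL 1.x error code into lib/func/reason and TLS alert."""
    m = ERR_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and SSL_AD_REASON_OFFSET <= reason < SSL_AD_REASON_OFFSET + 256:
        alert = reason - SSL_AD_REASON_OFFSET  # alert number received from the peer
    return {"lib": lib, "func": func, "reason": reason, "alert": alert,
            "alert_name": TLS_ALERTS.get(alert), "text": m.group(4).strip()}

def triage(lines):
    """Return (alert sender, alert name) for the first TLS alert in the lines."""
    sender = None
    for line in lines:
        m = re.search(r"fatal alert by (client|server)", line)
        if m:
            sender = m.group(1)
        err = decode_openssl_error(line)
        if err and err["alert_name"]:
            return sender, err["alert_name"]
    return sender, None

if __name__ == "__main__":
    print(decode_openssl_error(SAMPLE[1]))
    print(triage(SAMPLE))
```

For the lines in the post this yields alert 48 (`unknown_ca`) sent by the client, which matches the poster's reading that the handset is the side rejecting the certificate chain.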



  • 2.  RE: Avaya 3645 handset 802.1x certificate issues

    MVP EXPERT
    Posted Feb 21, 2018 12:12 PM

    Are you able to provide the full logs from within the Access Tracker entry? Does the device need to validate the cert, as I see this "unknown ca" in your logs previously provided?



  • 3.  RE: Avaya 3645 handset 802.1x certificate issues

    Posted Feb 21, 2018 03:35 PM

    Log file is attached.  There's no way in the Avaya handset config to disable certificate validation.  It is very rudimentary.

    Attachment: logfile.txt (17 KB)


  • 4.  RE: Avaya 3645 handset 802.1x certificate issues

    EMPLOYEE
    Posted Feb 21, 2018 03:43 PM

    Try just installing the signing/intermediate CA.



  • 5.  RE: Avaya 3645 handset 802.1x certificate issues

    Posted Feb 22, 2018 08:41 AM

    We tried the root, the intermediate and the server cert, plus all 3 combined.  Still no go.