A customer complains about user authentication errors with 802.1X certificate authentication, with the following error in the ISE live logs:
OpenSSLErrorMessage SSL alert: code=0x22E=558 ; source=local ; type=fatal ; message="certificate unknown.ssl/statem/statem_srvr.c:3800 error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed [error=337100934 lib=20 func=380 reason=134]"
There is not much documentation about this error out there; this FreeRADIUS mail thread points to the certificate EKU as the problem. Since machine authentication by certificate was working properly at the customer, after doing a certificate comparison and some tests with the EKU properties, we solved the problem just by removing the critical property from the EKU key.
Once the EKU property is configured as non-critical, authentication for users by certificate works properly. This behavior was found on iPhones and the Avaya softphone, and probably applies to other devices and software that use OpenSSL libraries for certificate validation.
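
To repeat the certificate comparison described above, the following added example (not from the original post or from Cisco) reads the critical flag of the EKU extension straight from a certificate's DER encoding using only the Python standard library. The function names and the constructed sample skeleton are assumptions made for illustration.

```python
import ssl

EKU_OID = bytes.fromhex("551d25")  # DER body of OID 2.5.29.37 (extendedKeyUsage)

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """Yield (tag, value) for each DER element packed in buf."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value

def eku_state(cert_der):
    """Return 'critical', 'non-critical' or 'absent' for the EKU extension."""
    tbs = read_tlv(read_tlv(cert_der)[1])[1]  # Certificate -> TBSCertificate
    for tag, value in children(tbs):
        if tag != 0xA3:  # [3] EXPLICIT Extensions
            continue
        for _, ext in children(read_tlv(value)[1]):
            fields = list(children(ext))  # OID, optional BOOLEAN, OCTET STRING
            if fields[0][1] != EKU_OID:
                continue
            # critical is DEFAULT FALSE, so DER only encodes it when TRUE
            flagged = fields[1][0] == 0x01 and fields[1][1] != b"\x00"
            return "critical" if flagged else "non-critical"
    return "absent"

def eku_state_pem(pem_text):
    """Same check for a PEM certificate, e.g. one exported from a client."""
    return eku_state(ssl.PEM_cert_to_DER_cert(pem_text))

def der(tag, *parts):
    """Encode one short DER element; used only to build the sample below."""
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def sample_cert(critical):
    """Constructed skeleton with only the fields eku_state() walks; not a valid cert."""
    eku = der(0x04, der(0x30, der(0x06, bytes.fromhex("2b06010505070302"))))  # clientAuth
    flag = der(0x01, b"\xff") if critical else b""
    ext = der(0x30, der(0x06, EKU_OID), flag, eku)
    return der(0x30, der(0x30, der(0x02, b"\x01"), der(0xA3, der(0x30, ext))))
```

Running eku_state_pem() on a working machine certificate and on a failing user certificate shows whether the critical flag on the EKU is the difference between them.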