Skip to main content
Question

802.1x EAP-TLS wireless config

  • July 23, 2014
  • 14 replies
  • 69 views
A
Forum|alt.badge.img+8

Hello all. I'm trying to get a system-level 802.1x EAP-TLS wifi configuration working in 10.8. It works fine with our Windows 7 machines.

Mac's are

  • OS 10.8
  • AD bound
  • Have proper CA certificate trusts
  • Can request a machine cert via DRE/RPC

All of that is already done. and it connects beautifully when I connect as a user. Choose the SSID, then: Mode: EAP-TLS
Identity: machineID.domain.com
Username: host/machineID.domain.com

However, I've had a terrible time getting this to work using a configuration profile. The Machine always fails to Authenticate, leaving a NPS error code of 23 in the NPS logs. Since this works flawlessly on our Windows 7 machines, I feel the answer lies somewhere in the configuration profile.

Any hints on figuring this one out? My config profile is generated using 10.9/Server 3.1 and has a wifi profile that uses an identity certificate payload. After downloading I delete

<key>TTLSInnerAuthentication</key> <string>MSCHAPv2</string>

and

<key>OuterIdentity</key> <string/>

Also change loginwindow to

<key>SetupModes</key> <array> <string>System</string>

I don't have any certificate payload included. The NPS and CA are trusted already. I have tried adding the NPS, CA, Cert issuer in "Trusted server Certificate Names" as well.

Here's the full thing.

<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadIdentifier</key> <string>com.apple.mdm.mdm.domain.com.60427220-f415-0131-8fec-2820661a7b35.alacarte</string> <key>PayloadRemovalDisallowed</key> <false/> <key>PayloadScope</key> <string>User</string> <key>PayloadType</key> <string>Configuration</string> <key>PayloadUUID</key> <string>60427220-f415-0131-8fec-2820661a7b35</string> <key>PayloadOrganization</key> <string>WeDesign</string> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadDisplayName</key> <string>WIFI</string> <key>PayloadDescription</key> <string>Request certificate via DRE/RPC and install 802.1x EAP-TLS wifi config.</string> <key>PayloadContent</key> <array> <dict> <key>PayloadType</key> <string>com.apple.ADCertificate.managed</string> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadIdentifier</key> <string>com.apple.mdm.mdm.domain.com.80327220-f415-0131-8fec-2820661a7b35.alacarte.adcert.33b0562c-12f0-428c-a5ef-df2203a2200e</string> <key>PayloadUUID</key> <string>37b3562c-12f0-428c-a5ef-df2203a2200e</string> <key>PayloadEnabled</key> <true/> <key>PayloadDisplayName</key> <string>AD Certificate</string> <key>CertTemplate</key> <string>ComputerMacOS</string> <key>CertificateAcquisitionMechanism</key> <string>RPC</string> <key>PromptForCredentials</key> <false/> <key>Description</key> <string>Request ComputerMacOS Machine Certificate</string> <key>CertServer</key> <string>LAXCA01.domain.com</string> <key>CertificateAuthority</key> <string>LAXCA01</string> </dict> <dict> <key>PayloadType</key> <string>com.apple.wifi.managed</string> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadIdentifier</key> <string>com.apple.mdm.mdm.domain.com.80327220-f415-0131-8fec-2820661a7b35.alacarte.interfaces.958ee100-f416-0131-8fee-2820461a7b35</string> <key>PayloadUUID</key> <string>958ee100-f416-0131-8fee-2820661a7b35</string> <key>PayloadEnabled</key> <true/> <key>PayloadDisplayName</key> <string>WiFi (CompanyCorp)</string> <key>HIDDEN_NETWORK</key> <false/> <key>AutoJoin</key> <true/> <key>ProxyType</key> <string>None</string> <key>EncryptionType</key> <string>WPA</string> <key>SetupModes</key> <array> <string>System</string> </array> <key>AuthenticationMethod</key> <string/> <key>Interface</key> <string>BuiltInWireless</string> <key>SSID_STR</key> <string>CompanyCorp</string> <key>EAPClientConfiguration</key> <dict> <key>TLSTrustedServerNames</key> <array> <string>LAXNPS01.domain.com</string> </array> <key>AcceptEAPTypes</key> <array> <integer>13</integer> </array> <key>EAPFASTProvisionPACAnonymously</key> <false/> <key>EAPFASTProvisionPAC</key> <false/> <key>EAPFASTUsePAC</key> <false/> <key>UserName</key> <string>host/%HostName%</string> <key>TLSCertificateIsRequired</key> <true/> </dict> <key>PayloadCertificateUUID</key> <string>3750562c-12f0-428c-a5ef-df2203a2200e</string> </dict> </array> </dict> </plist>

    14 replies

    A
    Forum|alt.badge.img+17
    • alexjdale
    • Contributor
    • 881 replies
    • July 23, 2014

    Is it requesting the cert properly? You should see the cert and associated private key on the System keychain after installing the profile.

    I actually do my CSR manually in a script and encode the cert into a Profile that gets installed. Our trust is all handled by pre-installed root/CA certs on the keychain too, I don't include them in the profile and it works fine, so that shouldn't be the issue.

    J
    Forum|alt.badge.img+13
    • JPDyson
    • Valued Contributor
    • 478 replies
    • July 23, 2014

    I wonder if you're breaking the plist with your modifications; why not just start out creating a system level profile rather than user level?

    A
    Forum|alt.badge.img+8
    • adroitboy
    • Author
    • Contributor
    • 38 replies
    • July 23, 2014

    Yes, I get a proper machine cert. It shows as trusted.

    @JPDyson, I can't seem to create a machine level profile. It always specifies "loginwindow"

    A
    Forum|alt.badge.img+8
    • adroitboy
    • Author
    • Contributor
    • 38 replies
    • July 23, 2014

    EDIT: unfortunately I forgot to clear out my previous manual config. Still not fixed.

    A
    Forum|alt.badge.img+8
    • adroitboy
    • Author
    • Contributor
    • 38 replies
    • July 23, 2014

    Hmmm…spoke too soon. I didn't clear out my manual config and got quickly excited when it worked.

    Why would I see <key>TTLSInnerAuthentication</key><string>MSCHAPv2</string>

    I only check TLS under Accepted EAP types payload.

    P
    Forum|alt.badge.img+12
    • pat_best
    • Contributor
    • 150 replies
    • July 23, 2014

    Are you wanting user credentials to pass through at login for wireless authentication, machine authentication to wireless then user authentication after login, or machine only authentication?

    edit: system profiles can be created but it requires manually editing a downloaded config profile. The click option for system profile is not there.

    edit 2: here is a link describing both a login window configuration profile and a system profile via editing the .mobileconfig file:

    https://jamfnation.jamfsoftware.com/discussion.html?id=4046

    A
    Forum|alt.badge.img+8
    • adroitboy
    • Author
    • Contributor
    • 38 replies
    • July 23, 2014

    I want EAP-TLS machine only. No PEAP.

    If doing a manual connection (after removing the config profiles and having proper machine cert) I get user keychain items of

    Name: Company Corp Kind: 802.1x password Account: host/3355-mp.doman.com Where: com.apple.network.eap.user.item.wlan.ssid.Company Corp AND an Identity preference of: Name: com.apple.network.eap.user.identity.wlan.ssid.Company Corp Where: com.apple.network.eap.user.identity.wlan.ssid.Company Corp Preferred Certificate: 3355-mp.doman.com (the correct machine cert)

    When installing via a config profile I get SYSTEM keychain items:

    Name: Company Corp Kind: 802.1X Password Account: host/3355-mp.doman.com Where: com.apple.network.eap.system.item.wlan.ssid.Company Corp And identity preference of: Name: com.apple.network.eap.system.identity.wlan.ssid.Company Corp Where: com.apple.network.eap.system.identity.wlan.ssid.Company Corp Preferred Certificate: 3355-mp.doman.com (the correct machine cert)

    It all seems close. Obviously via a profile does not work though.

    P
    Forum|alt.badge.img+12
    • pat_best
    • Contributor
    • 150 replies
    • July 23, 2014

    sorry about that, I read right past the not PEAP part .... oops!

    J
    Forum|alt.badge.img+13
    • JPDyson
    • Valued Contributor
    • 478 replies
    • July 24, 2014
    system profiles can be created but it requires manually editing a downloaded config profile. The click option for system profile is not there

    Pardon? What tool are you talking about that supposedly has this limitation? I've created System Level with Casper 8, 9, and with Profile Manager.

    A
    Forum|alt.badge.img+8
    • adroitboy
    • Author
    • Contributor
    • 38 replies
    • July 24, 2014

    I'm actually profile manager in 10.9 server. JSS is 8.73 and lags behind I. A fee of the config profiles...

    J
    Forum|alt.badge.img+13
    • JPDyson
    • Valued Contributor
    • 478 replies
    • July 24, 2014

    Select a Computer Group when creating the Config Profile; you'll get System Level.

    A
    Forum|alt.badge.img+8
    • adroitboy
    • Author
    • Contributor
    • 38 replies
    • July 25, 2014

    Is it a requirement to have a signed mobileconfig in order for it to work for EAP-TLS?

    bentoms
    Forum|alt.badge.img+35
    • bentoms
    • Hall of Fame
    • 4331 replies
    • July 26, 2014

    Not sure if either of these help:

    http://macmule.com/2014/05/19/error-10-8-clients-not-connecting-to-eap-tls-wireless-with-w2k8-nps/

    http://macmule.com/2012/05/16/authenticating-10-7-macs-to-a-radius-server-with-certificate-enabled-peap-authentication-12/

    A
    Forum|alt.badge.img+8
    • adroitboy
    • Author
    • Contributor
    • 38 replies
    • July 29, 2014

    I was able to get it working using the JSS generated configuration profile. I haven't dug though it thoroughly, but it seems the wifi payload generated in MacOS Server Profile Manager was not quite right (or I was doing it wrong). I'd tried editing it and still couldn't get it to work.

    I did all of the same things in the JSS and it worked perfectly.

    For those interested, I didn't have to specify any certificates, trusted servers, etc. The trusted root was already there. All I needed to do was request the machine cert using the "AD Certificate" payload, making sure to use a template generated for MacOS which uses the UPN ([MachineID]$@domain.com) in the Subject Alternative name of the machine cert. It's worth noting that the PC's send host/[machineID].domain.com as the username, whereas the 10.8 and 10.9 machines send the UPN stored in the machine cert. Before using a different cert template, Mac would send the FQDN stored in the template, which the NPS server rejected.

    The only gotcha moving from 802.1x PEAP to 802.1x EAP-TLS was the machine would use info in the keychain and connect to the user-based PEAP connection. Rather than instructing all users to delete that, I ran this as part of the postinstall script.

    # Delete references to MY SSID in login keychains
for USER_HOME in /Users/*
  do
    USER_UID=`basename "${USER_HOME}"`
    if [ ! "${USER_UID}" = "Shared" ] 
     then 
      if [ ! -d "${USER_HOME}"/Library/Keychains ]
       then
        echo "do nothing"
      fi
      if [ -e "${USER_HOME}"/Library/Keychains/login.keychain ]
       then
        security delete-generic-password -l "MY SSID" "${USER_HOME}"/Library/Keychains/login.keychain
      fi
    fi
  done


    Terms & ConditionsCookie settingsAccessibility statement