Skip to main content

Hello all. I'm trying to get a system-level 802.1x EAP-TLS wifi configuration working in 10.8. It works fine with our Windows 7 machines.



Mac's are




  • OS 10.8

  • AD bound

  • Have proper CA certificate trusts

  • Can request a machine cert via DRE/RPC



All of that is already done. and it connects beautifully when I connect as a user. Choose the SSID, then:
Mode: EAP-TLS
Identity: machineID.domain.com
Username: host/machineID.domain.com



However, I've had a terrible time getting this to work using a configuration profile. The Machine always fails to Authenticate, leaving a NPS error code of 23 in the NPS logs. Since this works flawlessly on our Windows 7 machines, I feel the answer lies somewhere in the configuration profile.



Any hints on figuring this one out? My config profile is generated using 10.9/Server 3.1 and has a wifi profile that uses an identity certificate payload. After downloading I delete



<key>TTLSInnerAuthentication</key>
<string>MSCHAPv2</string>


and

<key>OuterIdentity</key>
<string/>



Also change loginwindow to



<key>SetupModes</key>
<array>
<string>System</string>


I don't have any certificate payload included. The NPS and CA are trusted already. I have tried adding the NPS, CA, Cert issuer in "Trusted server Certificate Names" as well.



Here's the full thing.



<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadIdentifier</key>
<string>com.apple.mdm.mdm.domain.com.60427220-f415-0131-8fec-2820661a7b35.alacarte</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>User</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>60427220-f415-0131-8fec-2820661a7b35</string>
<key>PayloadOrganization</key>
<string>WeDesign</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadDisplayName</key>
<string>WIFI</string>
<key>PayloadDescription</key>
<string>Request certificate via DRE/RPC and install 802.1x EAP-TLS wifi config.</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadType</key>
<string>com.apple.ADCertificate.managed</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadIdentifier</key>
<string>com.apple.mdm.mdm.domain.com.80327220-f415-0131-8fec-2820661a7b35.alacarte.adcert.33b0562c-12f0-428c-a5ef-df2203a2200e</string>
<key>PayloadUUID</key>
<string>37b3562c-12f0-428c-a5ef-df2203a2200e</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadDisplayName</key>
<string>AD Certificate</string>
<key>CertTemplate</key>
<string>ComputerMacOS</string>
<key>CertificateAcquisitionMechanism</key>
<string>RPC</string>
<key>PromptForCredentials</key>
<false/>
<key>Description</key>
<string>Request ComputerMacOS Machine Certificate</string>
<key>CertServer</key>
<string>LAXCA01.domain.com</string>
<key>CertificateAuthority</key>
<string>LAXCA01</string>
</dict>
<dict>
<key>PayloadType</key>
<string>com.apple.wifi.managed</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadIdentifier</key>
<string>com.apple.mdm.mdm.domain.com.80327220-f415-0131-8fec-2820661a7b35.alacarte.interfaces.958ee100-f416-0131-8fee-2820461a7b35</string>
<key>PayloadUUID</key>
<string>958ee100-f416-0131-8fee-2820661a7b35</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadDisplayName</key>
<string>WiFi (CompanyCorp)</string>
<key>HIDDEN_NETWORK</key>
<false/>
<key>AutoJoin</key>
<true/>
<key>ProxyType</key>
<string>None</string>
<key>EncryptionType</key>
<string>WPA</string>
<key>SetupModes</key>
<array>
<string>System</string>
</array>
<key>AuthenticationMethod</key>
<string/>
<key>Interface</key>
<string>BuiltInWireless</string>
<key>SSID_STR</key>
<string>CompanyCorp</string>
<key>EAPClientConfiguration</key>
<dict>
<key>TLSTrustedServerNames</key>
<array>
<string>LAXNPS01.domain.com</string>
</array>
<key>AcceptEAPTypes</key>
<array>
<integer>13</integer>
</array>
<key>EAPFASTProvisionPACAnonymously</key>
<false/>
<key>EAPFASTProvisionPAC</key>
<false/>
<key>EAPFASTUsePAC</key>
<false/>
<key>UserName</key>
<string>host/%HostName%</string>
<key>TLSCertificateIsRequired</key>
<true/>
</dict>
<key>PayloadCertificateUUID</key>
<string>3750562c-12f0-428c-a5ef-df2203a2200e</string>
</dict>
</array>
</dict>
</plist>

Is it requesting the cert properly? You should see the cert and associated private key on the System keychain after installing the profile.



I actually do my CSR manually in a script and encode the cert into a Profile that gets installed. Our trust is all handled by pre-installed root/CA certs on the keychain too, I don't include them in the profile and it works fine, so that shouldn't be the issue.

I wonder if you're breaking the plist with your modifications; why not just start out creating a system level profile rather than user level?

Yes, I get a proper machine cert. It shows as trusted.



@JPDyson, I can't seem to create a machine level profile. It always specifies "loginwindow"

EDIT: unfortunately I forgot to clear out my previous manual config. Still not fixed.

Hmmm…spoke too soon. I didn't clear out my manual config and got quickly excited when it worked.



Why would I see
<key>TTLSInnerAuthentication</key><string>MSCHAPv2</string>



I only check TLS under Accepted EAP types payload.

Are you wanting user credentials to pass through at login for wireless authentication, machine authentication to wireless then user authentication after login, or machine only authentication?



edit: system profiles can be created but it requires manually editing a downloaded config profile. The click option for system profile is not there.



edit 2: here is a link describing both a login window configuration profile and a system profile via editing the .mobileconfig file:



https://jamfnation.jamfsoftware.com/discussion.html?id=4046

I want EAP-TLS machine only. No PEAP.



If doing a manual connection (after removing the config profiles and having proper machine cert) I get user keychain items of



Name: Company Corp
Kind: 802.1x password
Account: host/3355-mp.doman.com
Where: com.apple.network.eap.user.item.wlan.ssid.Company Corp

AND an Identity preference of:
Name: com.apple.network.eap.user.identity.wlan.ssid.Company Corp
Where: com.apple.network.eap.user.identity.wlan.ssid.Company Corp
Preferred Certificate: 3355-mp.doman.com (the correct machine cert)


When installing via a config profile I get SYSTEM keychain items:



Name: Company Corp
Kind: 802.1X Password
Account: host/3355-mp.doman.com
Where: com.apple.network.eap.system.item.wlan.ssid.Company Corp

And identity preference of:
Name: com.apple.network.eap.system.identity.wlan.ssid.Company Corp
Where: com.apple.network.eap.system.identity.wlan.ssid.Company Corp
Preferred Certificate: 3355-mp.doman.com (the correct machine cert)


It all seems close. Obviously via a profile does not work though.

sorry about that, I read right past the not PEAP part .... oops!

system profiles can be created but it requires manually editing a downloaded config profile. The click option for system profile is not there


Pardon? What tool are you talking about that supposedly has this limitation? I've created System Level with Casper 8, 9, and with Profile Manager.

I'm actually profile manager in 10.9 server. JSS is 8.73 and lags behind I. A fee of the config profiles...

Select a Computer Group when creating the Config Profile; you'll get System Level.

Is it a requirement to have a signed mobileconfig in order for it to work for EAP-TLS?

Not sure if either of these help:



http://macmule.com/2014/05/19/error-10-8-clients-not-connecting-to-eap-tls-wireless-with-w2k8-nps/



http://macmule.com/2012/05/16/authenticating-10-7-macs-to-a-radius-server-with-certificate-enabled-peap-authentication-12/

I was able to get it working using the JSS generated configuration profile. I haven't dug though it thoroughly, but it seems the wifi payload generated in MacOS Server Profile Manager was not quite right (or I was doing it wrong). I'd tried editing it and still couldn't get it to work.



I did all of the same things in the JSS and it worked perfectly.



For those interested, I didn't have to specify any certificates, trusted servers, etc. The trusted root was already there. All I needed to do was request the machine cert using the "AD Certificate" payload, making sure to use a template generated for MacOS which uses the UPN ([MachineID]$@domain.com) in the Subject Alternative name of the machine cert. It's worth noting that the PC's send host/[machineID].domain.com as the username, whereas the 10.8 and 10.9 machines send the UPN stored in the machine cert. Before using a different cert template, Mac would send the FQDN stored in the template, which the NPS server rejected.



The only gotcha moving from 802.1x PEAP to 802.1x EAP-TLS was the machine would use info in the keychain and connect to the user-based PEAP connection. Rather than instructing all users to delete that, I ran this as part of the postinstall script.



# Delete references to MY SSID in login keychains

for USER_HOME in /Users/*

  do

    USER_UID=`basename "${USER_HOME}"`

    if [ ! "${USER_UID}" = "Shared" ] 

     then 

      if [ ! -d "${USER_HOME}"/Library/Keychains ]

       then

        echo "do nothing"

      fi

      if [ -e "${USER_HOME}"/Library/Keychains/login.keychain ]

       then

        security delete-generic-password -l "MY SSID" "${USER_HOME}"/Library/Keychains/login.keychain

      fi

    fi

  done

Reply


Terms & ConditionsCookie settings