802.1X authentication issues

MSR
New Contributor II

Background: Trying to machine authenticate to new Aruba Network SSID

I've seen several discussions on here about 802.1X, but are there any logs that can help troubleshoot why 802.1X connections are failing? I've configured a profile according to https://www.jamf.com/jamf-nation/discussions/8282/802-1x-profiles-help#responseChild44231. It works and I'm getting a X509 certificate to a domain bound mac. However, I cannot for the life of me tweak the profile enough to get it to connect to Aruba wireless.


TreviñoL
Contributor

Make sure to include the Root CA and Intermediate certs in the profile, and make sure to check under the Trust tab that the certs are trusted.

MSR
New Contributor II

I've done that. No dice.

Aaron
Contributor II

You say domain bound Mac, so I'll assume an AD environment.

I've had to make sure that the "servicePrincipalName" attribute in AD for the machine object is set. It needs to be in the format:

host/{$FQDN_of_device}, i.e. host/hostname.domain.org

If this attribute is missing, then it won't connect.

Cem
Valued Contributor

You will need to configure 3 payloads in a configuration profile (Network, Certificate, SCEP) - you can get the cert directly from AD too.
The example below covers using SCEP to issue the computer certificate with the EAP-TLS protocol, with the Macs bound to an Active Directory domain.

Make sure you have the Root cert chain in the System Keychain.

I think you will need to configure SCEP to respond dynamically to the spinning password. The default setting is 5 attempts per hour for the same password, if I remember correctly….
You also need to raise the enquiry limit and tell SCEP to use the specific template from the issuing server.

Once the device has got the cert, RADIUS does the authentication part to
the network - it checks the AD object details, then gives access.

I hope this helps a bit…

General
  Distribution Method: Install Automatically
  Level: Computer Level

NETWORK
  Fill in the details appropriate to your requirements and select the SCEP payload you have used in this profile.

CERTIFICATE
  Upload the whole chain.

SCEP
  URL: http://scepserver.yourcompany.com/certsrv/mscep/mscep.dll/
  Name: whatever name you want…
  Subject: CN=$COMPUTERNAME.yourcompany.com
  Subject Alternative Name Type: DNS Name
  Subject Alternative Name Value: host/$COMPUTERNAME.yourcompany.com
  Challenge Type: Dynamic-Microsoft CA
  URL to SCEP Admin: http://scepserver.yourcompany.com/certsrv/mscep_admin/
  Retries: 0
  Retry Delay: 0 Seconds
  Certificate Expiration Notification Threshold: 14
  Key Size: 1024
  [x] Use as digital signature
  [x] Use for key encipherment
  Fingerprint: #####

Cem
Valued Contributor

On the NETWORK payload make sure to use the variable as below:

Username (Username for connection to the network): host/$COMPUTERNAME.yourcompany.com


MSR
New Contributor II

Sweet, thanks. Are there any logs that are helpful for muddling through this?

We're using an AD request setup. I've added your suggestions outside of SCEP and it's still failing.

csanback
New Contributor III

Are you hosting your PKI server on Windows 2012 R2? We had an issue where our WiFi Config Profile would not install, and we could not see any denies in the event log on the PKI server. We had to reach out to MS and they gave us a reg key (can't find it atm, can reach out to my server team if needed) that allowed the security to be lowered. I guess the default security behavior in 2012 is to ignore all non-encrypted requests. The REG key just lowers it to not ignore them.

Check out this article as well. https://www.afp548.com/2012/11/20/802-1x-eaptls-machine-auth-mtlion-adcerts/

MSR
New Contributor II

We're actually getting certificates just fine. I visited that article many times over the past couple of days. I finally spun up an older macOS so I could get that eapolclient working. Finally getting an error!

1/30/18 2:41:15.685 PM eapolclient[1016]: [eaptls_plugin.c:290] eaptls_verify_server(): server certificate not trusted status 6 0

I'm assuming that I need to do something with the trust settings to allow the server certificate...?

csanback
New Contributor III

Here is a screen shot of my Network Payload trust settings

MSR
New Contributor II

Thanks for your help.

We figured out the issue. Apparently there was a chain of untrusted certs to the Aruba server. We had to add the chain of certs into the network payload and things just started working.

On another note, we used $COMPUTERNAME vs host/$COMPUTERNAME, but I don't understand why. I know the SPN in the active directory has host/$COMPUTERNAME.domain.com on the object's creation, yet $COMPUTERNAME worked. Do you know the difference between these values?
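The three payloads Cem lists and the trust-chain fix MSR landed on, as an added example (not code from the thread, from Jamf, or from Apple): a stdlib-only Python script that builds the Network, Certificate and SCEP payloads with the standard Apple configuration-profile keys, then checks that every anchor UUID in the Network payload's Trust settings actually resolves to a certificate payload carried in the same profile, which is the wiring that produces "server certificate not trusted" when it is missing. Host names, URLs, UUIDs and certificate bytes are made up; the SAN is set to the plain FQDN rather than Cem's host/ value, which is an assumption on my part, and the username keeps the host/$FQDN form.

```python
"""Build and sanity-check an EAP-TLS machine-auth Wi-Fi profile (.mobileconfig).
Added example; host names, URLs, UUIDs and certificate bytes are constructed.
"""
import plistlib
import uuid

EAP_TLS = 13  # IANA EAP method number for EAP-TLS

# Constructed placeholders; a real payload carries the DER bytes of the RADIUS
# server's root and intermediate CA certificates.
FAKE_ROOT_CA_DER = b"\x30\x82\x01\x00ROOT-CA-PLACEHOLDER"
FAKE_INTERMEDIATE_DER = b"\x30\x82\x01\x00INTERMEDIATE-CA-PLACEHOLDER"

CERT_TYPES = {"com.apple.security.pkcs1", "com.apple.security.root"}
IDENTITY_TYPES = {"com.apple.security.scep", "com.apple.security.pkcs12"}


def base(payload_type, ident, name):
    """Keys every payload needs."""
    return {"PayloadType": payload_type, "PayloadVersion": 1, "PayloadIdentifier": ident,
            "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadDisplayName": name}


def cert_payload(name, der):
    p = base("com.apple.security.pkcs1", f"com.example.cert.{name}", name)
    p["PayloadContent"] = der  # plistlib serialises bytes as <data>
    return p


def scep_payload(scep_url, fqdn):
    p = base("com.apple.security.scep", "com.example.scep.machine", "Machine cert (SCEP)")
    p["PayloadContent"] = {
        "URL": scep_url,
        "Name": "MachineCA",                 # CA identifier, if your SCEP server needs one
        "Subject": [[["CN", fqdn]]],         # Apple's nested attribute/value array form
        "SubjectAltName": {"dNSName": fqdn},
        "Challenge": "dynamic-challenge-placeholder",  # from mscep_admin in a real deployment
        "Keysize": 2048, "Key Type": "RSA",
        "Key Usage": 5,                      # 1 = digital signature, 4 = key encipherment
        "Retries": 3, "RetryDelay": 10,
    }
    return p


def network_payload(ssid, username, identity_uuid, anchor_uuids, trusted_names):
    p = base("com.apple.wifi.managed", "com.example.wifi.corp", f"Wi-Fi {ssid}")
    p.update({
        "SSID_STR": ssid, "AutoJoin": True, "EncryptionType": "WPA2",
        "SetupModes": ["System"],                  # machine (System mode) connection
        "PayloadCertificateUUID": identity_uuid,   # identity presented to RADIUS
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [EAP_TLS],
            "UserName": username,
            "PayloadCertificateAnchorUUID": list(anchor_uuids),  # the "Trust" tab
            "TLSTrustedServerNames": list(trusted_names),
            "TLSAllowTrustExceptions": False,  # do not let the user click through
        },
    })
    return p


def build_profile(fqdn, ssid="CorpWiFi",
                  scep_url="http://scep.example.com/certsrv/mscep/mscep.dll/"):
    root = cert_payload("root-ca", FAKE_ROOT_CA_DER)
    inter = cert_payload("intermediate-ca", FAKE_INTERMEDIATE_DER)
    scep = scep_payload(scep_url, fqdn)
    wifi = network_payload(ssid, f"host/{fqdn}", scep["PayloadUUID"],
                           [root["PayloadUUID"], inter["PayloadUUID"]], ["radius.example.com"])
    return {"PayloadType": "Configuration", "PayloadVersion": 1, "PayloadScope": "System",
            "PayloadIdentifier": "com.example.wifi.eaptls", "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadDisplayName": "EAP-TLS machine auth", "PayloadContent": [root, inter, scep, wifi]}


def check_trust_wiring(profile):
    """Return a list of problems; empty means every trust reference resolves."""
    problems = []
    by_uuid = {p["PayloadUUID"]: p for p in profile["PayloadContent"]}
    for p in profile["PayloadContent"]:
        if p["PayloadType"] != "com.apple.wifi.managed":
            continue
        eap = p.get("EAPClientConfiguration", {})
        if EAP_TLS not in eap.get("AcceptEAPTypes", []):
            problems.append("EAP-TLS (13) missing from AcceptEAPTypes")
        if by_uuid.get(p.get("PayloadCertificateUUID"), {}).get("PayloadType") not in IDENTITY_TYPES:
            problems.append("PayloadCertificateUUID does not point at a SCEP/PKCS12 identity payload")
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors:
            problems.append("no trusted anchors: the RADIUS chain is untrusted unless the OS already trusts it")
        for a in anchors:
            if by_uuid.get(a, {}).get("PayloadType") not in CERT_TYPES:
                problems.append(f"anchor {a} does not reference a certificate payload in this profile")
        if not eap.get("TLSTrustedServerNames"):
            problems.append("TLSTrustedServerNames is empty: any server cert chaining to an anchor is accepted")
    return problems


def to_mobileconfig(profile):
    return plistlib.dumps(profile)  # XML plist that the `profiles` tool or Jamf can install
```

Write `to_mobileconfig(build_profile("mac0123.yourcompany.com"))` to a file and push it with Jamf or the `profiles` command after swapping in the real DER chain and SCEP URL. `check_trust_wiring` is worth running on any hand-edited profile: the anchor list is what the Trust tab edits, and an anchor that points nowhere, or a chain with the intermediate left out, is exactly the untrusted-chain situation this thread ended on. `TLSTrustedServerNames` is the second half of that check, since anchoring the CA alone lets any certificate issued under it pass as the RADIUS server.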

maziboss
New Contributor
Posted: 1/30/18 at 3:07 AM by Cem:
"On the NETWORK payload make sure to use the variable as below: Username (Username for connection to the network): host/$COMPUTERNAME.yourcompany.com"

@Cem OK, I'm not using Jamf and want to deploy all necessary WiFi settings via CP. Is there a method to fill in the variable host/$COMPUTERNAME.yourcompany.com?

Cem
Valued Contributor

@maziboss I think host/%ComputerName%.yourcompany.com may work...
ref: help.apple.com/profilemanager/mac