802.1x EAP-TLS wireless config

adroitboy
New Contributor III

Hello all. I'm trying to get a system-level 802.1x EAP-TLS wifi configuration working in 10.8. It works fine with our Windows 7 machines.

Macs are

  • OS 10.8
  • AD bound
  • Have proper CA certificate trusts
  • Can request a machine cert via DRE/RPC

All of that is already done, and it connects beautifully when I connect as a user. Choose the SSID, then:

  • Mode: EAP-TLS
  • Identity: machineID.domain.com
  • Username: host/machineID.domain.com

However, I've had a terrible time getting this to work using a configuration profile. The Machine always fails to Authenticate, leaving a NPS error code of 23 in the NPS logs. Since this works flawlessly on our Windows 7 machines, I feel the answer lies somewhere in the configuration profile.

Any hints on figuring this one out? My config profile is generated using 10.9/Server 3.1 and has a wifi profile that uses an identity certificate payload. After downloading I delete

<key>TTLSInnerAuthentication</key> <string>MSCHAPv2</string>

and

<key>OuterIdentity</key> <string/>

Also change loginwindow to

<key>SetupModes</key> <array> <string>System</string>

I don't have any certificate payload included. The NPS and CA are trusted already. I have tried adding the NPS, CA, Cert issuer in "Trusted server Certificate Names" as well.

Here's the full thing.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadIdentifier</key>
    <string>com.apple.mdm.mdm.domain.com.60427220-f415-0131-8fec-2820661a7b35.alacarte</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <!-- User scope as downloaded; a machine-level profile is scoped to System -->
    <key>PayloadScope</key>
    <string>User</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>60427220-f415-0131-8fec-2820661a7b35</string>
    <key>PayloadOrganization</key>
    <string>WeDesign</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadDisplayName</key>
    <string>WIFI</string>
    <key>PayloadDescription</key>
    <string>Request certificate via DRE/RPC and install 802.1x EAP-TLS wifi config.</string>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadType</key>
            <string>com.apple.ADCertificate.managed</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadIdentifier</key>
            <string>com.apple.mdm.mdm.domain.com.80327220-f415-0131-8fec-2820661a7b35.alacarte.adcert.33b0562c-12f0-428c-a5ef-df2203a2200e</string>
            <key>PayloadUUID</key>
            <string>37b3562c-12f0-428c-a5ef-df2203a2200e</string>
            <key>PayloadEnabled</key>
            <true/>
            <key>PayloadDisplayName</key>
            <string>AD Certificate</string>
            <key>CertTemplate</key>
            <string>ComputerMacOS</string>
            <key>CertificateAcquisitionMechanism</key>
            <string>RPC</string>
            <key>PromptForCredentials</key>
            <false/>
            <key>Description</key>
            <string>Request ComputerMacOS Machine Certificate</string>
            <key>CertServer</key>
            <string>LAXCA01.domain.com</string>
            <key>CertificateAuthority</key>
            <string>LAXCA01</string>
        </dict>
        <dict>
            <key>PayloadType</key>
            <string>com.apple.wifi.managed</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadIdentifier</key>
            <string>com.apple.mdm.mdm.domain.com.80327220-f415-0131-8fec-2820661a7b35.alacarte.interfaces.958ee100-f416-0131-8fee-2820461a7b35</string>
            <key>PayloadUUID</key>
            <string>958ee100-f416-0131-8fee-2820661a7b35</string>
            <key>PayloadEnabled</key>
            <true/>
            <key>PayloadDisplayName</key>
            <string>WiFi (CompanyCorp)</string>
            <key>HIDDEN_NETWORK</key>
            <false/>
            <key>AutoJoin</key>
            <true/>
            <key>ProxyType</key>
            <string>None</string>
            <key>EncryptionType</key>
            <string>WPA</string>
            <key>SetupModes</key>
            <array>
                <string>System</string>
            </array>
            <key>AuthenticationMethod</key>
            <string/>
            <key>Interface</key>
            <string>BuiltInWireless</string>
            <key>SSID_STR</key>
            <string>CompanyCorp</string>
            <key>EAPClientConfiguration</key>
            <dict>
                <key>TLSTrustedServerNames</key>
                <array>
                    <string>LAXNPS01.domain.com</string>
                </array>
                <key>AcceptEAPTypes</key>
                <array>
                    <integer>13</integer>
                </array>
                <key>EAPFASTProvisionPACAnonymously</key>
                <false/>
                <key>EAPFASTProvisionPAC</key>
                <false/>
                <key>EAPFASTUsePAC</key>
                <false/>
                <key>UserName</key>
                <string>host/%HostName%</string>
                <key>TLSCertificateIsRequired</key>
                <true/>
            </dict>
            <!-- As pasted, this value does not equal the AD Certificate payload's PayloadUUID
                 (37b3562c-12f0-428c-a5ef-df2203a2200e) above; the Wi-Fi payload must reference
                 that exact UUID for the machine identity to be used by EAP-TLS -->
            <key>PayloadCertificateUUID</key>
            <string>3750562c-12f0-428c-a5ef-df2203a2200e</string>
        </dict>
    </array>
</dict>
</plist>
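A quick way to check a hand-edited .mobileconfig like the one above before pushing it is to lint the plist for the things this thread turns on: the profile scope, a stray TTLSInnerAuthentication key, EAP-TLS as the only accepted type, a System setup mode, and a PayloadCertificateUUID that actually points at a certificate payload in the same profile (in the pasted profile the Wi-Fi payload references 3750562c-… while the AD Certificate payload's PayloadUUID is 37b3562c-…; whether that is a paste slip or the real defect, the lint flags it). The following is an added example written for this page, not code from the thread or from Apple; the set of certificate payload types, the sample UUIDs, hostnames and the "Loginwindow" setup-mode value in the constructed profiles are assumptions.

```python
import plistlib
from typing import Dict, List

EAP_TLS = 13  # IANA EAP method type 13 = EAP-TLS, the value used in AcceptEAPTypes above

# Payload types that install or request a client identity the Wi-Fi payload may
# reference by UUID. The AD Certificate type is the one the thread uses; the other
# two are assumed here as the usual alternatives.
CERT_PAYLOAD_TYPES = {
    "com.apple.ADCertificate.managed",
    "com.apple.security.pkcs12",
    "com.apple.security.scep",
}


def lint_profile(profile: Dict) -> List[str]:
    """Return the problems found in a parsed profile; an empty list means it passed."""
    problems: List[str] = []
    if profile.get("PayloadScope") != "System":
        problems.append("PayloadScope is not System: this installs as a user-level profile")
    payloads = profile.get("PayloadContent", [])
    cert_uuids = {p.get("PayloadUUID") for p in payloads
                  if p.get("PayloadType") in CERT_PAYLOAD_TYPES}
    wifi_payloads = [p for p in payloads if p.get("PayloadType") == "com.apple.wifi.managed"]
    if not wifi_payloads:
        problems.append("no com.apple.wifi.managed payload found")
    for wifi in wifi_payloads:
        eap = wifi.get("EAPClientConfiguration", {})
        if list(eap.get("AcceptEAPTypes", [])) != [EAP_TLS]:
            problems.append("AcceptEAPTypes is not exactly [13] (EAP-TLS)")
        if "TTLSInnerAuthentication" in eap:
            problems.append("TTLSInnerAuthentication is set: leftover from a TTLS/PEAP template")
        if not eap.get("TLSCertificateIsRequired"):
            problems.append("TLSCertificateIsRequired is not true")
        if "System" not in wifi.get("SetupModes", []):
            problems.append("SetupModes lacks System: no machine-level 802.1X before login")
        ref = wifi.get("PayloadCertificateUUID")
        if ref is None:
            problems.append("PayloadCertificateUUID missing: EAP-TLS has no client identity")
        elif ref not in cert_uuids:
            problems.append(f"PayloadCertificateUUID {ref} matches no certificate payload UUID")
    return problems


def lint_mobileconfig(data: bytes) -> List[str]:
    """Parse a .mobileconfig (XML or binary plist) and lint it."""
    return lint_profile(plistlib.loads(data))


# --- constructed sample profiles (UUIDs, hostnames and SSID are made up) ---
CERT_UUID = "11111111-1111-1111-1111-111111111111"


def build_profile(scope: str, cert_ref: str, setup_modes: List[str],
                  leftover_inner_auth: bool) -> Dict:
    """Build a two-payload profile shaped like the one posted in the thread."""
    eap = {
        "AcceptEAPTypes": [EAP_TLS],
        "UserName": "host/%HostName%",
        "TLSCertificateIsRequired": True,
        "TLSTrustedServerNames": ["nps.example.com"],
    }
    if leftover_inner_auth:
        eap["TTLSInnerAuthentication"] = "MSCHAPv2"
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": scope,
        "PayloadIdentifier": "com.example.wifi.eaptls",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadContent": [
            {
                "PayloadType": "com.apple.ADCertificate.managed",
                "PayloadVersion": 1,
                "PayloadUUID": CERT_UUID,
                "CertTemplate": "ComputerMacOS",
                "CertificateAcquisitionMechanism": "RPC",
            },
            {
                "PayloadType": "com.apple.wifi.managed",
                "PayloadVersion": 1,
                "PayloadUUID": "00000000-0000-0000-0000-000000000002",
                "SSID_STR": "CompanyCorp",
                "EncryptionType": "WPA",
                "SetupModes": setup_modes,
                "EAPClientConfiguration": eap,
                "PayloadCertificateUUID": cert_ref,
            },
        ],
    }


# As downloaded from Profile Manager: user scope, login-window mode ("Loginwindow" is an
# assumed value), stray inner auth, and a certificate reference that matches nothing.
BROKEN_PROFILE = plistlib.dumps(
    build_profile("User", "22222222-2222-2222-2222-222222222222", ["Loginwindow"], True))
# Corrected: system scope, System setup mode, EAP-TLS only, matching certificate UUID.
FIXED_PROFILE = plistlib.dumps(build_profile("System", CERT_UUID, ["System"], False))

if __name__ == "__main__":
    for name, data in (("broken", BROKEN_PROFILE), ("fixed", FIXED_PROFILE)):
        print(name, lint_mobileconfig(data) or "OK")
```

Run it against a real download with `lint_mobileconfig(open("WIFI.mobileconfig", "rb").read())`; plistlib reads both the XML form Profile Manager emits and the binary form, but not a CMS-signed profile, so strip the signature first (for example with `security cms -D -i signed.mobileconfig`) if the server signs its downloads.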

alexjdale
Valued Contributor III

Is it requesting the cert properly? You should see the cert and associated private key on the System keychain after installing the profile.

I actually do my CSR manually in a script and encode the cert into a Profile that gets installed. Our trust is all handled by pre-installed root/CA certs on the keychain too, I don't include them in the profile and it works fine, so that shouldn't be the issue.

JPDyson
Valued Contributor

I wonder if you're breaking the plist with your modifications; why not just start out creating a system level profile rather than user level?

adroitboy
New Contributor III

Yes, I get a proper machine cert. It shows as trusted.

@JPDyson, I can't seem to create a machine level profile. It always specifies "loginwindow"

adroitboy
New Contributor III

EDIT: unfortunately I forgot to clear out my previous manual config. Still not fixed.

adroitboy
New Contributor III

Hmmm…spoke too soon. I didn't clear out my manual config and got quickly excited when it worked.

Why would I see <key>TTLSInnerAuthentication</key><string>MSCHAPv2</string>

I only check TLS under Accepted EAP types payload.

pat_best
Contributor III

Are you wanting user credentials to pass through at login for wireless authentication, machine authentication to wireless then user authentication after login, or machine only authentication?

edit: system profiles can be created but it requires manually editing a downloaded config profile. The click option for system profile is not there.

edit 2: here is a link describing both a login window configuration profile and a system profile via editing the .mobileconfig file:

https://jamfnation.jamfsoftware.com/discussion.html?id=4046

adroitboy
New Contributor III

I want EAP-TLS machine only. No PEAP.

If doing a manual connection (after removing the config profiles and having proper machine cert) I get user keychain items of

Name: Company Corp
Kind: 802.1x password
Account: host/3355-mp.doman.com
Where: com.apple.network.eap.user.item.wlan.ssid.Company Corp

and an identity preference of:

Name: com.apple.network.eap.user.identity.wlan.ssid.Company Corp
Where: com.apple.network.eap.user.identity.wlan.ssid.Company Corp
Preferred Certificate: 3355-mp.doman.com (the correct machine cert)

When installing via a config profile I get SYSTEM keychain items:

Name: Company Corp
Kind: 802.1X Password
Account: host/3355-mp.doman.com
Where: com.apple.network.eap.system.item.wlan.ssid.Company Corp

and an identity preference of:

Name: com.apple.network.eap.system.identity.wlan.ssid.Company Corp
Where: com.apple.network.eap.system.identity.wlan.ssid.Company Corp
Preferred Certificate: 3355-mp.doman.com (the correct machine cert)

It all seems close. Obviously, via a profile it does not work though.

pat_best
Contributor III

sorry about that, I read right past the not PEAP part .... oops!

JPDyson
Valued Contributor

"system profiles can be created but it requires manually editing a downloaded config profile. The click option for system profile is not there"

Pardon? What tool are you talking about that supposedly has this limitation? I've created System Level with Casper 8, 9, and with Profile Manager.

adroitboy
New Contributor III

I'm actually using Profile Manager in 10.9 Server. JSS is 8.73 and lags behind in a few of the config profiles...

JPDyson
Valued Contributor

Select a Computer Group when creating the Config Profile; you'll get System Level.

adroitboy
New Contributor III

Is it a requirement to have a signed mobileconfig in order for it to work for EAP-TLS?

adroitboy
New Contributor III

I was able to get it working using the JSS-generated configuration profile. I haven't dug through it thoroughly, but it seems the wifi payload generated in OS X Server Profile Manager was not quite right (or I was doing it wrong). I'd tried editing it and still couldn't get it to work.

I did all of the same things in the JSS and it worked perfectly.

For those interested, I didn't have to specify any certificates, trusted servers, etc. The trusted root was already there. All I needed to do was request the machine cert using the "AD Certificate" payload, making sure to use a template generated for Mac OS which uses the UPN ([MachineID]$@domain.com) in the Subject Alternative Name of the machine cert. It's worth noting that the PCs send host/[machineID].domain.com as the username, whereas the 10.8 and 10.9 machines send the UPN stored in the machine cert. Before using a different cert template, the Mac would send the FQDN stored in the template, which the NPS server rejected.

The only gotcha moving from 802.1x PEAP to 802.1x EAP-TLS was the machine would use info in the keychain and connect to the user-based PEAP connection. Rather than instructing all users to delete that, I ran this as part of the postinstall script.

#!/bin/sh
# Delete references to MY SSID in login keychains.
# Runs as root from the package postinstall script, so it can open every user's
# login keychain file directly.
for USER_HOME in /Users/*; do
    USER_UID=$(basename "${USER_HOME}")
    # Skip the Shared folder and any home without a login keychain
    if [ "${USER_UID}" != "Shared" ] && [ -e "${USER_HOME}/Library/Keychains/login.keychain" ]; then
        # Remove the stale 802.1X password item left by the old user-based PEAP connection
        security delete-generic-password -l "MY SSID" "${USER_HOME}/Library/Keychains/login.keychain"
    fi
done