Skip to main content
Solved

802.1x machine-based authentication - configuration


Forum|alt.badge.img+3
  • New Contributor
  • 3 replies

I'm trying to setup 802.1X Wireless using Configuration Profiles and machine-based auth using root CA certificates.

I decided to create a new Certificate Template in AD-CS based on the one we use for our Windows laptops, but this time with the ‘Service Principal Name’ option checked rather than ‘DNS Name’. I followed the advice here (see last post)

Clients receive a certificate just fine using the profile I created and I see an X509 cert in the Keychain. However, the system still doesn’t connect to our 802.1X network - when looking at the RADIUS server logs, I see connection rejections and suspect this might be because the user name presented is still in the form DOMAINhostname$, whereas I believe it should be host/fqdn, as that’s what I see on successful connections from Windows laptops.

I was hoping the new template would ensure the username is presented in the correct form, does anybody know what I'm missing?

Best answer by davidacland

I've had this before with Cisco ISE v1.3. I don't think there is a configuration change you can make on the client end so you'll probably be looking at making adjustments on the RADIUS, or finishing the connection manually on the devices.

View original
Did this topic help you find an answer to your question?

10 replies

davidacland
Forum|alt.badge.img+18
  • Valued Contributor
  • 1811 replies
  • Answer
  • October 20, 2015

I've had this before with Cisco ISE v1.3. I don't think there is a configuration change you can make on the client end so you'll probably be looking at making adjustments on the RADIUS, or finishing the connection manually on the devices.


Forum|alt.badge.img+19
  • Employee
  • 49 replies
  • October 20, 2015

If you are getting the X509 certificate, you are getting close. Hold down the option key and click on the WiFi menu and choose "Open Wireless Diagnostics ...". From the window menu choose "Logs ..." and enable the 802.1X log. This will let you see what the client is getting from and send to your RADIUS box allowing you to verify if the username is really the issue or if it's something else.

Also, look at the X509 Certificate's extensions and see what Subject Alternative Names are in the certificate. These are provided by your AD template and can be tweaked as necessary to tie in with what your RADIUS box is expecting.


Forum|alt.badge.img+6
  • Contributor
  • 47 replies
  • October 20, 2015

There was a weird issue that we saw when using this. After login we had to have user go to System pref > Networks and re-auth the 802.1x profile and reboot before they would connect successfully. Not sure what the issue was but that's our workflow now.


Forum|alt.badge.img+16
  • Employee
  • 27 replies
  • October 20, 2015

Between https://support.microsoft.com/en-us/kb/814394 and https://www.afp548.com/2012/11/20/802-1x-eaptls-machine-auth-mtlion-adcerts/, you will see that the Subject Alternative Name needs to be the UPN (user principal name) for 802.1x to work on Macs. This can be changed in the certificate template. Hope this helps.


mks007
Forum|alt.badge.img+6
  • Contributor
  • 22 replies
  • October 20, 2015

We populate the username as host/$COMPUTERNAME.example.com, this option will appear after tick the TLS box

But we are using a NDES server to generate the certificate on the Mac, I have not tried AD-CS based but our Windows are getting the cert from the AD-CA and they are using the SPN (service principle name) in the machines AD object just the same

(ab319aba838245058d438b12a947fd47) ~[upload]


ndelgrande
Forum|alt.badge.img+5
  • Contributor
  • 27 replies
  • October 20, 2015

I haven't gotten this completely automated yet, but I have been working on our own network access control project for almost 8 months now. Once the Mac has it's unique cert and all the certificates needed for the cert chain, when the user plugs in the ethernet cable, a pop-up shows up. They select default, then their cert, then save it to their keychain and they are good to go. We do have an issue with users not updating their certificate when prompted. So it does work, but I have yet to get it completely automated, mainly because only ethernet is protected right now through EAP-TLS and WiFi is using EAP-FAST.


Forum|alt.badge.img+3
  • Author
  • New Contributor
  • 3 replies
  • October 20, 2015

@dan.kubley We did try that initially - UPN rather than SPN - but got the following error:

Profile installation failed. 

TheActive Directory Certificate’ payload could not be installed. The certificate request failed.

Forum|alt.badge.img+16
  • Employee
  • 27 replies
  • October 21, 2015

@mm10 Hmm, if we look at that AFP548 article I linked above, they ran into the same error. Have you tried enabling the debug logging they mention? Sometimes that logging can give us the ID of the failed cert request, and then on the CA server we can find the exact reason why.


Forum|alt.badge.img+19
  • Employee
  • 49 replies
  • October 21, 2015

Because that error message is soooo informative, I typically enable mcx logging - see this afp548 article. The mcx log will tell you in explicit terms why the cert isn't being accepted. It will actually contain the html markup response from the ad certificate server.


Forum|alt.badge.img+3
  • Author
  • New Contributor
  • 3 replies
  • October 28, 2015

Thanks for all the suggestions. We had our network guys update the RADIUS server configuration to automatically accept usernames from Macs in the form MYDOMAINcomputername$ and all now works swimmingly via TLS.


Reply


Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie settings