EAP-TLS Wireless Server 2012 R2 Windows domain

Abdelhafid
New Contributor

Hey everyone,

We have acquired a number of Macs recently and are testing the Casper Suite to manage them. I have been trying to get the Macs to use an AD computer certificate to log into our Wi-Fi.

I created a configuration profile containing the Network, Certificate and AD Certificate payloads, following this guide:

https://www.afp548.com/2012/11/20/802-1x-eaptls-machine-auth-mtlion-adcerts/

When binding Macs to our Windows 2008 R2 domain and using 2008 R2 Certificate servers and 2003 IAS (RADIUS) servers, this seems to work fine.

When binding the Macs to our new Windows 2012 R2 domain, which uses 2012 R2 CAs and 2012 R2 NPS (RADIUS), I can't get the Macs to log onto Wi-Fi.

I enabled debug logging for eapolclient and get the following error:

27-11-14 08:41:18,817 eapolclient[2038]: [EAPCertificateUtil.c:325] EAPSecIdentityCreateCertificateTrustChain(): SecTrustGetCertificateCount returned 0
27-11-14 08:41:19,196 configd[17]: EAPOLController: eapolclient(en1) pid=2038 exited with status 11

The Macs do successfully request and download an AD certificate to the system keychain.

The OS X configuration profile that I'm pushing to the Macs in the 2012 R2 domain is basically the same as the OS X profile I'm pushing to the clients in the 2008 R2 domain, except for changed server names, certificates and trusts.

The NPS doesn't log anything when this happens. When I block the Macs from authenticating in NPS, the NPS logs a deny entry. When the Macs hit an allow rule I get the error on the clients but no entry whatsoever on the NPS server. So it seems that as soon as the Macs try to authenticate using EAP-TLS, something fails on the client, stopping the authentication process.

The Windows machines using the same infrastructure can also authenticate successfully.

The Macs are running OS X 10.9.

Has anyone run into this error? Thanks.


Bremmer
New Contributor

Hi,

Just to be sure:

- Do you run the latest version of 10.9 (10.9.5)?
- Is it working on 10.10?

At one of our clients we had an issue when authenticating to the NPS from a different domain (while the other domain was working). We 'fixed' it by adding the FQDN of the computer to the AD computer object.

Abdelhafid
New Contributor

Hi,

I'm running 10.9.4. I'll give it a try on 10.9.5 and 10.10 and report back.

It doesn't seem to be a matter of the NPS not being able to resolve the computer object, since when it isn't hitting any rules in the NPS, the deny log returns the FQDN and the Active Directory location of the object.