OSX 10.6.8 PEAP-TLS Configuration

Posted on 2011-10-19
Last Modified: 2013-11-12
Trying to deploy PEAP-TLS over a Cisco wireless system.  It works fine on WindowsXP and Win7 clients.  On the test mac client, I can load the personal certificate in the login keychain and the root certificate in the System and SystemRoot keychains.  I configured the apple supplicant to use PEAP TLS with the personal certificate in the TLS config.  The client will not connect to the network.  The RADIUS server event log shows an undetermined EAP type which is typical if it can't get the proper response from the client.  The mac client system log shows this:

Oct 19 13:50:55 it-techs-iMac eapolclient[304]: SecKeychainFindGenericPassword failed, -25300
Oct 19 13:50:55 it-techs-iMac eapolclient[304]: en1: failed to retrieve password from keychain
Oct 19 13:50:55 it-techs-iMac eapolclient[304]: en1 START
Oct 19 13:50:56 it-techs-iMac eapolclient[304]: en1 STOP

It looks as though the supplicant tries to access the keychain for the personal certificate to log in but gets denied access.

Any help is greatly appreciated.
Question by:HFETECH

    Expert Comment

    Aren't you mixing PEAP and EAP-TLS?
    * PEAP encapsulates an EAP method in an EAP-TLS tunnel.
    Most of the time, the tunneled method is a password authentication (EAP-MSCHAPv2).
    A PEAP client certificate is optional.

    * EAP-TLS only uses certificates on both the client and server side.

    In your logs, eapolclient is looking for a password from the keychain, not a certificate.
    Which would be normal if you selected the PEAP method.

    So if you only have a certificate for the client and no password authentication, you should take the EAP-TLS method on your Mac.

    This paper is well done:

    Accepted Solution

    Thank you for the assistance.  Windows clients must present their user/pass in the background without the need for the IAS RADIUS profile to explicitly have MS-CHAPv2.  Your comment led me back to the IAS profile and it turns out 2 adjustments were needed.  First, I had to remove from the Remote Access Profile the Domain Computers requirement, as the Macs are not joined to the domain.  Second, in IAS Wireless Connection Remote Access Profile > Edit Profile > Authentication Tab > Check MSCHAP-V2 > EAP Methods > Edit Protected EAP > EAP Types > Add Secure Password MS-CHAPv2.

    It was that last part I didn't have.  The PEAP profile only had the "Smart Card or other certificate" option.  Macs apparently require the addition of the Secure Password under PEAP.  It still requires the TLS certificate for setting up the encrypted tunnel for authentication.  I tested that by removing the TLS option on the Mac and authentication just spun until it timed out.  In the end PEAP-TLS is an option; it just requires MS-CHAPv2 also when using OSX and probably any other UNIX variant.

    Thanks again for your assistance.
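The two posts above turn on which EAP method each side is asking for: the outer method (EAP-TLS, type 13, or PEAP, type 25) is negotiated in cleartext and a client that disagrees answers with an EAP Nak listing the types it will accept, while the method tunneled inside PEAP (EAP-MSCHAPv2, type 26, or "Smart Card or other certificate", i.e. EAP-TLS) is encrypted and only shows up in the RADIUS server's log. The decoder below is an added example, not code from this thread or from Apple, Cisco or Microsoft; the packet bytes are a constructed exchange (the identity "hfetech" is hypothetical), built so that the server offers PEAP and the client Naks asking for EAP-TLS, the kind of mismatch the first reply describes. Type numbers are from RFC 3748 and the IANA EAP method registry.

```python
"""Decode EAP packets (as carried in RADIUS EAP-Message attributes or EAPOL
frames) and name the method each side asks for, so an outer-method mismatch
such as PEAP offered / EAP-TLS wanted is visible without a full capture tool."""
import struct

# EAP Code field (RFC 3748 section 4)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4

# EAP method Type numbers (IANA "Method Types" registry); only the ones this thread touches
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def parse_eap(packet: bytes) -> dict:
    """Parse one EAP packet into a dict with code, id, method and per-type details."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError(f"bad EAP Length field {length} for {len(packet)} bytes")
    body = packet[4:length]
    info = {"code": code, "id": ident}
    if code == EAP_SUCCESS:
        info["method"] = "Success"
        return info
    if code == EAP_FAILURE:
        info["method"] = "Failure"
        return info
    if code not in (EAP_REQUEST, EAP_RESPONSE):
        raise ValueError(f"unknown EAP Code {code}")
    if not body:
        raise ValueError("Request/Response without a Type byte")
    eap_type = body[0]
    info["type"] = eap_type
    info["method"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
    if eap_type == 1:                       # Identity: rest of the body is the NAI
        info["identity"] = body[1:].decode("utf-8", "replace")
    elif eap_type == 3:                     # Nak: peer lists the types it would accept instead
        info["desired"] = [EAP_TYPES.get(t, f"unknown({t})") for t in body[1:]]
    elif eap_type in (13, 25) and len(body) > 1:
        flags = body[1]                     # EAP-TLS/PEAP flags byte: L, M, S bits; PEAP version in low 3 bits
        info["flags"] = {"length_included": bool(flags & 0x80),
                         "more_fragments": bool(flags & 0x40),
                         "start": bool(flags & 0x20)}
        if eap_type == 25:
            info["peap_version"] = flags & 0x07
    return info


def find_method_mismatch(packets):
    """Return (offered, desired) if the peer Nak'd the server's outer EAP method, else None."""
    offered = None
    for pkt in map(parse_eap, packets):
        if pkt["code"] == EAP_REQUEST and pkt.get("type", 0) > 3:
            offered = pkt["method"]                         # server proposed a real method
        elif pkt["code"] == EAP_RESPONSE and pkt.get("type") == 3 and offered:
            return offered, pkt["desired"]                  # client refused it
    return None


# Constructed sample exchange (not a real capture): the server starts PEAP,
# the client answers with a Nak asking for EAP-TLS, and the server gives up.
SAMPLE_EXCHANGE = [
    b"\x01\x01\x00\x05\x01",            # Request/Identity
    b"\x02\x01\x00\x0c\x01hfetech",     # Response/Identity, hypothetical NAI "hfetech"
    b"\x01\x02\x00\x06\x19\x20",        # Request, type 25 (PEAP), flags S (start), version 0
    b"\x02\x02\x00\x06\x03\x0d",        # Response, type 3 (Nak), desired type 13 (EAP-TLS)
    b"\x04\x02\x00\x04",                # Failure
]

if __name__ == "__main__":
    for p in SAMPLE_EXCHANGE:
        print(parse_eap(p))
    print("mismatch:", find_method_mismatch(SAMPLE_EXCHANGE))
```

A Nak in the outer exchange points at a PEAP-versus-EAP-TLS selection error on the client or server. If the outer exchange runs PEAP to completion and only then fails, as it did for the poster, the disagreement is about the inner method inside the TLS tunnel, and the RADIUS server's own log (here the IAS profile's configured PEAP EAP types) is the place to look.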


    Author Closing Comment

    This fixed the problem and Mac clients can now join using PEAP with a TLS encrypted tunnel and MSCHAPv2 authentication.

    Expert Comment

    Here is a complete how-to for IAS and cross-platform client config

    Please follow this config
