  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2183

OSX 10.6.8 PEAP-TLS Configuration

Trying to deploy PEAP-TLS over a Cisco wireless system.  It works fine on WindowsXP and Win7 clients.  On the test mac client, I can load the personal certificate in the login keychain and the root certificate in the System and SystemRoot keychains.  I configured the apple supplicant to use PEAP TLS with the personal certificate in the TLS config.  The client will not connect to the network.  The RADIUS server event log shows an undetermined EAP type which is typical if it can't get the proper response from the client.  The mac client system log shows this:


Oct 19 13:50:55 it-techs-iMac eapolclient[304]: SecKeychainFindGenericPassword failed, -25300
Oct 19 13:50:55 it-techs-iMac eapolclient[304]: en1: failed to retrieve password from keychain
Oct 19 13:50:55 it-techs-iMac eapolclient[304]: en1 START
Oct 19 13:50:56 it-techs-iMac eapolclient[304]: en1 STOP

It looks as though the supplicant tries to access the keychain for the personal certificate to log in but gets denied access.

Any help is greatly appreciated.
Asked by: HFETECH
1 Solution
 
iwaxx commented:
Ain't you mixing PEAP and EAP-TLS?
* PEAP encapsulates an EAP method in an EAP-TLS tunnel.
Most of the time, the tunneled method is a password authentication (EAP-MSCHAPv2).
A PEAP client certificate is optional.

* EAP-TLS only uses certificates, on both client and server side.

In your logs, eapolclient is looking for a password from the keychain, not a certificate.
Which would be normal if you selected the PEAP method.

So if you only have a certificate for the client and no password authentication, you should take the EAP-TLS method on your Mac.

This paper is well done:
http://www.opus1.com/www/whitepapers/ttlsandpeap.pdf
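As an added triage example (not part of the original thread), a small Python script that parses eapolclient syslog lines like the ones quoted in the question and maps the keychain error to the diagnosis above; the sample log lines are constructed, and the OSStatus names are the macOS Security framework's.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the eapolclient lines quoted in the question.
SAMPLE_LOG = """\
Oct 19 13:50:55 it-techs-iMac eapolclient[304]: SecKeychainFindGenericPassword failed, -25300
Oct 19 13:50:55 it-techs-iMac eapolclient[304]: en1: failed to retrieve password from keychain
Oct 19 13:50:55 it-techs-iMac eapolclient[304]: en1 START
Oct 19 13:50:56 it-techs-iMac eapolclient[304]: en1 STOP
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ eapolclient\[\d+\]: (.*)$")
KEYCHAIN_RE = re.compile(r"SecKeychain\w+ failed, (-?\d+)")
STATE_RE = re.compile(r"^(\w+) (START|STOP)$")

# Security framework OSStatus values eapolclient reports on keychain lookups
SEC_ERRORS = {-25300: "errSecItemNotFound (no stored 802.1X password)",
              -25293: "errSecAuthFailed (keychain access denied)"}

def diagnose(log_text, max_attempt_seconds=5):
    """Summarise eapolclient log lines and say whether the supplicant gave up
    because it wanted a password (PEAP inner method) the keychain does not hold."""
    keychain_errors, failed_attempts, started = [], 0, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an eapolclient line
        # syslog carries no year; only deltas matter, so year 1900 is fine
        ts, msg = datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2)
        ke = KEYCHAIN_RE.search(msg)
        if ke:
            keychain_errors.append(int(ke.group(1)))
        st = STATE_RE.match(msg)
        if st:
            ifname, state = st.groups()
            if state == "START":
                started[ifname] = ts
            elif ifname in started and (ts - started.pop(ifname)).total_seconds() <= max_attempt_seconds:
                failed_attempts += 1  # STOP right after START: the 802.1X attempt was abandoned
    result = {"keychain_errors": [SEC_ERRORS.get(e, f"OSStatus {e}") for e in keychain_errors],
              "failed_attempts": failed_attempts}
    if -25300 in keychain_errors:
        result["verdict"] = ("PEAP selected: supplicant expects a password for the inner method "
                             "but none is stored; store one, or use EAP-TLS if only a client certificate exists")
    elif keychain_errors:
        result["verdict"] = "keychain access problem: check keychain ACLs for eapolclient"
    else:
        result["verdict"] = "no keychain error: look at the RADIUS server side"
    return result

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```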
 
HFETECH (Author) commented:
Thank you for the assistance.  Windows clients must present their user/pass in the background without the need for the IAS RADIUS profile to explicitly have MS-CHAPv2.  Your comment led me back to the IAS profile and it turns out 2 adjustments were needed.  First, I had to remove from the Remote Access Profile the Domain Computers requirement, as the Macs are not joined to the domain.  Second, in IAS Wireless Connection Remote Access Profile > Edit Profile > Authentication Tab > Check MSCHAP-V2 > EAP Methods > Edit Protected EAP > EAP Types > Add Secure Password MS-CHAPv2.

It was that last part I didn't have.  The PEAP profile only had the "Smart Card or other certificate" option.  Macs apparently require the addition of the Secure Password under PEAP.  It still requires the TLS certificate for setting up the encrypted tunnel for authentication.  I tested that by removing the TLS option on the MAC and authentication just spun until it timed out.  In the end PEAP-TLS is an option it just requires MS-CHAPv2 also when using OSX and probably any other UNIX variant.

Thanks again for your assistance.

 
HFETECH (Author) commented:
This fixed the problem and Mac clients can now join using PEAP with a TLS-encrypted tunnel and MSCHAPv2 authentication.
 
araberuni commented:
Here is a complete how-to for IAS and cross-platform client config: http://microsoftguru.com.au/2009/08/17/microsoft-radius-server-ias-apple-imacmacbook-pro-osx-10-5-and-xp-pro-step-by-step/

Please follow this config.