Ed Watkins
asked on
OSX 10.6.8 PEAP-TLS Configuration
Trying to deploy PEAP-TLS over a Cisco wireless system. It works fine on Windows XP and Win7 clients. On the test Mac client, I can load the personal certificate in the login keychain and the root certificate in the System and SystemRoot keychains. I configured the Apple supplicant to use PEAP TLS with the personal certificate in the TLS config. The client will not connect to the network. The RADIUS server event log shows an undetermined EAP type, which is typical if it can't get the proper response from the client. The Mac client system log shows this:
Oct 19 13:50:55 it-techs-iMac eapolclient[304]: SecKeychainFindGenericPassword failed, -25300
Oct 19 13:50:55 it-techs-iMac eapolclient[304]: en1: failed to retrieve password from keychain
Oct 19 13:50:55 it-techs-iMac eapolclient[304]: en1 START
Oct 19 13:50:56 it-techs-iMac eapolclient[304]: en1 STOP
It looks as though the supplicant tries to access the keychain for the personal certificate to log in but gets denied access.
Any help is greatly appreciated.
ASKER CERTIFIED SOLUTION
ASKER
This fixed the problem and Mac clients can now join using PEAP with a TLS-encrypted tunnel and MSCHAPv2 authentication.
Here is a complete how to for IAS and cross platform client config http://microsoftguru.com.au/2009/08/17/microsoft-radius-server-ias-apple-imacmacbook-pro-osx-10-5-and-xp-pro-step-by-step/
Please follow this config
* PEAP encapsulates an EAP method in an EAP-TLS tunnel.
Most of the time, the tunneled method is a password authentication (EAP-MSCHAPv2).
A PEAP client certificate is optional.
* EAP-TLS only uses certificates on both client and server side.
In your logs, eapolclient is looking for a password from the keychain, not a certificate.
Which would be normal if you selected the PEAP method.
So if you only have a certificate for the client and no password authentication, you should take the EAP-TLS method on your Mac.
This paper is well done:
http://www.opus1.com/www/whitepapers/ttlsandpeap.pdf