Solved

EAP-TLS Authentication Failing Before Client Handshake and Machine Cert

Posted on 2013-06-13
Last Modified: 2013-12-09
I am running an EAP-TLS machine auth environment for both wireless and wired connections. I am having an issue with a specific machine and the EAP-TLS auth process. The machine is a Retina MacBook Pro 15" running 10.8.4. I have set this machine up with the same profile in Profile Manager as other Macs running the same OS version, and it gets its machine cert from the CA plus the trust certs fine (the same as all the other machines).

The problem comes in the authentication process. Where all other systems like this one will respond to the server's request to supply their machine cert for TLS, this machine does not send the machine cert. Unfortunately there are no errors on the server (2008R2 NPS with tracing) or the client; the process just stops.

The normal process in EAP network monitor logs goes something like this:
client to server EAP Response Identity
server to client EAP Request EAP-TLS
client to server TLS Handshake Client Hello
server to client TLS Handshake Server Hello Certificate
client to server EAP Response EAP-TLS
server to client EAP Request EAP-TLS
client to server EAP Response EAP-TLS
server to client EAP Request EAP-TLS
client to server TLS Handshake Certificate (machine cert is sent) <-- Does not happen on failing client.
5-7 other EAP-TLS steps for successful clients

On the failing client, instead of the machine cert handshake, the process just stops after the preceding server-to-client EAP Request EAP-TLS step. I have Wireshark and Network Monitor running as well as tracing on the server, but nothing seems to point to a problem.

Any ideas?
Question by:ND_2007
14 Comments
 
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 39246716
Are you binding to a directory service? If so, disjoin and rejoin, reboot, retry.
 
LVL 61

Expert Comment

by:btan
ID: 39246897
I suggest you also take a look at this link on profile installation and try a reboot as well:
http://www.afp548.com/2012/11/20/802-1x-eaptls-machine-auth-mtlion-adcerts/
 
LVL 1

Author Comment

by:ND_2007
ID: 39247757
Yes, the machine is bound to the directory. I have rebooted multiple times in troubleshooting (have you tried turning it off then back on again? - IT Crowd :) ). I will rejoin it to the domain and see if that does the trick.
 
LVL 1

Author Comment

by:ND_2007
ID: 39247761
That link has some good information in it. I will take a look at some of the troubleshooting options and see if those help.

Thanks.
 
LVL 1

Author Comment

by:ND_2007
ID: 39253524
So I tried the rebind approach and did some verbose logging... no luck and no obvious fail... it just . The odd part is I use the certs and process for a wired connection and it works fine. It authenticates almost instantly. Wireless, however, seems to get stuck on authenticating. It looks like the wireless connection just gets stuck in a loop of auth requests and responses, where the wired version authenticates without the loop.

Wireless retransmit loop:
2013/06/17 10:42:08.681733 Receive Packet Size 938
Ether packet: dest CLIENT MAC XX:XX:XX:XX:XX:XX source SERVER MAC XX:XX:XX:XX:XX:XX type 0x888e
EAPOL: proto version 0x2 type EAP Packet (0) length 920
EAP Request (1): Identifier 127 Length 920
EAP-TLS Request: Identifier 127 Length 920 Flags 0x0 Data Length 914
0000  30 12 06 03 55 04 0a 13  0b 45 6e 74 72 75 73 74................

2013/06/17 10:42:08.682167 Retransmit EAP packet 1276 bytes
2013/06/17 10:42:08.682190 Transmit Packet Size 1280
Ether packet: dest SERVER MAC XX:XX:XX:XX:XX:XX source CLIENT MAC XX:XX:XX:XX:XX:XX type 0x888e
EAPOL: proto version 0x1 type EAP Packet (0) length 1276
EAP Response (2): Identifier 127 Length 1276
EAP-TLS Response: Identifier 127 Length 1276 Flags 0xc0 [ length=2883 more ] Data Length 1266
0000  16 03 01 09 6d 0b 00 09  69 00 09 66 00 05 be 30....................

2013/06/17 10:42:38.755050 Receive Packet Size 938
Ether packet: dest CLIENT MAC XX:XX:XX:XX:XX:XX source SERVER MAC XX:XX:XX:XX:XX:XX type 0x888e
EAPOL: proto version 0x2 type EAP Packet (0) length 920
EAP Request (1): Identifier 127 Length 920
EAP-TLS Request: Identifier 127 Length 920 Flags 0x0 Data Length 914
0000  30 12 06 03 55 04 0a 13  0b 45 6e 74 72 75 73 74................

2013/06/17 10:42:38.755393 Retransmit EAP packet 1276 bytes
2013/06/17 10:42:38.755406 Transmit Packet Size 1280
Ether packet: dest SERVER MAC XX:XX:XX:XX:XX:XX source CLIENT MAC XX:XX:XX:XX:XX:XX type 0x888e
EAPOL: proto version 0x1 type EAP Packet (0) length 1276
EAP Response (2): Identifier 127 Length 1276
EAP-TLS Response: Identifier 127 Length 1276 Flags 0xc0 [ length=2883 more ] Data Length 1266
0000  16 03 01 09 6d 0b 00 09  69 00 09 66 00 05 be 30..............

2013/06/17 10:43:08.728288 Receive Packet Size 938
Ether packet: dest CLIENT MAC XX:XX:XX:XX:XX:XX source SERVER MAC XX:XX:XX:XX:XX:XX type 0x888e
EAPOL: proto version 0x2 type EAP Packet (0) length 920
EAP Request (1): Identifier 127 Length 920
EAP-TLS Request: Identifier 127 Length 920 Flags 0x0 Data Length 914
0000  30 12 06 03 55 04 0a 13  0b 45 6e 74 72 75 73 74..............
2013/06/17 10:43:08.728635 Retransmit EAP packet 1276 bytes
2013/06/17 10:43:08.728650 Transmit Packet Size 1280
Ether packet: dest SERVER MAC XX:XX:XX:XX:XX:XX source CLIENT MAC XX:XX:XX:XX:XX:XX type 0x888e
EAPOL: proto version 0x1 type EAP Packet (0) length 1276
EAP Response (2): Identifier 127 Length 1276
EAP-TLS Response: Identifier 127 Length 1276 Flags 0xc0 [ length=2883 more ] Data Length 1266
0000  16 03 01 09 6d 0b 00 09  69 00 09 66 00 05 be 30.......
Then it eventually times out, but on the wired side, using the same certs, it moves on to exchange some certs and authenticates after the first request.
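As an added illustration (not code from the post or from any of the participants), a small Python parser for the EAP-TLS summary lines in the eapolclient log above: it decodes the RFC 5216 flag bits (0xc0 = L + M, i.e. the first fragment of a fragmented message carrying the 2883-byte total TLS length) and detects the pattern where the server keeps re-sending the same Request identifier while the client keeps re-sending the same first fragment, which means the server is never seeing an acceptable Response and points at the path between the client and the RADIUS server rather than at the certificate itself. The SAMPLE_LOG excerpt is constructed from the lines quoted in the post, with the Ether/EAPOL/timestamp lines omitted.

```python
import re
from collections import defaultdict, namedtuple

# Constructed excerpt: the EAP-TLS lines from the eapolclient log quoted in the post,
# with the Ether/EAPOL/timestamp lines omitted (identifier, lengths and flags as quoted).
SAMPLE_LOG = """\
EAP-TLS Request: Identifier 127 Length 920 Flags 0x0 Data Length 914
EAP-TLS Response: Identifier 127 Length 1276 Flags 0xc0 [ length=2883 more ] Data Length 1266
EAP-TLS Request: Identifier 127 Length 920 Flags 0x0 Data Length 914
EAP-TLS Response: Identifier 127 Length 1276 Flags 0xc0 [ length=2883 more ] Data Length 1266
EAP-TLS Request: Identifier 127 Length 920 Flags 0x0 Data Length 914
EAP-TLS Response: Identifier 127 Length 1276 Flags 0xc0 [ length=2883 more ] Data Length 1266
"""

EAPTLS_RE = re.compile(
    r"EAP-TLS (Request|Response): Identifier (\d+) Length (\d+) Flags 0x([0-9a-fA-F]+)"
    r"(?: \[ length=(\d+) more \])? Data Length (\d+)")

# total_tls_len is only present when the L flag is set (first fragment of a fragmented message)
EapTlsPdu = namedtuple("EapTlsPdu", "direction identifier length flags total_tls_len data_len")
# RFC 5216 section 3.1 flag bits: L = TLS length included, M = more fragments, S = EAP-TLS start
FLAG_BITS = ((0x80, "L"), (0x40, "M"), (0x20, "S"))

def flag_names(flags):
    return [name for bit, name in FLAG_BITS if flags & bit]

def parse_log(text):
    """Extract every EAP-TLS Request/Response summary line into an EapTlsPdu."""
    pdus = []
    for m in EAPTLS_RE.finditer(text):
        direction, ident, length, flags, total, data = m.groups()
        pdus.append(EapTlsPdu(direction, int(ident), int(length), int(flags, 16),
                              int(total) if total else None, int(data)))
    return pdus

def find_stuck_exchange(pdus, min_repeats=3):
    """Return (identifier, response_count, total_tls_len) when the server re-sends the same
    Request min_repeats+ times and the client keeps answering with a first fragment (M set); else None."""
    seen = defaultdict(lambda: {"Request": 0, "Response": 0, "more": False, "total": None})
    for p in pdus:
        entry = seen[p.identifier]
        entry[p.direction] += 1
        if p.direction == "Response":
            entry["more"] = entry["more"] or "M" in flag_names(p.flags)
            entry["total"] = p.total_tls_len if p.total_tls_len else entry["total"]
    for ident, entry in seen.items():
        if entry["Request"] >= min_repeats and entry["Response"] >= min_repeats and entry["more"]:
            return ident, entry["Response"], entry["total"]
    return None
```

Run against the excerpt, it reports identifier 127 repeated three times with a 2883-byte client message that never advances past its first fragment; a healthy exchange would show the identifier incrementing with each fragment acknowledged.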
 
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 39253918
I don't have real experience with this specific issue, but I'll offer a guess: the wireless NIC is a different MAC... so has it not requested a machine cert for that NIC?
 
LVL 61

Expert Comment

by:btan
ID: 39254997
I am assuming the AP is set to the same RADIUS as the wired side then.. Strange that there are no error messages in the log; if there were, then maybe we could drill in... The looping checks are not conclusive either, especially subject to the wireless connectivity..

Below is an 802.1X paper on OS X - see sections such as:

- Apple product compatibility with 802.1X (various modes are mentioned, and it may be worth trying only System mode instead of User mode for wired and wireless first)

- (Appendix A) there is a Network Payload setting to be configured for wireless and wired as well, in terms of the network payload needed, e.g. interface, security setting, cert, identity (probably good to check the wired and wireless ones against each other for any differences? Should be only the interface card that differs...).

- there is also a "profiles -L" command line for the current user

- you may also want to try PEAP (instead of TLS) for wired and wireless, just to isolate any cert-based issue..

http://training.apple.com/pdf/WP_8021X_Authentication.pdf
 
LVL 1

Author Comment

by:ND_2007
ID: 39259223
Thanks. PEAP is what I already have in place and it is being replaced with TLS. It worked fine. I'll take a look at the doc you linked to and see if it holds any clues. I ran into a similar issue in trying to auth a PC via TLS where there was no log etc., but it turned out that Jumbo Frames was switched on in the switch the AP is connected to and the frame was 1514 in size, so it was not getting to where it needed to go properly. That was fixed.

The network payload is the same except for a few more settings you can apply on the wireless side, like SSID. In troubleshooting I have actually stopped pushing the wireless payload and only push the wired one, which works fine on all but one laptop (the machine being discussed here).

I am actually seriously considering backing up the machine then installing a clean OS to see if that is the problem.
 
LVL 61

Expert Comment

by:btan
ID: 39259272
I do agree, and when certificates and profiles come into play, I would rather "re-do", which can be shorter than troubleshooting. The previous link (not the PDF) did mention multiple factors in the cert parameters, like subject name etc., which are stated in the PDF as well. If all these check out, then I seriously do see value in doing a new machine. Furthermore, if other users and their machines or staging using TLS have proven successful before, then it has to do with config.... not straightforward though.
 
LVL 1

Author Comment

by:ND_2007
ID: 39260471
Well, no change on a complete wipe and fresh install of Mountain Lion 10.8.4. So this to me says it may not be on the client side, or it may be hardware-related to the Wi-Fi adapter used in the MBP 15" Retina machines.

I have a few more things to check server side and locally but... it does not look promising. The only thing I am seeing on the client side is an error:

mDNSResponder[980]: queryrecord_result_callback: ERROR!! answering multicast question with unicast cache record

Now this could point to an issue in the DNS info but... other machines work fine and show the same error so I think it may be unrelated.
 
LVL 1

Author Comment

by:ND_2007
ID: 39260888
Well, for anyone who is following along, I seem to have found the cause of the issue. BLUETOOTH. I came across a post for a MacBook Air. If I disable Bluetooth and then try to connect with EAP-TLS, it connects fine. I can then turn Bluetooth back on and everything is fine. If I leave Bluetooth on and try EAP-TLS: FAIL...

I have started a case with Apple on the issue and will update here their solution.

Keith
 
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 39260913
Wow, nice find. Butterfly flaps its wings...
 
LVL 1

Accepted Solution

by:ND_2007 (earned 0 total points)
ID: 39279263
I am now able to machine auth over wifi with the Macbook Pro 15" Retina regardless of Bluetooth being on or off.

The change that seemed to make the difference was using port 1645 instead of 1812 in the RADIUS config of the APs. The server was defaulted to accept either the older 1645 port standard or the newer 1812 standard. Reminder: all other machines besides the MacBook Pro 15" Retina (including other non-Retina MacBook Pros) did not have a problem using port 1812, which was used in the test wireless network I set up.

One other item was different, but I tested it out to make sure it did not actually cause the successful connection: a recommendation by Apple to set the network up on an N-capable AP. I did this and it did not change the failure.

On a side note, the MacBook Pro in question was able the whole time to auth using PEAP on the original network with port 1645 in use. I actually just modified the original network to accept EAP-TLS and PEAP... BAM, it worked.

I will test out changing the test network to 1645 just to see for certain that it made the difference, but from what I know right now it is the factor that made the difference.

Good luck everyone!
 
LVL 1

Author Closing Comment

by:ND_2007
ID: 39289425
I was able to find the solution through trial and error without contributing comments adding to the correct solution. The comments were helpful in relation to gaining more knowledge on the 802.1x subject overall but not this solution.
