OS X clients can't connect to 802.1x network

Hello all,

We are trying to get 802.1x rolled out to our Mac labs in order to dynamically assign vlans, but we are running into problems during authentication. The OS X client (running version 10.9.4) fails due to the identity of the authentication server not being established. When I look at the logs on the RADIUS (NPS running on Server 2008 R2 Enterprise) side, I see "Unexpected error. Possible error in server or client configuration". We are using PEAP-MSCHAPv2 for authentication, so I'm assuming that the problem is with the NPS server certificate, but I'm not exactly sure.

The network settings for OS X are configured via the Profile Manager:

Certificates Payload:
The NPS Server cert issued by our Root CA.

Network Payload:
Network Interface: Ethernet
Use as a Login Window configuration: Enabled
Accepted EAP Types: PEAP and TTLS.
Inner Authentication Protocol: MSCHAPv2
Use Directory Authentication: Enabled
Trusted Certificates: the NPS server cert that was specified in the Certificates payload.
Trusted Server Certificate Names: the FQDN of our NPS server.

On the server side, here's our Connection Request Policy:

[screenshot: Connection Request Policy]

And here's our Network Policy:

[screenshot: Network Policy]
All of our Windows clients authenticate and get assigned a Vlan without problems, so I'm not sure why Macs aren't doing the same. I've tried to add our Trusted Root CA cert to the Mac's System Keychain, but that didn't make a difference. Any help/suggestions to get us up and running would be greatly appreciated.

Thank you.
Asked by Robert Davis

Can you connect if you don't push out a profile to the Mac clients?
You'd have to enter credentials and then possibly accept a certificate, but if that works then you know the problem is only with the profile.
Craig Beck commented:
I know you said Windows clients are working, but you don't need to do anything with Connection Request policies unless you're using more than one NPS server.  You need to be specifying the EAP-type in the Network Access Policy.  The CAR specifies whether an access request should be processed on this server (or group) or if not, where to send it.  The NAP controls how users attempt to connect, what to do with each type of request, and what to tell the NAS or NAD in response.

What's more relevant is the amount of settings and constraints you have in the Network Access Policy which are either incorrect or just not required.

1] You don't need BAP settings.  This won't take effect for a wired device or user on an Ethernet LAN ever.
2] The authentication protocols should be set to the strongest available.  Unencrypted, PAP and CHAP aren't EAP-type authentication methods so I don't even see how this is doing 802.1x at all.

Anyhow, OSX needs to trust the certificate which is presented by the NPS server in order to establish a secure session with the client.  In Windows you can choose to not validate the server certificate, but in OSX you have to trust it.  Use Profile Manager to push a profile which includes a client certificate or a copy of the CA's root certificate.
Robert Davis (author) commented:

I thought the only way to connect to an 802.1x network in Mavericks was through a profile - am I wrong?


I was under the impression that connection request policies were required when doing 802.1x enforcement (per Microsoft), and that's where I specified the EAP type (PEAP-MSCHAPv2), as well as the certificate that is presented (the NPS server cert issued by our CA), hence why it was left out of the network policy. BAP was there by default, and I never bothered removing it, since it makes no difference. If I get rid of all the connection request policies, then vlan assignment stops working altogether, and I get the "Did not match connection request policy" error in the logs. The NPS server cert is specified in the profile, and I can see that cert in the Mac's keychain access, so it's on the client.

I've got our wireless network using 802.1x (PEAP w/ MSCHAPv2) for authentication (WPA2-Enterprise).  All of our Mavericks clients connect without using a profile.  At one time I had tried getting a profile set up for them but kept running into trouble with some portion dealing with certificates.  It wasn't a priority and didn't have much time, so I dropped it.  Users have to enter their credentials and accept the certificate, but have no trouble connecting.

For what it's worth, all our authentication settings are set in our Network Policy.  The only condition in our Connection Request Policy is the IP of the wireless controller (NAS IPv4 Address).
Craig Beck commented:
You do NOT set conditions in the Connection Request Policy unless you want to send some access requests to different RADIUS servers.  If you have only one NPS server the default rule is already configured correctly.
Robert Davis (author) commented:

The Macs can connect to our wireless network without problems. In this case, I'm trying to get them to connect to our wired network, which requires a profile - sorry if I didn't make that clear.

Actually I was thinking that if they could connect wirelessly without a problem, then they should be able to do the same for ethernet (it never occurred to me that the behavior would be different depending on the interface).  But if that assumption is wrong I apologize.
Craig Beck commented:
Sometimes it is done differently.  For example, if a computer certificate is available it is easier to use EAP-TLS to authenticate a computer itself, regardless of user, while if no computer certificate is available and you want users to just walk-in with their own device it is far easier to use PEAP-MSChapV2 instead.

A lot of places I go to use 802.1x wired with EAP-TLS but let their wireless clients with their own devices use PEAP instead.
Robert Davis (author) commented:
The issue persists even after cleaning up the connection request policies and disabling all of the authentication methods except for PEAP in the network policies. The error messages are the same: "The identity of the server couldn't be established" on the client, and "Unexpected error. Possible error in server or client configuration" on the server.

Robert Davis (author) commented:
I figured out the problem. All I had to do was remove the trusted server certificate name, and the Mac connected to our network.

Robert Davis (author) commented:
I found this solution on another site. I assumed that you need to have the Trusted Server Certificate Name filled out in OS X, since that's the way we configured our Windows 7 clients, but turns out that's not the case.
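A pre-deployment check for the setting that caused the trouble, added here as an illustration and not part of the thread or of any Apple or Microsoft tool: it parses a constructed .mobileconfig (modelled on the Network payload described in the question) and reports whether each entry in `TLSTrustedServerNames` would accept the common name of the NPS server certificate the profile anchors. An entry that does not match the certificate's CN is one cause of the "identity of the server couldn't be established" failure, while an empty list means the supplicant relies on the anchored certificate alone. The payload type, identifiers and host names are sample values, and wildcard matching with `fnmatch` is an assumption about how the supplicant evaluates `*`.

```python
import fnmatch
import plistlib


def build_sample_profile(trusted_names):
    """Constructed .mobileconfig with one wired 802.1x payload mirroring the
    settings in the question (PEAP/TTLS, MSCHAPv2 inner auth, anchored cert).
    Sample identifiers and UUID; not a real deployed profile."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "example.lab.8021x",
        "PayloadContent": [{
            "PayloadType": "com.apple.firstactiveethernet.managed",  # assumed Ethernet payload type
            "PayloadIdentifier": "example.lab.8021x.ethernet",
            "AutoJoin": True,
            "EAPClientConfiguration": {
                "AcceptEAPTypes": [25, 21],  # 25 = PEAP, 21 = TTLS
                "TTLSInnerAuthentication": "MSCHAPv2",
                "PayloadCertificateAnchorUUID": ["00000000-0000-0000-0000-000000000001"],
                "TLSTrustedServerNames": list(trusted_names),
            },
        }],
    })


def trusted_name_matches(trusted_names, cert_common_name):
    """Return the TLSTrustedServerNames entries that accept a server certificate
    with the given CN. Case-insensitive; '*' wildcards allowed (fnmatch semantics
    are an assumption about the supplicant's matching rules)."""
    cn = cert_common_name.lower()
    return [n for n in trusted_names if fnmatch.fnmatchcase(cn, n.lower())]


def check_profile(profile_bytes, cert_common_name):
    """Parse a profile and report, per EAP payload, whether the NPS cert CN
    passes the name check. Returns a list of (payload identifier, status)."""
    profile = plistlib.loads(profile_bytes)
    results = []
    for payload in profile.get("PayloadContent", []):
        eap = payload.get("EAPClientConfiguration")
        if eap is None:
            continue  # not an 802.1x payload
        names = eap.get("TLSTrustedServerNames", [])
        if not names:
            status = "no name pinning (trust rests on the anchored certificate only)"
        elif trusted_name_matches(names, cert_common_name):
            status = "ok"
        else:
            status = f"MISMATCH: cert CN {cert_common_name!r} matches none of {names}"
        results.append((payload.get("PayloadIdentifier", "?"), status))
    return results
```

Run `check_profile(build_sample_profile(["nps.example.internal"]), "nps01.example.internal")` to see the mismatch report; the same call with the CN the NPS certificate actually carries returns "ok".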