We are trying to get 802.1X rolled out to our Mac labs in order to dynamically assign VLANs, but we are running into problems during authentication. The OS X client (running version 10.9.4) fails due to the identity of the authentication server not being established. When I look at the logs on the RADIUS (NPS running on Server 2008 R2 Enterprise) side, I see "Unexpected error. Possible error in server or client configuration". We are using PEAP-MSCHAPv2 for authentication, so I'm assuming that the problem is with the NPS server certificate, but I'm not exactly sure.
The network settings for OS X are configured via the Profile Manager:
The NPS Server cert issued by our Root CA.
Network Interface: Ethernet
Use as a Login Window configuration: Enabled
Accepted EAP Types: PEAP and TTLS.
Inner Authentication Protocol: MSCHAPv2
Use Directory Authentication: Enabled
Trusted Certificates: the NPS server cert that was specified in the Certificates payload.
Trusted Server Certificate Names: the FQDN of our NPS server.
On the server side, here's our Connection Request Policy:
And here's our Network Policy:
All of our Windows clients authenticate and get assigned a VLAN without problems, so I'm not sure why Macs aren't doing the same. I've tried to add our Trusted Root CA cert to the Mac's System Keychain, but that didn't make a difference. Any help/suggestions to get us up and running would be greatly appreciated.
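As an added example (not part of the original post, and not Apple's or Microsoft's code), here is the kind of 802.1X Ethernet profile the Profile Manager settings above describe, built as a .mobileconfig with Python's `plistlib`, together with a check of the settings that decide whether the client can establish the RADIUS server's identity: the `PayloadCertificateAnchorUUID` must point at a certificate payload inside the same profile (here the issuing Root CA), `TLSTrustedServerNames` must be non-empty, and trust exceptions must be off. The payload keys follow Apple's Configuration Profile Reference as I know it (`EAPClientConfiguration`, `SetupModes`, `SystemModeCredentialsSource`, the `com.apple.firstactive.managed` Ethernet payload type); the hostnames, identifiers and certificate bytes are constructed placeholders, and `server_name_trusted` is my approximation of Apple's wildcard matching, not Apple's implementation.

```python
"""Build and sanity-check a macOS 802.1X Ethernet profile for PEAP-MSCHAPv2 (added example)."""
import plistlib
import uuid
from fnmatch import fnmatchcase

PEAP, TTLS = 25, 21  # IANA EAP method type codes, as used by AcceptEAPTypes

# Constructed sample input: stands in for the DER bytes of the lab's Root CA certificate.
SAMPLE_ROOT_CA_DER = b"\x30\x82\x00\x00CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERT"


def build_profile(trusted_server_names, root_ca_der, org="example.org"):
    """Return a Configuration profile dict: one Root CA payload plus one Ethernet 802.1X payload.

    Trust is anchored at the CA that issued the RADIUS server cert and the server name is
    pinned via TLSTrustedServerNames, which is what the PEAP outer TLS handshake needs in
    order to establish the authentication server's identity.
    """
    ca_uuid = str(uuid.uuid4()).upper()
    ca_payload = {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.dot1x.rootca",
        "PayloadUUID": ca_uuid,
        "PayloadDisplayName": "Lab Root CA",
        "PayloadContent": root_ca_der,  # bytes are serialised as <data> by plistlib
    }
    ethernet_payload = {
        "PayloadType": "com.apple.firstactive.managed",  # first active Ethernet interface (assumed key)
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.dot1x.ethernet",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Lab Ethernet 802.1X",
        "AutoJoin": True,
        # System + Loginwindow: authenticate the machine before a user logs in.
        "SetupModes": ["System", "Loginwindow"],
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [PEAP, TTLS],
            "TTLSInnerAuthentication": "MSCHAPv2",
            "SystemModeCredentialsSource": "ActiveDirectory",  # "Use Directory Authentication"
            "PayloadCertificateAnchorUUID": [ca_uuid],
            "TLSTrustedServerNames": list(trusted_server_names),
            "TLSAllowTrustExceptions": False,  # no click-through on an untrusted server cert
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.dot1x",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Lab 802.1X (Ethernet)",
        "PayloadScope": "System",
        "PayloadContent": [ca_payload, ethernet_payload],
    }


def to_mobileconfig(profile):
    """Serialise to the XML plist bytes that make up a .mobileconfig file."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def from_mobileconfig(blob):
    """Parse .mobileconfig bytes back into a dict (round-trip check)."""
    return plistlib.loads(blob)


def check_profile(profile):
    """Return a list of problems that would leave the RADIUS server's identity unverified."""
    problems = []
    payloads = profile.get("PayloadContent", [])
    cert_uuids = {p["PayloadUUID"] for p in payloads
                  if p.get("PayloadType", "").startswith("com.apple.security.")}
    for p in payloads:
        eap = p.get("EAPClientConfiguration")
        if eap is None:
            continue
        if PEAP not in eap.get("AcceptEAPTypes", []):
            problems.append("PEAP (25) not in AcceptEAPTypes")
        if eap.get("TTLSInnerAuthentication") != "MSCHAPv2":
            problems.append("inner authentication is not MSCHAPv2")
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors:
            problems.append("no PayloadCertificateAnchorUUID: server cert trust is not pinned")
        for anchor in anchors:
            if anchor not in cert_uuids:
                problems.append(f"anchor {anchor} has no certificate payload in this profile")
        if not eap.get("TLSTrustedServerNames"):
            problems.append("TLSTrustedServerNames is empty: any cert chaining to the anchor is accepted")
        if eap.get("TLSAllowTrustExceptions", False):
            problems.append("TLSAllowTrustExceptions is true")
    return problems


def server_name_trusted(presented_name, trusted_server_names):
    """Approximation of TLSTrustedServerNames matching: exact or '*' wildcard, case-insensitive."""
    name = presented_name.lower()
    return any(fnmatchcase(name, pattern.lower()) for pattern in trusted_server_names)
```

Write `to_mobileconfig(build_profile(["nps.lab.example.org"], der_bytes))` to a file and install it with `sudo profiles -I -F lab-dot1x.mobileconfig` on the test Mac; the name passed to `TLSTrustedServerNames` has to match the subject or subject alternative name the NPS certificate actually presents, which is what `server_name_trusted` lets you check offline.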