Solved

OS X clients can't connect to 802.1x network

Posted on 2014-10-08
2,669 Views
Last Modified: 2014-10-22
Hello all,

We are trying to get 802.1x rolled out to our Mac labs in order to dynamically assign vlans, but we are running into problems during authentication. The OS X client (running version 10.9.4) fails due to the identity of the authentication server not being established. When I look at the logs on the RADIUS (NPS running on Server 2008 R2 Enterprise) side, I see "Unexpected error. Possible error in server or client configuration". We are using PEAP-MSCHAPv2 for authentication, so I'm assuming that the problem is with the NPS server certificate, but I'm not exactly sure.

The network settings for OS X are configured via the Profile Manager:

Certificates Payload:
The NPS Server cert issued by our Root CA.

Network Payload:
Network Interface: Ethernet
Use as a Login Window configuration: Enabled
Accepted EAP Types: PEAP and TTLS.
Inner Authentication Protocol: MSCHAPv2
Use Directory Authentication: Enabled
Trusted Certificates: the NPS server cert that was specified in the Certificates payload.
Trusted Server Certificate Names: the FQDN of our NPS server.

On the server side, here's our Connection Request Policy:

Connection Request Policy
And here's our Network Policy:

Network Policy
All of our Windows clients authenticate and get assigned a Vlan without problems, so I'm not sure why Macs aren't doing the same. I've tried to add our Trusted Root CA cert to the Mac's System Keychain, but that didn't make a difference. Any help/suggestions to get us up and running would be greatly appreciated.

Thank you.
0
Question by:Robert Davis
11 Comments
 
LVL 39

Expert Comment

by:footech
ID: 40370466
Can you connect if you don't push out a profile to the Mac clients?
You'd have to enter credentials and then possibly accept a certificate, but if that works then you know the problem is only with the profile.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 40371288
I know you said Windows clients are working, but you don't need to do anything with Connection Request policies unless you're using more than one NPS server.  You need to be specifying the EAP-type in the Network Access Policy.  The CRP specifies whether an access request should be processed on this server (or group) or if not, where to send it.  The NAP controls how users attempt to connect, what to do with each type of request, and what to tell the NAS or NAD in response.

What's more relevant is the amount of settings and constraints you have in the Network Access Policy which are either incorrect or just not required.

1] You don't need BAP settings.  This won't take effect for a wired device or user on an Ethernet LAN ever.
2] The authentication protocols should be set to the strongest available.  Unencrypted, PAP and CHAP aren't EAP-type authentication methods so I don't even see how this is doing 802.1x at all.

Anyhow, OSX needs to trust the certificate which is presented by the NPS server in order to establish a secure session with the client.  In Windows you can choose to not validate the server certificate, but in OSX you have to trust it.  Use Profile Manager to push a profile which includes a client certificate or a copy of the CA's root certificate.
0
 
LVL 1

Author Comment

by:Robert Davis
ID: 40381170
Footech,

I thought the only way to connect to an 802.1x network in Mavericks was through a profile - am I wrong?

Craigbeck,

I was under the impression that connection request policies were required when doing 802.1x enforcement (per Microsoft), and that's where I specified the EAP type (PEAP-MSCHAPv2), as well as the certificate that is presented (the NPS server cert issued by our CA), which is why it was left out of the network policy. BAP was there by default, and I never bothered removing it, since it makes no difference. If I get rid of all the connection request policies, then vlan assignment stops working altogether, and I get the "Did not match connection request policy" error in the logs. The NPS server cert is specified in the profile, and I can see that cert in the Mac's keychain access, so it's on the client.

Thanks.
0

 
LVL 39

Expert Comment

by:footech
ID: 40381218
I've got our wireless network using 802.1x (PEAP w/ MSCHAPv2) for authentication (WPA2-Enterprise).  All of our Mavericks clients connect without using a profile.  At one time I had tried getting a profile set up for them but kept running into trouble with some portion dealing with certificates.  It wasn't a priority and didn't have much time, so I dropped it.  Users have to enter their credentials and accept the certificate, but have no trouble connecting.

For what it's worth, all our authentication settings are set in our Network Policy.  The only condition in our Connection Request Policy is the IP of the wireless controller (NAS IPv4 Address).
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 40381489
You do NOT set conditions in the Connection Request Policy unless you want to send some access requests to different RADIUS servers.  If you have only one NPS server the default rule is already configured correctly.
0
 
LVL 1

Author Comment

by:Robert Davis
ID: 40382491
Footech,

The Macs can connect to our wireless network without problems. In this case, I'm trying to get them to connect to our wired network, which requires a profile - sorry if I didn't make that clear.

Thanks.
0
 
LVL 39

Expert Comment

by:footech
ID: 40382601
Actually I was thinking that if they could connect wirelessly without a problem, then they should be able to do the same for ethernet (it never occurred to me that the behavior would be different depending on the interface).  But if that assumption is wrong I apologize.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 40382653
Sometimes it is done differently.  For example, if a computer certificate is available it is easier to use EAP-TLS to authenticate a computer itself, regardless of user, while if no computer certificate is available and you want users to just walk in with their own device it is far easier to use PEAP-MSChapV2 instead.

A lot of places I go to use 802.1x wired with EAP-TLS but let their wireless clients with their own devices use PEAP instead.
0
 
LVL 1

Author Comment

by:Robert Davis
ID: 40383146
The issue persists even after cleaning up the connection request policies and disabling all of the authentication methods except for PEAP in the network policies. The error messages are the same: "The identity of the server couldn't be established" on the client, and "Unexpected error. Possible error in server or client configuration" on the server.

Thanks.
0
 
LVL 1

Accepted Solution

by:
Robert Davis earned 0 total points
ID: 40387167
I figured out the problem. All I had to do was remove the trusted server certificate name, and the Mac connected to our network.

Thanks.
0
 
LVL 1

Author Closing Comment

by:Robert Davis
ID: 40396435
I found this solution on another site. I assumed that you need to have the Trusted Server Certificate Name filled out in OS X, since that's the way we configured our Windows 7 clients, but it turns out that's not the case.
0
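The thread ends with the Trusted Server Certificate Names field being removed from the profile, which makes the client accept any server certificate that chains to the pinned anchor. A way to keep that field and still avoid the "identity of the server couldn't be established" failure is to check, before pushing the profile, that every configured name really appears in the NPS certificate. The script below is an added example written for this page, not code from the thread or from Apple or Microsoft. It builds a constructed `.mobileconfig` with the same payloads the question describes (the Apple profile keys `EAPClientConfiguration`, `PayloadCertificateAnchorUUID`, `TLSTrustedServerNames`, `AcceptEAPTypes` and `TTLSInnerAuthentication` are documented keys; the Ethernet payload type name, the identifiers and the certificate bytes are placeholders) and then runs the checks a practitioner would want: each anchor UUID points at a certificate payload in the same profile, and each trusted server name matches a name taken from the server certificate's subject CN or DNS SANs, which the admin reads out of band (for example with `openssl x509 -in nps.cer -noout -subject -ext subjectAltName`). The wildcard handling is an approximation of Apple's matching rule, stated as such in the code.

```python
"""Pre-deployment check of the EAP settings in an 802.1X .mobileconfig.

Added example, not from the thread. The profile is parsed the way macOS
reads it (it is a plist); the server certificate names are supplied by
the admin rather than parsed from DER, so the script runs offline.
"""
import plistlib
import uuid

# Payload types that carry certificates (assumed to be the ones Profile
# Manager emits for the "Certificates" payload).
CERT_PAYLOAD_TYPES = {
    "com.apple.security.root",   # CA certificate
    "com.apple.security.pkcs1",  # leaf certificate (DER)
}
EAP_PEAP, EAP_TTLS = 25, 21  # IANA EAP method type numbers


def build_profile(trusted_names, anchor_uuid=None, cert_uuid=None):
    """Return a constructed profile as plist bytes (identifiers and
    certificate content are placeholders; payload type for Ethernet is
    assumed)."""
    cert_uuid = cert_uuid or str(uuid.uuid4())
    anchor_uuid = anchor_uuid or cert_uuid
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.maclab.8021x",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "PayloadContent": [
            {   # Certificates payload: the CA that issued the NPS certificate
                "PayloadType": "com.apple.security.root",
                "PayloadIdentifier": "com.example.maclab.rootca",
                "PayloadUUID": cert_uuid,
                "PayloadVersion": 1,
                "PayloadContent": b"<DER bytes of the issuing CA certificate>",
            },
            {   # Network payload for wired 802.1X
                "PayloadType": "com.apple.firstactiveethernet.managed",
                "PayloadIdentifier": "com.example.maclab.ethernet",
                "PayloadUUID": str(uuid.uuid4()),
                "PayloadVersion": 1,
                "Interface": "FirstActiveEthernet",
                "SetupModes": ["System", "Loginwindow"],  # login window configuration
                "EAPClientConfiguration": {
                    "AcceptEAPTypes": [EAP_PEAP, EAP_TTLS],
                    "TTLSInnerAuthentication": "MSCHAPv2",
                    "SystemModeCredentialsSource": "ActiveDirectory",  # directory auth
                    "PayloadCertificateAnchorUUID": [anchor_uuid],
                    "TLSTrustedServerNames": list(trusted_names),
                },
            },
        ],
    }
    return plistlib.dumps(profile)


def name_matches(pattern, cert_name):
    """Case-insensitive comparison; a leading '*.' is treated as a suffix
    wildcard (an approximation of Apple's matching rule)."""
    pattern, cert_name = pattern.lower(), cert_name.lower()
    if pattern.startswith("*."):
        return cert_name.endswith(pattern[1:])
    return pattern == cert_name


def check_profile(profile_bytes, server_cert_names):
    """Return a list of (level, message) findings for every network payload."""
    profile = plistlib.loads(profile_bytes)
    payloads = profile.get("PayloadContent", [])
    cert_uuids = {p["PayloadUUID"] for p in payloads
                  if p.get("PayloadType") in CERT_PAYLOAD_TYPES}
    findings = []
    for p in payloads:
        eap = p.get("EAPClientConfiguration")
        if eap is None:
            continue
        ident = p.get("PayloadIdentifier", "?")
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors:
            findings.append(("warning", f"{ident}: no trust anchor pinned; "
                             "server trust depends on the system keychain"))
        for a in anchors:
            if a not in cert_uuids:
                findings.append(("error", f"{ident}: anchor {a} has no "
                                 "certificate payload in this profile"))
        names = eap.get("TLSTrustedServerNames", [])
        if not names:
            findings.append(("warning", f"{ident}: no TLSTrustedServerNames; any "
                             "server certificate chaining to the anchor is accepted"))
        for n in names:
            if not any(name_matches(n, c) for c in server_cert_names):
                findings.append(("error", f"{ident}: trusted server name {n!r} "
                                 f"matches none of {server_cert_names}"))
        if EAP_TTLS in eap.get("AcceptEAPTypes", []) and "TTLSInnerAuthentication" not in eap:
            findings.append(("warning", f"{ident}: TTLS accepted without an inner method"))
    return findings


if __name__ == "__main__":
    cert_names = ["nps.example.com"]  # constructed: CN/SAN read from the NPS cert
    for names in (["nps.example.com"], ["NPS"], []):
        print(names, "->", check_profile(build_profile(names), cert_names))
```

Run against the real exported profile by replacing `build_profile(...)` with `open("lab.mobileconfig", "rb").read()` and the constructed `cert_names` with the names printed by `openssl`; a short hostname or a mistyped FQDN shows up as an `error` before any Mac sees the profile, and an empty list shows up as the `warning` that the accepted fix trades the server-name check for a broader trust scope.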
