Solved

OS X clients can't connect to 802.1x network

Posted on 2014-10-08
Last Modified: 2014-10-22
Hello all,

We are trying to get 802.1x rolled out to our Mac labs in order to dynamically assign vlans, but we are running into problems during authentication. The OS X client (running version 10.9.4) fails due to the identity of the authentication server not being established. When I look at the logs on the RADIUS (NPS running on Server 2008 R2 Enterprise) side, I see "Unexpected error. Possible error in server or client configuration". We are using PEAP-MSCHAPv2 for authentication, so I'm assuming that the problem is with the NPS server certificate, but I'm not exactly sure.

The network settings for OS X are configured via the Profile Manager:

Certificates Payload:
The NPS Server cert issued by our Root CA.

Network Payload:
Network Interface: Ethernet
Use as a Login Window configuration: Enabled
Accepted EAP Types: PEAP and TTLS.
Inner Authentication Protocol: MSCHAPv2
Use Directory Authentication: Enabled
Trusted Certificates: the NPS server cert that was specified in the Certificates payload.
Trusted Server Certificate Names: the FQDN of our NPS server.

On the server side, here's our Connection Request Policy:

[Screenshot: Connection Request Policy]
And here's our Network Policy:

[Screenshot: Network Policy]
All of our Windows clients authenticate and get assigned a Vlan without problems, so I'm not sure why Macs aren't doing the same. I've tried to add our Trusted Root CA cert to the Mac's System Keychain, but that didn't make a difference. Any help/suggestions to get us up and running would be greatly appreciated.

Thank you.
Question by: Robert Davis
11 Comments
 
LVL 39

Expert Comment

by:footech
ID: 40370466
Can you connect if you don't push out a profile to the Mac clients?
You'd have to enter credentials and then possibly accept a certificate, but if that works then you know the problem is only with the profile.
 
LVL 45

Expert Comment

by:Craig Beck
ID: 40371288
I know you said Windows clients are working, but you don't need to do anything with Connection Request policies unless you're using more than one NPS server.  You need to be specifying the EAP-type in the Network Access Policy.  The CAR specifies whether an access request should be processed on this server (or group) or if not, where to send it.  The NAP controls how users attempt to connect, what to do with each type of request, and what to tell the NAS or NAD in response.

What's more relevant is the amount of settings and constraints you have in the Network Access Policy which are either incorrect or just not required.

1] You don't need BAP settings.  This won't take effect for a wired device or user on an Ethernet LAN ever.
2] The authentication protocols should be set to the strongest available.  Unencrypted, PAP and CHAP aren't EAP-type authentication methods so I don't even see how this is doing 802.1x at all.

Anyhow, OSX needs to trust the certificate which is presented by the NPS server in order to establish a secure session with the client.  In Windows you can choose to not validate the server certificate, but in OSX you have to trust it.  Use Profile Manager to push a profile which includes a client certificate or a copy of the CA's root certificate.
 
LVL 1

Author Comment

by:Robert Davis
ID: 40381170
Footech,

I thought the only way to connect to a 802.1x network in Mavericks was through a profile - am I wrong?

Craigbeck,

I was under the impression that connection request policies were required when doing 802.1x enforcement (per Microsoft), and that's where I specified the EAP type (PEAP-MSCHAPv2), as well as the certificate that is presented (the NPS server cert issued by our CA), hence why it was left out of the network policy. BAP was there by default, and I never bothered removing it, since it makes no difference. If I get rid of all the connection request policies, then vlan assignment stops working altogether, and I get the "Did not match connection request policy" error in the logs. The NPS server cert is specified in the profile, and I can see that cert in the Mac's keychain access, so it's on the client.

Thanks.
 
LVL 39

Expert Comment

by:footech
ID: 40381218
I've got our wireless network using 802.1x (PEAP w/ MSCHAPv2) for authentication (WPA2-Enterprise).  All of our Mavericks clients connect without using a profile.  At one time I had tried getting a profile set up for them but kept running into trouble with some portion dealing with certificates.  It wasn't a priority and didn't have much time, so I dropped it.  Users have to enter their credentials and accept the certificate, but have no trouble connecting.

For what it's worth, all our authentication settings are set in our Network Policy.  The only condition in our Connection Request Policy is the IP of the wireless controller (NAS IPv4 Address).
 
LVL 45

Expert Comment

by:Craig Beck
ID: 40381489
You do NOT set conditions in the Connection Request Policy unless you want to send some access requests to different RADIUS servers.  If you have only one NPS server the default rule is already configured correctly.
LVL 1

Author Comment

by:Robert Davis
ID: 40382491
Footech,

The Macs can connect to our wireless network without problems. In this case, I'm trying to get them to connect to our wired network, which requires a profile - sorry if I didn't make that clear.

Thanks.
 
LVL 39

Expert Comment

by:footech
ID: 40382601
Actually I was thinking that if they could connect wirelessly without a problem, then they should be able to do the same for ethernet (it never occurred to me that the behavior would be different depending on the interface).  But if that assumption is wrong I apologize.
 
LVL 45

Expert Comment

by:Craig Beck
ID: 40382653
Sometimes it is done differently.  For example, if a computer certificate is available it is easier to use EAP-TLS to authenticate a computer itself, regardless of user, while if no computer certificate is available and you want users to just walk-in with their own device it is far easier to use PEAP-MSChapV2 instead.

A lot of places I go to use 802.1x wired with EAP-TLS but let their wireless clients with their own devices use PEAP instead.
 
LVL 1

Author Comment

by:Robert Davis
ID: 40383146
The issue persists even after cleaning up the connection request policies and disabling all of the authentication methods except for PEAP in the network policies. The error messages are the same: "The identity of the server couldn't be established" on the client, and "Unexpected error. Possible error in server or client configuration" on the server.

Thanks.
 
LVL 1

Accepted Solution

by: Robert Davis (earned 0 total points)
ID: 40387167
I figured out the problem. All I had to do was remove the trusted server certificate name, and the Mac connected to our network.

Thanks.
 
LVL 1

Author Closing Comment

by:Robert Davis
ID: 40396435
I found this solution on another site. I assumed that you need to have the Trusted Server Certificate Name filled out in OS X, since that's the way we configured our Windows 7 clients, but turns out that's not the case.
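The profile described in the question and the change made in the accepted solution, as an added worked example (this is not code from the thread or from Apple): a Python 3 script that parses a constructed .mobileconfig modelled on that Network and Certificates payload and checks, the way the supplicant does, whether the names on the certificate the RADIUS server presents satisfy TLSTrustedServerNames and whether PayloadCertificateAnchorUUID points at a certificate payload that is actually in the profile. The wildcard matching is an approximation of Apple's check, the UUIDs, identifiers, hostnames and certificate bytes are placeholders, and the server certificate's names are passed in as strings rather than parsed out of DER.

```python
"""Check an OS X 802.1X profile (.mobileconfig) against the identity a RADIUS
server presents.  Added example for this thread, not code from the original
post; Python 3 standard library only."""
import fnmatch
import plistlib

EAP_PEAP = 25  # AcceptEAPTypes uses EAP method type numbers (13 TLS, 21 TTLS, 25 PEAP)
CERT_PAYLOAD_TYPES = ("com.apple.security.pkcs1", "com.apple.security.root")

# Constructed profile modelled on the payloads described in the question: the
# NPS server certificate, and an Ethernet payload trusting that certificate
# and one server name.  UUIDs, identifiers, hostnames and certificate bytes
# are placeholders, not real values.
PROFILE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.pkcs1</string>
      <key>PayloadIdentifier</key><string>com.example.lab.npscert</string>
      <key>PayloadUUID</key><string>7F1A9B20-0000-4000-8000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadContent</key><data>MIIBAAA=</data>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.firstactiveethernet.managed</string>
      <key>PayloadIdentifier</key><string>com.example.lab.ethernet</string>
      <key>PayloadUUID</key><string>3B2D6C1E-0000-4000-8000-000000000001</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>SetupModes</key><array><string>System</string><string>Loginwindow</string></array>
      <key>EAPClientConfiguration</key>
      <dict>
        <key>AcceptEAPTypes</key><array><integer>25</integer><integer>21</integer></array>
        <key>TTLSInnerAuthentication</key><string>MSCHAPv2</string>
        <key>PayloadCertificateAnchorUUID</key>
        <array><string>7F1A9B20-0000-4000-8000-000000000002</string></array>
        <key>TLSTrustedServerNames</key><array><string>nps01.corp.example.com</string></array>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""

def eap_config(profile_bytes):
    """EAPClientConfiguration of the first network (.managed) payload."""
    for p in plistlib.loads(profile_bytes)["PayloadContent"]:
        if p["PayloadType"].endswith(".managed"):
            return p["EAPClientConfiguration"]
    raise ValueError("profile has no network payload")

def certificate_uuids(profile_bytes):
    """UUIDs of certificate payloads that PayloadCertificateAnchorUUID can reference."""
    return {p["PayloadUUID"] for p in plistlib.loads(profile_bytes)["PayloadContent"]
            if p["PayloadType"] in CERT_PAYLOAD_TYPES}

def server_name_accepted(trusted_names, presented_names):
    """Approximation (assumption, not Apple's code) of the TLSTrustedServerNames
    check: an empty or absent list accepts any name; otherwise some name on the
    server certificate (subject CN or DNS SAN) must match an entry, '*' being a
    wildcard, compared case-insensitively."""
    if not trusted_names:
        return True
    return any(fnmatch.fnmatchcase(name.lower(), pattern.lower())
               for pattern in trusted_names for name in presented_names)

def evaluate(profile_bytes, presented_names):
    """Reasons the supplicant would refuse this server; empty list means accepted.
    presented_names holds the CN and DNS SANs of the RADIUS server certificate as
    strings, since parsing the DER itself would need a third-party library."""
    cfg = eap_config(profile_bytes)
    problems = []
    if EAP_PEAP not in cfg.get("AcceptEAPTypes", []):
        problems.append("PEAP (25) is not in AcceptEAPTypes")
    anchors = set(cfg.get("PayloadCertificateAnchorUUID", []))
    if not anchors:
        problems.append("no PayloadCertificateAnchorUUID: no anchor to validate the server cert")
    elif not anchors <= certificate_uuids(profile_bytes):
        problems.append("anchor UUID matches no certificate payload in the profile")
    trusted = cfg.get("TLSTrustedServerNames", [])
    if not server_name_accepted(trusted, presented_names):
        problems.append("certificate names %s match none of TLSTrustedServerNames %s"
                        % (sorted(presented_names), trusted))
    return problems

def strip_trusted_server_names(profile_bytes):
    """The change made in the accepted solution: remove TLSTrustedServerNames."""
    plist = plistlib.loads(profile_bytes)
    for p in plist["PayloadContent"]:
        if p["PayloadType"].endswith(".managed"):
            p["EAPClientConfiguration"].pop("TLSTrustedServerNames", None)
    return plistlib.dumps(plist)

if __name__ == "__main__":
    print(evaluate(PROFILE_XML, {"nps01.corp.example.com"}))   # CN matches: []
    print(evaluate(PROFILE_XML, {"NPS01"}))                    # short CN only: name mismatch
    print(evaluate(strip_trusted_server_names(PROFILE_XML), {"NPS01"}))  # no name check: []
```

Running it shows the three cases that matter in this thread: a certificate whose CN or DNS SAN equals the configured name is accepted; a certificate issued to a different name (a short hostname without the domain, or the FQDN present only where the check does not look) fails the name check, which is the class of failure the client reports as the server's identity not being established; and a profile with TLSTrustedServerNames removed accepts the server regardless of name. That last case is why removing the name works, and it is also the cost: the only thing then tying the PEAP tunnel to the NPS server is the anchor. When the anchor is the NPS server's own certificate, as in the profile above, that binding is still tight; when the anchor is a CA certificate, every certificate that CA has issued would be accepted, so the name list should go back in once the certificate's actual subject and SAN are known (`openssl x509 -noout -text` on the exported certificate shows them).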