Occasional Contributor II

EAP-TLS Error 215 - MAC OS

Newbie to the forums and product, please excuse the extreme ignorance to follow.

 

We are trying out CP and have an 802.1x policy that works for all Windows machines thrown at it thus far. However, when I try the same process on a Mac, CP gives me Error Code 215. The alert says:

 

EAP-TLS: fatal alert by server - handshake_failure
TLS Handshake failed in SSL_read with error:140890C7:SSL routines:ssl3_get_client_certificate:peer did not return a certificate
eap-tls: Error in establishing TLS session

 

 

The RADIUS cert used on CP is from our own PKI. Macs and Windows devices are using the same device certificate template when requesting said cert from the CA.

 

Any ideas would be most appreciated! Thank you for reading.

Guru Elite

Re: EAP-TLS Error 215 - MAC OS

Was the cert selected in the initial authentication dialog?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: EAP-TLS Error 215 - MAC OS

I believe so. A pop-up appears on the Mac asking for the Identity, at which time I select the 802.1x profile that was pushed to the device. One thing I noticed is that the Device Certificate on the Mac has no Subject. The same CA template is used for Device Certs on PC, which are working fine. So, not sure if that is part of the problem or not. Screenshot attached.

Guru Elite

Re: EAP-TLS Error 215 - MAC OS

Are the machines domain-joined?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: EAP-TLS Error 215 - MAC OS

Yes, the Macs and PCs are both domain joined.

Guru Elite

Re: EAP-TLS Error 215 - MAC OS

How are you handling the certificate enrollment?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: EAP-TLS Error 215 - MAC OS

Internal PKI - GPO for Windows and Casper for Macs

Occasional Contributor II

Re: EAP-TLS Error 215 - MAC OS

Looks like our PKI template needed to be adjusted for Mac devices. This has been corrected and now the Mac seems to be happy with the new device certificate. However, CP authentication is still failing. At this point I am thinking it may be because "host/" is missing from the Authentication:Full-Username part of the request. For example, working Windows devices return "host/pcname.domain.com" whereas my Mac is sending back "macname.domain.com". 

 

Any suggestions would be most appreciated! Thank you for reading.

Guru Elite

Re: EAP-TLS Error 215 - MAC OS

The supplicant does not append host/ like Windows does. You’ll have to leverage the FQDN.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
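
Added example (not written by the thread's participants, and not ClearPass configuration): Python that reduces both identity forms quoted above, "host/pcname.domain.com" and "macname.domain.com", to the bare FQDN so that one comparison covers Windows and macOS machines. The function names and the handling of an empty identity are assumptions.

```python
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def machine_fqdn(identity):
    """Return the lowercase FQDN carried in a machine identity, or None.

    Accepts both forms seen in the thread: "host/pcname.domain.com"
    (Windows supplicant) and "macname.domain.com" (macOS supplicant).
    """
    if not identity:
        # Assumption: an empty identity (for instance from a certificate
        # issued without a Subject) is rejected rather than matched.
        return None
    name = identity.strip().lower()
    if name.startswith("host/"):
        name = name[len("host/"):]
    name = name.rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        return None
    return name


def in_domain(identity, domain):
    """True if the identity names a host strictly inside `domain`."""
    fqdn = machine_fqdn(identity)
    if fqdn is None:
        return False
    # Compare on a label boundary so "notdomain.com" cannot match "domain.com".
    return fqdn.endswith("." + domain.lower().rstrip("."))


# Constructed samples; the first two are the forms quoted in the thread.
SAMPLES = ["host/pcname.domain.com", "macname.domain.com", "", "host/",
           "pc.notdomain.com"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", machine_fqdn(sample),
              in_domain(sample, "domain.com"))
```
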
Occasional Contributor II

Re: EAP-TLS Error 215 - MAC OS

Would doing so mean that the Service Rule needs to be modified? Sorry, totally new to this product.
