03-29-2016 08:17 AM
We're trying to do EAP-TLS for all of our corporate devices. Windows stuff works fine. Macs are a huge PITA. If you get all the certs on the device and manually connect to the SSID, choose your cert, you get on.... but it prompts you for access to the keychain every single time it has to reconnect. Unacceptable for us. I'm told the solution is to use a Wi-Fi profile. So we're trying this out from AirWatch... but it will not work. We cannot chain together the cert properly to NOT get a TLS error on the ClearPass side.
Any tips or ideas to try? I'd appreciate it.
Error on CPPM when trying to auth from profile:
EAP-TLS: warning alert by client - close_notify
eap-tls: Error in establishing TLS session
03-29-2016 08:47 AM
Do you have the rootCA loaded into keychain on the OSX machines? This rootCA should be the same rootCA that signed the CPPM radius certificate.
Also the User certs being used to authenticate to wifi; are they being generated and signed from the same place the CPPM cert was generated?
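The two questions in the reply above come down to one check, shown here as an added example that is not part of the original thread: do the RADIUS server certificate and the client certificate both verify against the same root? The function names and the throwaway PKI are constructed for illustration; it assumes the `openssl` CLI and PEM-encoded files.

```shell
#!/bin/sh
# Added example with a constructed throwaway PKI (no certificates from the thread).

# chains_to ROOT_PEM CERT_PEM: succeed only if CERT verifies against ROOT alone.
chains_to() {
    # Match the ": OK" line as well; older OpenSSL builds can exit 0 on failure.
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# same_root ROOT SERVER CLIENT: report which side of EAP-TLS breaks the chain.
same_root() {
    rc=0
    chains_to "$1" "$2" || { echo "server cert does not chain to root"; rc=1; }
    chains_to "$1" "$3" || { echo "client cert does not chain to root"; rc=1; }
    return "$rc"
}

# make_root DIR NAME CN: self-signed constructed root CA.
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_leaf DIR CA_NAME LEAF_NAME CN: leaf certificate issued by CA_NAME.
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$4" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null
}

# demo: RADIUS cert and one user cert from root A, a second user cert from root B.
demo() {
    d=$(mktemp -d) || return 2
    make_root "$d" rootA "Constructed Root A" && make_root "$d" rootB "Constructed Root B" &&
    make_leaf "$d" rootA radius "constructed-radius" &&
    make_leaf "$d" rootA user_a "constructed-user-a" &&
    make_leaf "$d" rootB user_b "constructed-user-b" || return 2
    same_root "$d/rootA.pem" "$d/radius.pem" "$d/user_a.pem" && echo "user_a: same root"
    same_root "$d/rootA.pem" "$d/radius.pem" "$d/user_b.pem" || echo "user_b: different root"
    rm -rf "$d"
}

demo
```

Against real files, call `same_root` with the exported root CA, the RADIUS server certificate and the client certificate; if an intermediate CA is involved, it has to be present in the file passed as the root bundle.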
03-29-2016 01:01 PM
"You are making changes to your Certificate Trust Settings. Type your password to allow this."
What it's barking about is the actual ClearPass server cert which is already in the login AND system keychain AND is also set to always trust.
03-29-2016 01:30 PM
I will have to test with 10.11 in regards to EAP-TLS, I don't recall ever having these issues with 10.10. I do know that Apple removed the native support for EAP-TLS, and you're forced to utilize a profile on 10.11.
I will check things out shortly once I get my rootCA fixed and get back to you.
03-30-2016 06:50 AM
Unfortunately I don't have an answer for you right yet.
I'm having some issues with OSX 10.11 in regards to installing the Device Enrollment profile for OTA deployment. I don't recall this issue with 10.10 and CPPM 6.5.5, although now since I have upgraded to 10.11 I keep seeing the error. "Cant Decrypt the profile, install failed". Also my lab AD server is throwing errors when trying to generate user certs.
Let me get back to you a bit later once I can correctly generate a user cert and test.