
Occasional Contributor II
Posts: 20
Registered: 03-02-2016

Help with Mac OS X EAP-TLS

We're trying to do EAP-TLS for all of our corporate devices.  Windows stuff works fine.  Macs are a huge PITA.  If you get all the certs on the device and manually connect to the SSID, choose your cert, you get on.... but it prompts you for access to the keychain every single time it has to reconnect.  Unacceptable for us.  I'm told the solution is to use a Wi-Fi profile.  So we're trying this out from AirWatch... but it will not work.  We cannot chain together the cert properly to NOT get a TLS error on the ClearPass side.


Any tips or ideas to try?  I'd appreciate it.


Error on CPPM when trying to auth from profile:

EAP-TLS: warning alert by client - close_notify
eap-tls: Error in establishing TLS session


thanks.

Contributor I
Posts: 32
Registered: 01-03-2014

Re: Help with Mac OS X EAP-TLS

lsipple,


Do you have the rootCA loaded into the keychain on the OS X machines? This rootCA should be the same rootCA that signed the CPPM RADIUS certificate.


Also, the user certs being used to authenticate to Wi-Fi: are they being generated and signed from the same place the CPPM cert was generated?

Justin Kwasnik | ACMX# 598 | ACCP
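The two questions above (does the root CA in the keychain match the one that issued the CPPM RADIUS certificate, and were the user certs issued from the same place) can be answered with a plain `openssl verify`. The script below is an added example, not part of this thread and not an Aruba or Apple tool; it builds a throwaway root CA plus a stand-in RADIUS cert and user cert with openssl so it runs offline, and the names (Example Corp, cppm.example.com, jdoe@example.com) are placeholders. It also issues a RADIUS cert from an unrelated root to show what the failing case looks like.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that the RADIUS server cert and
# the user cert both chain to the root CA you expect the Mac keychain to hold.
# All certificates here are constructed on the fly; nothing is read from a real
# keychain or a real ClearPass server.
set -e

WORK=$(mktemp -d)

# make_root NAME FILEBASE : create a self-signed root CA in $WORK
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.pem" >/dev/null 2>&1
}

# issue_cert ROOTBASE CN FILEBASE : create an end-entity cert signed by ROOTBASE
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$3.key" -out "$WORK/$3.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/$3.csr" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$3.pem" >/dev/null 2>&1
}

# chains_to_root ROOTFILE CERTFILE : prints "ok" if CERTFILE validates against
# ROOTFILE as its trust anchor, otherwise "fail"
chains_to_root() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

make_root "Example Corp Root CA" corp_root           # the root that should be in the keychain
make_root "Unrelated Root CA" other_root             # a different root, for the failure case
issue_cert corp_root "cppm.example.com" radius       # stand-in for the ClearPass RADIUS cert
issue_cert corp_root "jdoe@example.com" user         # stand-in for the AirWatch-delivered user cert
issue_cert other_root "cppm.example.com" radius_bad  # RADIUS cert issued by the wrong CA

RADIUS_OK=$(chains_to_root "$WORK/corp_root.pem" "$WORK/radius.pem")
USER_OK=$(chains_to_root "$WORK/corp_root.pem" "$WORK/user.pem")
RADIUS_BAD=$(chains_to_root "$WORK/corp_root.pem" "$WORK/radius_bad.pem")

echo "RADIUS cert chains to corp root:      $RADIUS_OK"
echo "user cert chains to corp root:        $USER_OK"
echo "wrong-CA RADIUS cert chains to root:  $RADIUS_BAD"
echo "test material left in $WORK"
```

To run the same check against real material on a Mac, export the root from the system keychain with `security find-certificate -a -p -c "<root CA name>" /Library/Keychains/System.keychain > root.pem`, put a copy of the ClearPass server certificate in `radius.pem`, and call `chains_to_root root.pem radius.pem`. A `fail` here means the keychain's root is not the issuer of the RADIUS cert (or an intermediate is missing), which is worth ruling out before spending time on the profile itself; an `ok` for the RADIUS cert but `fail` for a user cert points at the second question, the source of the user certs.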
Occasional Contributor II
Posts: 20
Registered: 03-02-2016

Re: Help with Mac OS X EAP-TLS

Hey Justin - yes and yes.  That is the case.

Contributor I
Posts: 32
Registered: 01-03-2014

Re: Help with Mac OS X EAP-TLS

What version of OS X are you running?

Justin Kwasnik | ACMX# 598 | ACCP
Occasional Contributor II
Posts: 20
Registered: 03-02-2016

Re: Help with Mac OS X EAP-TLS

El Capitan - 10.11.3

Contributor I
Posts: 32
Registered: 01-03-2014

Re: Help with Mac OS X EAP-TLS


When the keychain keeps popping up, what is it asking you to do? Do the users have local admin access?

Justin Kwasnik | ACMX# 598 | ACCP
Occasional Contributor II
Posts: 20
Registered: 03-02-2016

Re: Help with Mac OS X EAP-TLS

"You are making changes to your Certificate Trust Settings. Type your password to allow this."


What it's barking about is the actual ClearPass server cert which is already in the login AND system keychain AND is also set to always trust.

Contributor I
Posts: 32
Registered: 01-03-2014

Re: Help with Mac OS X EAP-TLS

I will have to test with 10.11 in regards to EAP-TLS; I don't recall ever having these issues with 10.10. I do know that Apple removed the native support for EAP-TLS, and you're forced to utilize a profile on 10.11.


I will check things out shortly once I get my rootCA fixed and get back to you.

Justin Kwasnik | ACMX# 598 | ACCP
Occasional Contributor II
Posts: 20
Registered: 03-02-2016

Re: Help with Mac OS X EAP-TLS

Interesting.  Without a profile I can connect via TLS once I click through the cert prompt.

Contributor I
Posts: 32
Registered: 01-03-2014

Re: Help with Mac OS X EAP-TLS

lsipple,


Unfortunately I don't have an answer for you right yet.


I'm having some issues with OS X 10.11 in regards to installing the Device Enrollment profile for OTA deployment. I don't recall this issue with 10.10 and CPPM 6.5.5, although now since I have upgraded to 10.11 I keep seeing the error "Cant Decrypt the profile, install failed". Also, my lab AD server is throwing errors when trying to generate user certs.


Let me get back to you a bit later once I can correctly generate a user cert and test.

Justin Kwasnik | ACMX# 598 | ACCP