Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Help with Mac OS X EAP-TLS

  • 1.  Help with Mac OS X EAP-TLS

    Posted Mar 29, 2016 11:17 AM

    We're trying to do EAP-TLS for all of our corporate devices.  Windows stuff works fine.  Macs are a huge PITA.  If you get all the certs on the device and manually connect to the SSID, choose your cert, you get on.... but it prompts you for access to the keychain every single time it has to reconnect.  Unacceptable for us.  I'm told the solution is to use a Wi-Fi profile.  So we're trying this out from AirWatch... but it will not work.  We cannot chain together the cert properly to NOT get a TLS error on the ClearPass side.

     

    Any tips or ideas to try?  I'd appreciate it.

     

    Error on CPPM when trying to auth from profile:

    EAP-TLS: warning alert by client - close_notify
    eap-tls: Error in establishing TLS session

     

    thanks.



  • 2.  RE: Help with Mac OS X EAP-TLS

    Posted Mar 29, 2016 11:48 AM

    lsipple,

     

    Do you have the rootCA loaded into keychain on the OSX machines? This rootCA should be the same rootCA that signed the CPPM radius certificate. 

     

    Also, the user certs being used to authenticate to Wi-Fi: are they being generated and signed from the same place the CPPM cert was generated?



  • 3.  RE: Help with Mac OS X EAP-TLS

    Posted Mar 29, 2016 12:35 PM

    Hey Justin - yes and yes.  That is the case.



  • 4.  RE: Help with Mac OS X EAP-TLS

    Posted Mar 29, 2016 03:38 PM

    What version of OSX are you running? 



  • 5.  RE: Help with Mac OS X EAP-TLS

    Posted Mar 29, 2016 03:39 PM

    El Capitan - 10.11.3



  • 6.  RE: Help with Mac OS X EAP-TLS

    Posted Mar 29, 2016 03:45 PM

     

    When keychain keeps popping up, what is it asking you to do? Do the users have local admin access?



  • 7.  RE: Help with Mac OS X EAP-TLS

    Posted Mar 29, 2016 04:02 PM

    "You are making changes to your Certificate Trust Settings. Type your password to allow this."

     

    What it's barking about is the actual ClearPass server cert which is already in the login AND system keychain AND is also set to always trust.



  • 8.  RE: Help with Mac OS X EAP-TLS

    Posted Mar 29, 2016 04:30 PM

    I will have to test with 10.11 in regards to EAP-TLS; I don't recall ever having these issues with 10.10. I do know that Apple removed the native support for EAP-TLS, and you're forced to utilize a profile on 10.11.

     

    I will check things out shortly once I get my rootCA fixed and get back to you. 



  • 9.  RE: Help with Mac OS X EAP-TLS

    Posted Mar 29, 2016 04:43 PM

    Interesting.  Without a profile I can connect via TLS once I click through the cert prompt.



  • 10.  RE: Help with Mac OS X EAP-TLS

    Posted Mar 30, 2016 09:51 AM

    lsipple,

     

    Unfortunately I don't have an answer for you right yet.

     

    I'm having some issues with OSX 10.11 in regards to installing the Device Enrollment profile for OTA deployment. I don't recall this issue with 10.10 and CPPM 6.5.5, although now since I have upgraded to 10.11 I keep seeing the error "Cant Decrypt the profile, install failed". Also my lab AD server is throwing errors when trying to generate user certs.

     

    Let me get back to you a bit later once I can correctly generate a user cert and test. 



  • 11.  RE: Help with Mac OS X EAP-TLS

    Posted Mar 30, 2016 09:56 AM

    I troubleshot with Aruba TAC for a few hours... we found out that the CPPM server is sending the cert to initiate the TLS conversation, but the Mac is seemingly not trusting it. I have a feeling there is something very small or stupid with our root or CP cert (issued by a subordinate template) that these new versions aren't liking.  I noticed that the CP subordinate certs do not have a SAN section with the DNS entry of the CP servers... which I saw a few people talking about could be the issue.

     

    I have a call at 10:30 today with both Airwatch and Clearpass to hopefully get this resolved...

     

    thanks,

    -Luke



  • 12.  RE: Help with Mac OS X EAP-TLS

    Posted Mar 30, 2016 10:28 AM

    It sounds like you're moving in the correct direction.

     

    I don't recall keychain having issues in the past, although I know a number of changes have been done in 10.11 which could also alter the experience.



  • 13.  RE: Help with Mac OS X EAP-TLS

    Posted Apr 03, 2016 10:22 AM

    I eventually got this fixed.  It was a certificate template issue with the RADIUS cert.  We signed it from our domain CA with the subordinate template.  We (Aruba and AirWatch) couldn't actually find anything wrong with it.... but I decided to re-sign with our web-server template and it fixed it.  After digging and comparing the two: we found that the web template added the feature of "key encipherment".  Apparently OS X was looking for that?  I dunno.  No clear or concise documentation from Apple of course.
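
    Added example, not from the thread or from Aruba/ClearPass: a POSIX shell check that builds two constructed self-signed certificates, one shaped like the "subordinate template" RADIUS cert that failed (no Key Encipherment, no DNS SAN) and one shaped like the web-server template cert that worked, and inspects the Key Usage, EKU and subjectAltName fields that posts 11 and 13 point at. The hostname is a placeholder; it needs OpenSSL 1.1.1 or newer for -addext and -ext.

```shell
#!/bin/sh
# Constructed example: which X.509 fields a RADIUS server cert should carry
# before handing it to an EAP-TLS supplicant. Hostname below is a placeholder.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Shaped like the failing "subordinate template" cert: Digital Signature only, no SAN.
make_bad_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=cppm.example.local" \
    -addext "keyUsage=critical,digitalSignature" \
    -addext "extendedKeyUsage=serverAuth" \
    -keyout "$WORK/bad.key" -out "$WORK/bad.pem" 2>/dev/null
  echo "$WORK/bad.pem"
}

# Shaped like the working "web-server template" cert: adds Key Encipherment and a DNS SAN.
make_good_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=cppm.example.local" \
    -addext "keyUsage=critical,digitalSignature,keyEncipherment" \
    -addext "extendedKeyUsage=serverAuth" \
    -addext "subjectAltName=DNS:cppm.example.local" \
    -keyout "$WORK/good.key" -out "$WORK/good.pem" 2>/dev/null
  echo "$WORK/good.pem"
}

# Prints one line per missing field; returns 0 only when every field is present.
check_radius_cert() {
  cert=$1; rc=0
  ku=$(openssl x509 -in "$cert" -noout -ext keyUsage 2>/dev/null || true)
  eku=$(openssl x509 -in "$cert" -noout -ext extendedKeyUsage 2>/dev/null || true)
  san=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null || true)
  case "$ku"  in *"Key Encipherment"*) ;; *) echo "$cert: Key Usage lacks Key Encipherment"; rc=1 ;; esac
  case "$ku"  in *"Digital Signature"*) ;; *) echo "$cert: Key Usage lacks Digital Signature"; rc=1 ;; esac
  case "$eku" in *"TLS Web Server Authentication"*) ;; *) echo "$cert: EKU lacks serverAuth"; rc=1 ;; esac
  case "$san" in *"DNS:"*) ;; *) echo "$cert: no DNS subjectAltName"; rc=1 ;; esac
  return $rc
}
```

    Run `check_radius_cert` against the PEM export of the real ClearPass RADIUS certificate to see which of these fields the issuing template left out.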



  • 14.  RE: Help with Mac OS X EAP-TLS

    Posted Apr 04, 2016 12:35 PM

    Glad you were able to find a resolution to this!!!