Apple Mac and 802.1X

Started by Dieselboy, July 01, 2019, 09:56:52 PM


Dieselboy

I have great 802.1X via Windows

Apple Mac: it is working, but I have a couple of issues:
1. Every time the user logs in, they are prompted to accept the RADIUS server's certificate.
2. Before the user is logged in, it's impossible to manually connect to the Wi-Fi (so the first login must be via cable, where 802.1X is not in use).

The root CA cert is installed in the System keychain and trusted. I thought this would have been enough to resolve issue 1, but this cert was always installed and the message keeps prompting. I've installed the RADIUS server certs and they are also trusted, but the message continues.

For the other point, I think I need to use macOS Server to create a Wi-Fi profile, but I don't have access to this software at the moment so can't check/try.

Any tips from the forum?

SimonV

The DNS entry in the certificate checks out? Does it have the correct SANs with the IP address?

Dieselboy

The entries in the cert are:
1. FQDN dns of RADIUS server
2. netbios name "DOMAIN"
3. internal sub.domain.com

No IP address... Is the Mac connecting via IP and failing validation? I thought it was validating the domain?

SimonV

What kind of EAP are you using? PEAP (username/password) or EAP-TLS (client certificate)?
Have you installed the full CA chain, including all intermediates?

When it prompts you with the cert, doesn't it say why it's not trusted? Sorry, I never dealt with Macs for dot1x.

Dieselboy

I'm using PEAP but EAP-TLS is also set up and works from Windows clients.

The Mac doesn't say why the cert is prompted. Initially, the default cert provided to the clients has one SAN, and it's the FQDN of the RADIUS server. I thought the Mac was trying to validate either the short domain name DOMAIN or the domain sub.domain.com, so I recreated the certs using a custom template in AD, but same issue...

It's just one of those annoying things :)
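The Wi-Fi profile mentioned in the opening post does not require macOS Server; a .mobileconfig is just an XML plist and can be generated with Python's standard-library plistlib. The added example below is not from the thread or from any poster. It builds a device-scoped profile with two payloads: a root-CA payload, and a Wi-Fi payload whose EAPClientConfiguration pins the RADIUS server name via TLSTrustedServerNames and anchors trust to the embedded CA via PayloadCertificateAnchorUUID (this is what stops the per-login "accept certificate" prompt), with SetupModes set to "System" so the supplicant can join at the login window. The SSID, hostnames, organisation name and the CA bytes are placeholders; System-mode PEAP also needs a credential the machine can present without a user (here an optional UserName/UserPassword pair), which is an assumption about your deployment. A small validate_profile() check flags the usual mistakes that leave the prompt in place.

```python
"""Build and sanity-check a macOS 802.1X Wi-Fi .mobileconfig (added example).

Payload keys follow Apple's Configuration Profile Reference (Wi-Fi payload
com.apple.wifi.managed, root certificate payload com.apple.security.root).
"""
import plistlib
import uuid

PEAP = 25      # IANA EAP method numbers: 25 = PEAP, 13 = EAP-TLS
EAP_TLS = 13

# Constructed placeholder; in practice use open("root-ca.cer", "rb").read()
# (DER-encoded root CA certificate).
PLACEHOLDER_ROOT_CA_DER = b"\x30\x82\x00\x00PLACEHOLDER-DER-BYTES"


def build_profile(ssid, trusted_server_names, root_ca_der, org="Example Org",
                  eap_types=(PEAP,), identifier="com.example.wifi.dot1x",
                  username=None, password=None):
    """Return the profile as a dict ready for plistlib.dumps()."""
    ca_uuid = str(uuid.uuid4()).upper()
    ca_payload = {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier}.rootca",
        "PayloadUUID": ca_uuid,
        "PayloadDisplayName": "Corporate Root CA",
        "PayloadContent": root_ca_der,          # bytes become a <data> element
    }
    eap = {
        "AcceptEAPTypes": list(eap_types),
        # The RADIUS server cert must chain to the anchor below AND carry a
        # SAN/CN matching one of these names (wildcards such as *.sub.domain.com
        # are allowed). With both set, macOS stops asking the user to decide.
        "TLSTrustedServerNames": list(trusted_server_names),
        "PayloadCertificateAnchorUUID": [ca_uuid],
        # Do not let the user override a failed server-cert check with a prompt.
        "TLSAllowTrusted": False,
    }
    if username is not None:
        # System mode has no logged-in user, so PEAP needs a stored credential
        # (e.g. a machine account); assumption about your environment.
        eap["UserName"] = username
        eap["UserPassword"] = password
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier}.wifi",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Wi-Fi {ssid}",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "SetupModes": ["System"],               # connect before any user logs in
        "EAPClientConfiguration": eap,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{org} 802.1X Wi-Fi",
        "PayloadOrganization": org,
        "PayloadScope": "System",                # device profile, not per-user
        "PayloadContent": [ca_payload, wifi_payload],
    }


def validate_profile(profile):
    """Return a list of problems that would leave the cert prompt in place."""
    problems = []
    payloads = profile.get("PayloadContent", [])
    cert_uuids = {p["PayloadUUID"] for p in payloads
                  if p.get("PayloadType", "").startswith("com.apple.security.")}
    for p in payloads:
        if p.get("PayloadType") != "com.apple.wifi.managed":
            continue
        eap = p.get("EAPClientConfiguration", {})
        if not eap.get("TLSTrustedServerNames"):
            problems.append("no TLSTrustedServerNames: server name is not pinned")
        for anchor in eap.get("PayloadCertificateAnchorUUID", []):
            if anchor not in cert_uuids:
                problems.append(f"anchor {anchor} has no certificate payload")
        if not eap.get("PayloadCertificateAnchorUUID"):
            problems.append("no PayloadCertificateAnchorUUID: trust not anchored")
        if "System" not in p.get("SetupModes", []):
            problems.append("SetupModes lacks System: no pre-login connection")
    return problems


def to_mobileconfig(profile):
    """Serialise to the XML plist bytes that macOS installs as .mobileconfig."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    prof = build_profile("CorpWiFi", ["radius01.sub.domain.com"],
                         PLACEHOLDER_ROOT_CA_DER, username="host/mac01",
                         password="machine-secret")
    print(validate_profile(prof) or "profile looks consistent")
    with open("corp-dot1x.mobileconfig", "wb") as fh:
        fh.write(to_mobileconfig(prof))
```

Install the resulting file on a test Mac (double-click, or from Terminal with `sudo profiles install -path corp-dot1x.mobileconfig` on current macOS) and confirm the machine joins at the login window without the certificate dialog. If the dialog still appears, the usual cause is a name mismatch: the RADIUS server's certificate must present, in its SAN list, one of the names listed in TLSTrustedServerNames.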

deanwebb

Is there a root + intermediate + server cert chain you also have to load on the RADIUS server?
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.