Apple mac and 802.1x

[Dieselboy]

I have great 802.1X via Windows

Apple mac - it is working but I have a couple of issues:
1. every time the user logs in, they are prompted to accept the RADIUS servers certificate
2. Before the user is logged in, it's impossible to manually connect to the wifi (so first log in must be via cable where 802.1x is not in use).

The ROOT CA cert is installed in the system keychain and trusted. I thought this would have been enough to resolve issue 1 but this cert was always installed and the message keeps prompting. I've installed the RADIUS server certs and they are also trusted but the message continues.

For the other point, I Think I need to use mac os server to create a wifi profile, but dont have access to this software at the moment so cant check / try.

Any tips from the forum?

[SimonV]

The DNS entry in the certificate checks out? Does it have the correct SANs with the IP address?

[Dieselboy]

The entries in the cert are:
1. FQDN dns of RADIUS server
2. netbios name "DOMAIN"
3. internal sub.domain.com

No ip address... IS the mac connecting via IP and failing validation? Thought it was validating the domain?

[SimonV]

What kind of EAP are you using? PEAP (username/password) or EAP-TLS (client certificate)?
Have you installed the full CA chain, including all intermediates?

When it prompts you with the cert, doesn't it say why it's not trusted? Sorry, I never dealt with Macs for dot1x.

[Dieselboy]

I'm using PEAP but EAP-TLS is also set up and works from Windows clients.

Mac doesnt say why the cert is prompted. Initially, the default cert provided to the clients has one SAN and it's the FQDN of the RADIUS server. I thought the Mac was trying to validate either the short domain name of DOMAIN or the domain of sub.domain.com, So I recreated the certs using a custom template in AD but same issue...

It's just one of those annoying things

[deanwebb]

Is there a root + intermediate + server cert chain you also have to load on the RADIUS server?