802.1x TLS (Machine certificate) authentication in Snow Leopard
Hi,
In our company we are using 802.1x TLS authentication for WLAN and on some LAN ports. We have been delivering machine certificates to our PCs for a while without problems, and these are using the certificate to authenticate themselves before logging in to the network.
We would like to deliver the same user experience to Mac users, but we are having severe problems configuring them. Our Mac users use Snow Leopard, and the few references I found on the internet regarding 802.1x TLS authentication are for Leopard or previous versions, where the 802.1x and Keychain configuration is quite different.
We do have a proper machine certificate (with the correct usages, SAN, etc.) and its related AD object provisioned. I have created the 802.1x profile as a "User Profile" and as a "System Profile" with the same results.
I add the client logs below, but what I don't understand is why the client is sending that it's going to use MSCHAP when that is not the case:
<key>TTLSInnerAuthentication</key>
<string>MSCHAPv2</string>
Lastly, the Keychain also has a weird behavior. If we import a Root CA into the "login" and/or "System" keychain, mark it as "Always Trust" and later import a certificate created by this Root CA, the Keychain UI insists that the certificate "was signed by an unknown authority". From the logs below that does not seem to be the reason why the client is not able to use 802.1x TLS, but in any case that is a bug.
Client logs:
2010/05/14 10:37:12.872405 update_configuration
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AcceptEAPTypes</key>
<array>
<integer>13</integer>
</array>
<key>Description</key>
<string>Automatic</string>
<key>EAPFASTProvisionPAC</key>
<true/>
<key>EAPFASTUsePAC</key>
<true/>
<key>TLSIdentityHandle</key>
<data>
[Removed]
</data>
<key>TLSTrustedCertificates</key>
<array>
<data>
[In here we have our Internal Root CA we use to create Machine certificates and also to create the certificate used in our IAS Server (the RADIUS)]
</data>
</array>
<key>TLSVerifyServerCertificate</key>
<true/>
<key>TTLSInnerAuthentication</key>
<string>MSCHAPv2</string>
</dict>
</plist>
2010/05/14 10:37:12.968769 link up
2010/05/14 10:37:12.968862 Associated SSID [Removed SSID] BSSID [Removed BSSID]
2010/05/14 10:37:12.972850 Receive Packet Size 77
Ether packet: dest f8:1e:df:e4:88:5a source 0:11:5c:c7:14:90 type 0x888e
EAPOL: proto version 0x2 type EAP Packet (0) length 59
EAP Request (1): Identifier 1 Length 59
Identity (1)
length 59 - sizeof(*rd_p) 5 = 54
[Removed. In here there is our networkid,nasid and portid ]
2010/05/14 10:37:12.972955 Supplicant (main) status: state=Connecting
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ClientStatus</key>
<integer>0</integer>
<key>ConfigurationGeneration</key>
<integer>2</integer>
<key>DomainSpecificError</key>
<integer>0</integer>
<key>Mode</key>
<integer>1</integer>
<key>SupplicantState</key>
<integer>1</integer>
<key>Timestamp</key>
<date>2010-05-14T08:37:12Z</date>
<key>UniqueIdentifier</key>
<string>[Removed]</string>
</dict>
</plist>
2010/05/14 10:37:12.976795 EAP Request Identity
2010/05/14 10:37:12.976819 EAP Response Identity [Removed, in here there is the Machine name as appears in the SAN of the certificate ]
2010/05/14 10:37:12.976832 Transmit Packet Size 39
Ether packet: dest 0:11:5c:c7:14:90 source f8:1e:df:e4:88:5a type 0x888e
EAPOL: proto version 0x1 type EAP Packet (0) length 35
EAP Response (2): Identifier 1 Length 35
Identity (1)
length 35 - sizeof(*rd_p) 5 = 30
[Removed raw data with the SAN]
2010/05/14 10:37:12.977530 Supplicant (main) status: state=Acquired
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ClientStatus</key>
<integer>0</integer>
<key>ConfigurationGeneration</key>
<integer>2</integer>
<key>DomainSpecificError</key>
<integer>0</integer>
<key>IdentityAttributes</key>
<array>
<string>networkid=[Removed our SSID]</string>
<string>nasid=[Removed our WLANC ID]</string>
<string>portid=29</string>
</array>
<key>Mode</key>
<integer>1</integer>
<key>SupplicantState</key>
<integer>2</integer>
<key>Timestamp</key>
<date>2010-05-14T08:37:12Z</date>
<key>UniqueIdentifier</key>
<string>[Removed]</string>
</dict>
</plist>
2010/05/14 10:37:13.022577 force renew
2010/05/14 10:37:13.025323 stop
* Has someone been able to use 802.1x TLS-based authentication for Snow Leopard clients and is able to point me in the right direction?
* Does Apple provide any documentation for this? (All I found is that I should contact the "Network Administrator" to get the Mac configured!!!)
* How can I make a certificate issued by a "Private CA" trusted in Snow Leopard? All workarounds I found are not suitable for Snow Leopard.
Thanks
Jofre
MacBook Pro, Mac OS X (10.6.3)
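Added worked example (not part of Jofre's post and not Apple's code): a small Python script that audits an EAPOL client configuration plist with the same keys as the `update_configuration` dump above, and decodes Ethernet/EAPOL/EAP-Identity frames the way the supplicant log prints them ("EAPOL: proto version ... length 59", "length 59 - sizeof(*rd_p) 5 = 54"). The EAP method numbers are the IANA assignments (13 = EAP-TLS, 21 = EAP-TTLS, 25 = PEAP, 43 = EAP-FAST). The audit's rule that `TTLSInnerAuthentication` matters only when EAP-TTLS (21) is among the accepted types, so that with `AcceptEAPTypes = [13]` the MSCHAPv2 line is inert rather than evidence that MSCHAPv2 is negotiated, is my reading of the configuration and is labelled as an assumption in the code. The MAC addresses, SSID/NAS strings, machine name and certificate blobs are constructed placeholders chosen so the frame sizes match the log (EAP length 59 in a 77-byte frame for the request, EAP length 35 for the response).

```python
"""Audit an Apple EAPOL client plist and decode EAPOL / EAP-Identity frames.

Added example; all sample data is constructed for illustration.
"""
import plistlib
import struct

# IANA EAP method numbers for the methods an Apple supplicant lists in AcceptEAPTypes.
EAP_TYPE_NAMES = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 43: "EAP-FAST"}
EAP_CODE_NAMES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
ETHERTYPE_EAPOL = 0x888E

# Constructed plist with the keys from the log's update_configuration dump; the removed
# identity handle and CA blobs are replaced by a base64 "PLACEHOLDER" string.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AcceptEAPTypes</key>
<array><integer>13</integer></array>
<key>TLSIdentityHandle</key>
<data>UExBQ0VIT0xERVI=</data>
<key>TLSTrustedCertificates</key>
<array><data>UExBQ0VIT0xERVI=</data></array>
<key>TLSVerifyServerCertificate</key>
<true/>
<key>TTLSInnerAuthentication</key>
<string>MSCHAPv2</string>
</dict>
</plist>
"""


def audit_eapol_config(plist_bytes):
    """Return {"methods", "issues", "notes"} for an EAPOL client configuration plist.

    Assumption (my reading, not stated in the log): TTLSInnerAuthentication is consumed
    only by the EAP-TTLS (21) method, so with AcceptEAPTypes = [13] it is ignored.
    """
    cfg = plistlib.loads(plist_bytes)
    types = list(cfg.get("AcceptEAPTypes", []))
    methods = [EAP_TYPE_NAMES.get(t, "unknown(%d)" % t) for t in types]
    issues, notes = [], []
    if 13 not in types:
        issues.append("EAP-TLS (13) is not in AcceptEAPTypes")
    if any(t != 13 for t in types):
        issues.append("methods other than EAP-TLS are accepted; a rogue RADIUS server could "
                      "steer the client to a weaker one")
    if not cfg.get("TLSVerifyServerCertificate", False):
        issues.append("TLSVerifyServerCertificate is off: any RADIUS server would be trusted")
    if not cfg.get("TLSTrustedCertificates"):
        issues.append("no TLSTrustedCertificates: server trust is not pinned to the private root CA")
    if not cfg.get("TLSIdentityHandle"):
        issues.append("no TLSIdentityHandle: there is no machine certificate to present")
    if "TTLSInnerAuthentication" in cfg and 21 not in types:
        notes.append("TTLSInnerAuthentication=%s is present but EAP-TTLS (21) is not accepted; "
                     "the key is ignored" % cfg["TTLSInnerAuthentication"])
    return {"methods": methods, "issues": issues, "notes": notes}


def build_identity_frame(dst, src, eapol_version, code, identifier, identity):
    """Build an Ethernet frame carrying one EAPOL EAP-Packet with an EAP Identity payload."""
    eap_body = b"\x01" + identity                                   # EAP type 1 = Identity
    eap = struct.pack("!BBH", code, identifier, 4 + len(eap_body)) + eap_body
    eapol = struct.pack("!BBH", eapol_version, 0, len(eap)) + eap   # EAPOL type 0 = EAP-Packet
    return dst + src + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def parse_eapol(frame):
    """Decode a frame the way the supplicant log prints it; raise on inconsistent lengths."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL headers")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame (EtherType 0x%04x)" % ethertype)
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPOL length %d exceeds the frame" % length)
    out = {"dst": dst.hex(":"), "src": src.hex(":"), "eapol_version": version,
           "eapol_type": ptype, "eapol_length": length}
    if ptype != 0:                      # 1 = EAPOL-Start, 2 = EAPOL-Logoff, 3 = EAPOL-Key
        return out
    code, identifier, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len != length or eap_len < 5:
        raise ValueError("EAP length %d inconsistent with EAPOL length %d" % (eap_len, length))
    out.update(eap_code=EAP_CODE_NAMES.get(code, code), eap_id=identifier,
               eap_length=eap_len, eap_type=body[4])
    if body[4] == 1:                    # Identity: the log's "length N - sizeof(*rd_p) 5" bytes
        data = body[5:eap_len].decode("utf-8", "replace")
        out["identity"] = data
        if code == 1:                   # the NAS's Identity request carries key=value hints
            out["attributes"] = dict(kv.split("=", 1) for kv in data.split(",") if "=" in kv)
    return out


# Constructed addresses matching the log's dest/source fields (Mac = f8:1e:..., NAS = 00:11:...).
MAC_ADDR = bytes.fromhex("f81edfe4885a")
NAS_ADDR = bytes.fromhex("00115cc71490")
# 54-byte identity hint -> EAP length 59, 77-byte frame, as in "Receive Packet Size 77".
REQUEST_FRAME = build_identity_frame(MAC_ADDR, NAS_ADDR, 2, 1, 1,
                                     b"networkid=CORPWLAN-EXAMPLE,nasid=WLC-EXAMPLE,portid=29")
# 30-byte constructed machine identity -> EAP length 35, as in the transmitted response.
RESPONSE_FRAME = build_identity_frame(NAS_ADDR, MAC_ADDR, 1, 2, 1,
                                      b"host/mac-example1.corp.example")

if __name__ == "__main__":
    print(audit_eapol_config(SAMPLE_PLIST))
    for frame in (REQUEST_FRAME, RESPONSE_FRAME):
        print(parse_eapol(frame))
```

Running the script against the constructed plist reports only EAP-TLS as an accepted method, no issues, and one note explaining that the MSCHAPv2 value is ignored; flipping `TLSVerifyServerCertificate` to `<false/>` turns that into an issue, which is the setting a defender most wants to catch, since without it the supplicant will present its machine certificate to whatever RADIUS server answers.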