1 Reply Latest reply: May 14, 2010 8:18 AM by Jofre
Jofre Level 1 (0 points)
Hi,
In our company we are using 802.1x TLS authentication for WLAN and on some LAN ports. We have been delivering machine certificates to our PCs for a while without problems, and these are using the certificate to authenticate themselves before login to the network.

We would like to deliver the same user experience to Mac users, but we are having severe problems configuring them. Our Mac users use Snow Leopard, and the few references I found on the internet regarding 802.1x TLS authentication are for Leopard or previous versions, where the 802.1x and Keychain configuration is quite different.

We do have a proper machine certificate (with the correct usages, SAN, etc.) and its related AD object provisioned. I have created the 802.1x profile as a "User Profile" and as a "System Profile" with the same results.


I add the client logs below, but what I don't understand is why the client is sending that it's going to use MSCHAP when that is not the case.

<key>TTLSInnerAuthentication</key>
<string>MSCHAPv2</string>

Lastly, the Keychain also has a weird behavior. If we import a Root CA in the "login" and/or "System" keychain, mark it as "Always Trust" and later import a certificate created by this Root CA, the keychain UI insists that the certificate "was signed by an unknown authority". From the logs below that does not seem to be the reason why the client is not able to use 802.1x TLS, but in any case that is a bug.

Client logs:

2010/05/14 10:37:12.872405 update_configuration
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AcceptEAPTypes</key>
<array>
<integer>13</integer>
</array>
<key>Description</key>
<string>Automatic</string>
<key>EAPFASTProvisionPAC</key>
<true/>
<key>EAPFASTUsePAC</key>
<true/>
<key>TLSIdentityHandle</key>
<data>

[Removed]

</data>
<key>TLSTrustedCertificates</key>
<array>
<data>

[In here we have our Internal Root CA we use to create Machine certificate and also to create the certificate used in our IAS Server (the RADIUS)]
</data>
</array>
<key>TLSVerifyServerCertificate</key>
<true/>
<key>TTLSInnerAuthentication</key>
<string>MSCHAPv2</string>
</dict>
</plist>
2010/05/14 10:37:12.968769 link up
2010/05/14 10:37:12.968862 Associated SSID [Removed SSID] BSSID [Removed BSSID]
2010/05/14 10:37:12.972850 Receive Packet Size 77
Ether packet: dest f8:1e:df:e4:88:5a source 0:11:5c:c7:14:90 type 0x888e
EAPOL: proto version 0x2 type EAP Packet (0) length 59
EAP Request (1): Identifier 1 Length 59
Identity (1)
length 59 - sizeof(*rd_p) 5 = 54

[Removed. In here there is our networkid,nasid and portid ]

2010/05/14 10:37:12.972955 Supplicant (main) status: state=Connecting
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ClientStatus</key>
<integer>0</integer>
<key>ConfigurationGeneration</key>
<integer>2</integer>
<key>DomainSpecificError</key>
<integer>0</integer>
<key>Mode</key>
<integer>1</integer>
<key>SupplicantState</key>
<integer>1</integer>
<key>Timestamp</key>
<date>2010-05-14T08:37:12Z</date>
<key>UniqueIdentifier</key>
<string>[Removed]</string>
</dict>
</plist>
2010/05/14 10:37:12.976795 EAP Request Identity
2010/05/14 10:37:12.976819 EAP Response Identity [Removed, in here there is the Machine name as appears in the SAN of the certificate ]
2010/05/14 10:37:12.976832 Transmit Packet Size 39
Ether packet: dest 0:11:5c:c7:14:90 source f8:1e:df:e4:88:5a type 0x888e
EAPOL: proto version 0x1 type EAP Packet (0) length 35
EAP Response (2): Identifier 1 Length 35
Identity (1)
length 35 - sizeof(*rd_p) 5 = 30
[Removed raw data with the SAN]


2010/05/14 10:37:12.977530 Supplicant (main) status: state=Acquired
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ClientStatus</key>
<integer>0</integer>
<key>ConfigurationGeneration</key>
<integer>2</integer>
<key>DomainSpecificError</key>
<integer>0</integer>
<key>IdentityAttributes</key>
<array>
<string>networkid=[Removed our SSID]</string>
<string>nasid=[Removed our WLANC ID]</string>
<string>portid=29</string>
</array>
<key>Mode</key>
<integer>1</integer>
<key>SupplicantState</key>
<integer>2</integer>
<key>Timestamp</key>
<date>2010-05-14T08:37:12Z</date>
<key>UniqueIdentifier</key>
<string>[Removed]</string>
</dict>
</plist>

2010/05/14 10:37:13.022577 force renew
2010/05/14 10:37:13.025323 stop


* Has anyone been able to use 802.1x TLS based authentication for Snow Leopard clients and can point me in the right direction?
* Does Apple provide any documentation for this? (All I found is that I should contact the "Network Administrator" to get the Mac configured!!!)
* How can I make a certificate issued by a "Private CA" trusted in Snow Leopard? All the workarounds I found are not suitable for Snow Leopard.

Thanks
Jofre

MacBook Pro, Mac OS X (10.6.3)
  • Jofre Level 1 (0 points)
    Hi,
    Some updates: besides the keytools UI issue and the strange logs, it seems that the request is reaching the RADIUS, a Windows IAS Server.

    If we compare a PC and a Mac we have the following.
    PC:
    1 0.000000 IntelCor_c1:49:69 Cisco_c7:14:90 EAPOL Start
    2 0.030210 Cisco_c7:14:90 IntelCor_c1:49:69 EAPRequest, Identity [RFC3748]
    3 0.034350 Cisco_c7:14:90 IntelCor_c1:49:69 EAPRequest, Identity [RFC3748] (Repeated)
    4 0.084879 IntelCor_c1:49:69 Cisco_c7:14:90 EAPResponse, Identity [RFC3748]
    5 0.135258 IntelCor_c1:49:69 Cisco_c7:14:90 EAPResponse, Identity [RFC3748] (Repeated)
    6 0.142715 Cisco_c7:14:90 IntelCor_c1:49:69 EAPRequest, EAP-TLS [RFC5216] [Aboba]
    7 0.196988 IntelCor_c1:49:69 Cisco_c7:14:90 TLSv1 Client Hello
    8 0.213640 Cisco_c7:14:90 IntelCor_c1:49:69 TLSv1 Server Hello, Certificate, Certificate Request, Server Hello Done
    Continues OK

    While on a Snow Leopard they are:
    44 39.196967 Apple_e4:88:5a Cisco_c7:14:90 EAPOL Start
    45 39.201062 Cisco_c7:14:90 Apple_e4:88:5a EAPRequest, Identity [RFC3748]
    46 39.201386 Apple_e4:88:5a Cisco_c7:14:90 EAPResponse, Identity [RFC3748]
    47 39.209543 Cisco_c7:14:90 Apple_e4:88:5a EAPFailure

    After analyzing the network traces we see that the difference is in the 3rd EAP packet:

    PC:
    4 0.084879 IntelCor_c1:49:69 Cisco_c7:14:90 EAP Response, Identity [RFC3748]
    802.1X Authentication
    Version: 1
    Type: EAP Packet (0)
    Length: 40
    Extensible Authentication Protocol
    Code: Response (2)
    Id: 1
    Length: 40
    Type: Identity [RFC3748] (1)
    Identity (35 bytes): host/SAN-NAME01.INTERNALDOMAIN.COM

    Mac Snow Leopard:
    46 39.201386 Apple_e4:88:5a Cisco_c7:14:90 EAP Response, Identity [RFC3748]
    802.1X Authentication
    Version: 1
    Type: EAP Packet (0)
    Length: 35
    Extensible Authentication Protocol
    Code: Response (2)
    Id: 2
    Length: 35
    Type: Identity [RFC3748] (1)
    Identity (30 bytes): SAN-NAME01.INTERNALDOMAIN.COM

    That difference prevents our RADIUS (IAS Server) from authenticating the device properly, with the error:

    User SAN-NAME01.INTERNALDOMAIN.COM was denied access.
    ..
    Policy-Name = <undetermined>
    Authentication-Type = EAP
    EAP-Type = <undetermined>
    Reason-Code = 8
    Reason = The specified user account does not exist.

    while in the PC case we have:
    PC:
    User host/SAN-NAME02.INTERNALDOMAIN.COM was granted access.
    ..
    Policy-Name = Allow Wireless Lan Access With Certificate
    Authentication-Type = EAP
    EAP-Type = Smart Card or other certificate


    * Question 1: Is there a way to ensure that Snow Leopard adds the "host/" at the beginning of the Identity?
    * Question 2: Has anyone been able to connect a Snow Leopard to a WLAN protected with 802.1x using TLS?

    Thanks
    Jofre
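
As an added illustration, not part of the original posts or of any vendor tool: a small Python parser for the EAP-Response/Identity payloads compared in the traces above, which labels whether the machine identity carries the `host/` prefix. The two frames are constructed from the sanitized names in the thread, so their length fields are computed from those strings; the function names are hypothetical.

```python
import struct

EAPOL_TYPE_EAP_PACKET = 0   # "Type: EAP Packet (0)" in the traces
EAP_CODE_RESPONSE = 2       # "Code: Response (2)"
EAP_TYPE_IDENTITY = 1       # "Type: Identity [RFC3748] (1)"

def build_identity_response(eap_id: int, identity: str) -> bytes:
    """Construct the 802.1X payload (after the Ethernet header) for a sample frame."""
    ident = identity.encode("ascii")
    eap_len = 5 + len(ident)            # code, id, length(2), type + identity
    eap = struct.pack("!BBHB", EAP_CODE_RESPONSE, eap_id, eap_len, EAP_TYPE_IDENTITY) + ident
    return struct.pack("!BBH", 1, EAPOL_TYPE_EAP_PACKET, eap_len) + eap

def parse_identity_response(payload: bytes) -> str:
    """Return the identity string from an EAP-Response/Identity, validating lengths."""
    if len(payload) < 9:
        raise ValueError("truncated EAPOL/EAP header")
    _ver, eapol_type, eapol_len = struct.unpack("!BBH", payload[:4])
    code, _eap_id, eap_len, eap_type = struct.unpack("!BBHB", payload[4:9])
    if eapol_type != EAPOL_TYPE_EAP_PACKET:
        raise ValueError("not an EAP packet")
    if (code, eap_type) != (EAP_CODE_RESPONSE, EAP_TYPE_IDENTITY):
        raise ValueError("not an EAP-Response/Identity")
    if eap_len != eapol_len or eap_len < 5 or 4 + eap_len > len(payload):
        raise ValueError("inconsistent length fields")
    # Slice by the EAP length so trailing Ethernet padding is ignored.
    return payload[9:4 + eap_len].decode("ascii", errors="replace")

def classify_machine_identity(identity: str) -> str:
    """Label the identity the way the two traces in this thread differ."""
    if identity.lower().startswith("host/"):
        return "host-prefixed"
    return "bare-name"

# Constructed samples using the sanitized names from the thread.
SAMPLES = {
    "PC": build_identity_response(1, "host/SAN-NAME01.INTERNALDOMAIN.COM"),
    "Mac": build_identity_response(2, "SAN-NAME01.INTERNALDOMAIN.COM"),
}

def report() -> dict:
    """Parse each sample frame and classify its identity."""
    return {name: classify_machine_identity(parse_identity_response(p))
            for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name}: {verdict}")
```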