User profile for user: dannyhuber
dannyhuber Author
User level: Level 1
0 points

Mac OS X & 802.1x Machine Authentication to Microsoft AD using PEAP

We are having trouble successfully connecting wirelessly our Active Directory-bound Macs to our internal 802.1x wireless network using EAP-PEAP with machine authentication. All of our Windows machines work fine. We have a network profile built out of JAMF, with some generic payloads configured, including Use Directory Authentication and the appropriate Verisign certificate attached to authenticate to the Cisco Radius Server onsite. We are able to connect to this wireless network when we also have the machine directly connected via Ethernet. Somehow this causes the Mac to pass the correct domainhost\machinename. When we aren't connected directly, the Mac attempts to authenticate with the incorrect domainhost in front of the correct \machinename. The logs from Console are attached below:


Apr 22 13:37:28 MACHINENAME eapolclient[****]: System Mode Using AD Account '(wrongdomain)\machinenameinAD$'

Apr 22 13:37:28 MACHINENAME eapolclient[****]: en0 PEAP: authentication failed with status 1

Apr 22 13:37:28 MACHINENAME eapolclient[****]: peap_request: ignoring non PEAP start frame

Apr 22 13:37:31 MACHINENAME eapolclient[****]: en0 STOP

Apr 22 13:37:52 MACHINENAME eapolclient[****]: opened log file '/var/log/eapolclient.en0.log'

Apr 22 13:37:52 MACHINENAME eapolclient[****]: System Mode Using AD Account '(correctdomain)\machinenameinAD$'

Apr 22 13:37:52 MACHINENAME eapolclient[****]: en0 START

Apr 22 13:37:53 MACHINENAME eapolclient[****]: eapmschapv2_success_request: successfully authenticated


The first, unsuccessful attempt above is when we are attempting to authenticate and connect wirelessly without a connection to ethernet. The 2nd, successful attempt is when are also connected to Ethernet, which passes the correct domain name, properly authenticating the domain\machinename. After reboot, we have to again plug in directly to Ethernet to reauthenticate to this wirelss network. Any idea(s) why plugging into Ethernet would cause the Mac to send the correct domainhost? Thanks.

OS X Mountain Lion (10.8.3)

Posted on Apr 23, 2013 11:10 AM

Reply
3 replies
User profile for user: Clif H
Clif H
User level: Level 1
119 points

Feb 12, 2014 8:50 PM in response to dannyhuber

Hi Danny. Older thread here, but I can confirm 10.8.4 did indeed resolve a very specific bug in circumstances where the netbios name did not match the domain name. We worked with Apple's engineers on resolution for this fix and can confirm that until we got our Macs to 10.8.4, we experienced similar issues with machine-based configuration profiles failing to authenticate as a result of incorrectly passing the wrong domain.

Glad you found resolution with a later version of the OS.


Reference: http://lists.psu.edu/cgi-bin/wa?A2=MACENTERPRISE;Zrq7fg;201303271647570400

Reply

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

Mac OS X & 802.1x Machine Authentication to Microsoft AD using PEAP

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up