Viewing 6 posts - 1 through 6 (of 6 total)
  • #375299
    Jtopoleski
    Participant

    It always seems that when you try to do things the right way, everything conspires against you. In this situation it's 802.1x.

    We just got in a 25 MacBook laptop cart (+ Airport Extreme) and trying to get 802.1x configured on these machines is making me want to kill. We set up the RADIUS server, the Airport is seeing it fine, but I can't for the life of me get it to work right on these machines and there is so little 802.1x info out for Leopard I am at my wits' end. To start it off we have all the most recent updates for 10.5.6.

    What's going on is that on our PC laptops, they see the wireless, authenticate to 802.1x using their domain credentials, then upon login pass on to the user credentials.

    On the Macs, this is not happening even with them being joined to the domain. I used the login window profile thinking this would be what I needed, but even with the certificate added to login AND system keychains, I still get

    Your computer cannot access the secure network. The 802.1x authentication server’s certificate is not trusted. Contact your network administrator for more information.

    This becomes a major issue because unless the account is created connected to ethernet, I cannot create an account since it's not joined to the wireless at login. Likewise because of this they are not seeing Open Directory and thus not getting management commands on login, nor is Kerberos being configured correctly on login, since they are not seeing AD and are getting their info from the stored mobile account, so while it usually works it fails just as often.

    What am I doing wrong, or is it something on our backend that I need to have fixed?

    To compound this, when I do log in, we are even having some issues with the user profile created for the person. Wireless is almost always getting a self-assigned IP unless I turn off then turn on AirPort, and despite having the info stored to the profile it occasionally will ask for the username and password for 802.1x anyway.

    edit: meant to add, yes the certificate added to both login and system is completely trusted, and was taken directly from the certificate store, which is another interesting thing I noticed: if I got a cert upon joining 802.1x it only lasted a month, but the cert actually on the server lasts till 2013.

    #375330
    cidboy
    Participant

    We have the same problem here. The certificate is trusted and under system in keychain. We don’t know how to make it work either. We always get the popup message on the login window that says that the certificate is not trusted.

    If someone can help it would be life saving. 😐

    #375331
    Jtopoleski
    Participant

    My rep gave me a contact at Apple and we are trying to get to the bottom of it now, I’ll let you know what we figure out.

    #375384
    ingenious7
    Participant

    I had this same problem. When I set it to always trust it worked fine.

    #375892
    tegbains
    Participant

    I hate saying this, but it’s Apple’s fault in the way they played around with FreeRADIUS in 10.5 server.

    I believe that in order to use 802.1X easily Apple is using TTLS, which means your server needs a certificate. If you use a self-signed cert, then your Mac clients will, correctly, not trust it. So you go and buy a certificate. Download it and install it into the System keychain on your server. The web server sees it. But RADIUS will sometimes have a spazz over the certificate. And even with a trusted cert, your clients can still complain if the certificate chain didn’t get installed correctly on the server with RADIUS.

    If you add the certificate to the System keychain manually on your Mac laptops and tell it to always trust the cert, then it will make your life easy. Not the correct way to do it, but…

    Or use Electron’s Radius server…
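
The two trust failures discussed in the post above (a CA-issued certificate whose chain is not fully installed on the RADIUS server, and a self-signed certificate the client has not been told to trust) can be reproduced offline with openssl. This is an added example, not part of the original thread: every certificate and name in it (`radius.example.test`, `mkcert`, `chain_check`) is constructed for illustration, and `-untrusted` stands in for the extra certificates the server sends during the TLS handshake.

```shell
#!/bin/sh
# Added example. All keys and certificates are constructed in a temp directory;
# the names are placeholders, not values from the thread.
W=$(mktemp -d) || exit 1

# mkcert PATH CN ISSUER_PATH|self CA_FLAG : create a throwaway 30-day certificate
mkcert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
  printf 'basicConstraints=critical,CA:%s\n' "$4" > "$1.ext"
  if [ "$3" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 \
      -extfile "$1.ext" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" \
      -CAcreateserial -days 30 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
  fi
}

# chain_check ANCHOR LEAF [SENT_BY_SERVER]
# ANCHOR is what the client trusts; SENT_BY_SERVER is what the RADIUS server
# presents alongside its own certificate. Returns 0 only if LEAF validates.
chain_check() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1 | grep -q ': OK$'
  else
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
  fi
}

verdict() { if chain_check "$@"; then echo trusted; else echo "NOT trusted"; fi; }

mkcert "$W/root"       "Constructed Root CA"            self      TRUE
mkcert "$W/inter"      "Constructed Intermediate CA"    "$W/root"  TRUE
mkcert "$W/radius"     "radius.example.test"            "$W/inter" FALSE
mkcert "$W/selfsigned" "radius-selfsigned.example.test" self      TRUE

echo "CA-issued cert, intermediate missing on server: $(verdict "$W/root.pem" "$W/radius.pem")"
echo "CA-issued cert, full chain sent by server:      $(verdict "$W/root.pem" "$W/radius.pem" "$W/inter.pem")"
echo "self-signed cert, client trusts only the CA:    $(verdict "$W/root.pem" "$W/selfsigned.pem")"
echo "self-signed cert, explicitly trusted on client: $(verdict "$W/selfsigned.pem" "$W/selfsigned.pem")"
openssl x509 -in "$W/radius.pem" -noout -subject -enddate   # identity and expiry
```

The last command prints the subject and expiry of the certificate that was checked, which is the quickest way to confirm which certificate is actually being examined when its lifetime differs from the one expected.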

    #375895
    ingenious7
    Participant

    I did purchase a certificate, but had major problems getting it installed to the server. I didn’t realize you had to install the cert to the local server system keychain. I was trying to install it from Server Admin. I’ve since put the certificate to good use on my Ubuntu Apache Moodle server.

    I have had no problems using a self-signed certificate with the RADIUS server, except for when I forgot to set the trust correctly.
