EAP-TLS for Non-Windows Clients

Discussion in 'Wireless Networking' started by Dallas512, Aug 4, 2008.

    I have the following configuration:

    - Server 2003 R2 SP2 Enterprise CA which is our AD
    - IAS Server configured with Remote Access Policies configured for EAP
    - Windows XP Clients with root certificate installed and using computer
    certificates that are automatically enrolled (registry changes implemented as
    referred in [1])

    All Windows XP and Vista based clients can connect properly to the EAP-TLS
    wireless network.

    I'm attempting to configure Active Directory bound Mac clients taking
    instructions from [2] and porting them for use with a Microsoft CA. This
    process involves the following:

    - Creating a CSR from the Mac
    - Visiting the CA web interface (as an admin), choosing 'Advanced request',
    then using the CSR with various templates.
    - Exporting the cert
    - Recompiling the cert on the Mac to join the private key and certificate
    - Installing into the Keychain

    When attempting to authenticate, I receive the following result in our
    RADIUS applog:

    User hostname.domainname.com was denied access.
    Full-Qualified-User-Name = DOMAIN\hostname.domain.com
    --Other RADIUS Data
    Reason: The specified user account does not exist

    When Windows clients work, they resolve to host/hostname.domainname.com and
    authenticate okay.

    I have tried the following approaches to no success:

    - Generating CSR and using certificate with a subject of
    host/hostname.domainname.com
    - Generating an SPN for the computer with the proper name
    - Rewriting the User-Name in RADIUS using Connection Request Policies

    I think the problem boils down to the lack of association between the CSR
    (and cert) and the computer account. Has anybody been able to make
    non-Windows (or non domain joined clients) work with EAP-TLS? Any advice?

    Thanks in advance for your help.

    References:
    [1]
    http://technet2.microsoft.com/windo...c951-48ce-8235-02f4ed8e74921033.mspx?mfr=true
    [2] http://www.felipe-alfaro.org/blog/2006/01/29/wpa2-eap-tls/
     
    Dallas512, Aug 4, 2008
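
One detail the post leaves implicit is how the RADIUS server ties a presented certificate to an account: the autoenrolled Windows computer certificates it mentions carry the machine's DNS name in the certificate's subjectAltName (dNSName) and the Client Authentication EKU, whereas a CSR built by hand on another platform usually carries only a Subject. The script below is an added example, not code from the original post or from either of the referenced guides. It builds a CSR with those fields using OpenSSL, checks that they are present before the request is submitted to the CA, and joins the issued certificate with its key into a PKCS#12 bundle for import. `hostname.domainname.com` is a placeholder for the machine's AD DNS name, and the output directory is whatever the caller supplies.

```shell
#!/bin/sh
# Added example (not from the original post): build a machine client-certificate
# CSR on a non-Windows host carrying the identity fields a Windows "Computer"
# template certificate carries, so the RADIUS server has something to map to the
# computer account. hostname.domainname.com and the output directory are
# placeholders chosen by the caller.

# make_machine_csr <fqdn> <outdir>
# Writes <outdir>/machine.key and <outdir>/machine.csr. Both the subject CN and a
# subjectAltName dNSName are set to the FQDN; extendedKeyUsage is clientAuth,
# which EAP-TLS servers require on the client certificate.
make_machine_csr() {
    fqdn="$1"
    outdir="$2"
    mkdir -p "$outdir"
    cat > "$outdir/csr.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = ext
prompt             = no

[ dn ]
CN = $fqdn

[ ext ]
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectAltName   = DNS:$fqdn
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$outdir/machine.key" -out "$outdir/machine.csr" \
        -config "$outdir/csr.cnf" 2>/dev/null
}

# csr_has_dns_san <csrfile> <fqdn>: succeeds if the CSR carries DNS:<fqdn> in its SAN.
# Run this before submitting the request; a CSR that fails here will yield a
# certificate the server cannot map to the machine account.
csr_has_dns_san() {
    openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# csr_has_client_auth <csrfile>: succeeds if the CSR requests the clientAuth EKU.
csr_has_client_auth() {
    openssl req -in "$1" -noout -text | grep -q "TLS Web Client Authentication"
}

# bundle_p12 <key> <issued-cert> <out.p12> <password>
# Once the CA has issued the certificate, rejoin it with the private key; the
# resulting .p12 is what gets imported into the client's certificate store.
bundle_p12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4"
}
```

Usage: `make_machine_csr hostname.domainname.com ./out`, confirm with `csr_has_dns_san ./out/machine.csr hostname.domainname.com`, submit `machine.csr` to the CA, then `bundle_p12 ./out/machine.key ./out/machine.cer ./out/machine.p12 'import-password'`. The SAN must match the computer account's DNS name exactly as AD knows it, and the account must exist, otherwise the server still logs a denial.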