10.8 Clients Not Connecting To EAP-TLS Wireless With w2k8 NPS

Standard

Earlier today we started to tighten up one of our wireless networks, moving from PEAP to EAP-TLS authentication. In testing on 10.9.x & win7 clients, all worked well. But when deploying the same config profile that connected the 10.9.x clients to a 10.8.x Mac, the device failed to authenticate.

The 10.8.x clients console log didn’t show much information, so I took a look on the NPS servers logs (which are not a pretty sight) & after a time we came to a solution.

Our NPS server is a w2k8 server, as such the logs can most often be found in C:\Windows\System32\LogFiles (for more information configuring these logs, please click here).

For each connection request you’ll see two entries (NOTE: We changed our log files properties format “DTS” as the xml format is the easiest for me to read). The top entry being the log of the “Connection Request Policies” the other, the “Network Policies.”

Each event holds quite a lot of detail, (luckily Microsoft have a TechNet article on how to interpret the logs here).

So in deciphering the logs, we found that the 10.8.x clients were failing with:

This yet again lead us to another TechNet article, which advised the following:

The user account that is specified in the User-Name attribute of the RADIUS message does not exist.

The 10.8.x Mac was bound to the domain & have a valid cert using the Machine template, so the message struck us as being a bit odd. But as the reason code description mentioned “User-Name” attribute we searched the logs for this value.

In each of the logs we found the “User-Name” attribute, below are examples:

10.8.x client:

10.9.x & win7 clients:

So it appears that the 10.8.x clients are passing to “User-Name” their FQDN name, as this value. This  “User-Name”  corresponds with the AD Computer Objects RecordName attribute. If you have a look at this attribute (such as by using Directory Utility), you’ll see that it’s value is in the same format as the attributes passed to the “User-Name” attribute to NPS by 10.9.x & win7 clients.

This now makes sense of the earlier error description.

But how to correct this behaviour?

I played around with separate profiles for the 10.8.x clients, but stumbled across something that the NPS can do itself. Enter “Connection request policies” & it’s option: “Attribute Manipulation.” (This can be found under the “Connection request policies” > Settings > Attributes).

This enables you to take the value of the “User-Name” attribute & manipulate the text string.

We entered the below, after which the resulting connections requests “User-Name” attribute from 10.8.x clients was correctly formatted.

Attribute Manipluation

This has been submitted to Apple under the ID: 16964003.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.