I cannot get machine-based authentication to work on macOS devices. This is using my RADIUS server. The RADIUS server does not accept the machine certificates.
It is fine on Windows and fine with user authentication.
Just wondering if anyone else has had similar issues?
Apple is outside my area.
Start with your RADIUS server log. Does it say it has permitted the connection?
If it denied the connection - what reason has it logged?
If it permitted the connection then turn your attention to the iOS device.
What error is the iOS device permitting? Does it need a root certificate installed to trust your RADIUS server certificate?
Hi @PhilipDAth
It looks like I have the same issue as discussed in https://community.meraki.com/t5/Wireless-LAN/Windows-Radius-vs-Meraki-Radius-with-Win-7-Win-10-macOS...
There you suggest the Sentry Wi-Fi solution; however, would this not be encrypted over the air?
Using EAP-TLS I get the same issue where the certificate is not accepted on the macOS devices and the user is prompted for login credentials.
Ideally we would like both macOS and Windows devices on the same SSID, authentication by machine with no need to enter credentials each time.
Is there an accepted solution?
I'm not sure this is possible. I solved this by authenticating the "user" AND the "MAC address" of the device in RADIUS.
You may want to take a look at this thread: https://community.meraki.com/t5/Wireless-LAN/iOS-and-WPA2-with-Radius-Authentication/m-p/58804#M8834
-John
I am clearly not an Apple expert! Sorry, I failed to specify this is macOS devices, not iOS devices. I have now updated the post. Thanks for your help though!
I think it will be particularly tricky to do machine-based authentication for Mac devices.
I suspect you will need to deploy certificates to the Mac machine accounts somehow, and use certificate based authentication.
https://support.apple.com/guide/mdm/shared-ipad-and-8021x-networks-mdm19659e20e/web
I think this should tackle the certificate deployment.