Jagdeep Gambhir
Level 10

Windows client authenticates fine for EAP-TLS/Machine authentication, but the Macintosh client does not.

Background:
The issue is that the Windows client prepends "host/" to the name on the certificate and the Macintosh client does not.

Macintosh client failed authentication log on ACS:
02/16/2011  07:28:53  Authen failed  xyz.domain.com Default Group  External user not found

Windows Client:
02/17/2011  07:29:52  Authen OK  host/xyz.domain.com Network-Switch.

How to configure Mac OS to work using EAP-TLS.
To make it work, the cert should have:

The CN  as host/computername@domainname
The SAN as DNS=computername@domainname

The two names have to be different, as shown above. To make this work we need the CN with the host/ prefix and the SAN name without the host/.

If we just used the existing ‘machine’ template in the Microsoft CA server and changed the CN name, we would not get any SAN name at all.

--> By default, a CA that is configured on a Windows Server 2003-based computer does not issue certificates that contain the SAN extension. If SAN entries are included in the certificate request, these entries are omitted from the issued certificate.

To get the SAN attribute in the certificate, we need to run the following commands at a command prompt on the server that runs the Certification Authority service.

Press ENTER after each command.

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

--> Then generate and import a certificate that has the correct names.
--> Set up the ACS to use the SAN name for the comparison and the “outer identity” as the username.


Reference Doc

http://support.microsoft.com/kb/931351

Regards,

~JG
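The following is an added example, not part of the original post and not Cisco or Microsoft tooling: it uses OpenSSL to build a test certificate with the name pairing described above (CN carrying the host/ prefix, SAN DNS name without it, using the xyz.domain.com name from the log lines), then checks the issued certificate the way an administrator should before loading it on the Mac, so that a CA that silently dropped the SAN (the behaviour the KB article describes) is caught. The self-signed step stands in for the CA signature; the file names and the check_names helper are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a self-signed test
# certificate whose CN carries the "host/" prefix and whose SAN does not,
# then checks that the issued certificate really kept the SAN extension.
# In production the CA signs the CSR; the self-signed step is a stand-in.
set -eu

HOSTNAME_FQDN="xyz.domain.com"          # machine name from the ACS log in the post
WORKDIR="${WORKDIR:-$(mktemp -d)}"      # scratch directory for key, CSR and certs

# Write an OpenSSL request config: CN=host/<fqdn>, SAN DNS:<fqdn>
write_conf() {
    cat > "$WORKDIR/machine.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[ dn ]
CN = host/$HOSTNAME_FQDN
[ v3_req ]
subjectAltName = DNS:$HOSTNAME_FQDN
extendedKeyUsage = clientAuth
EOF
}

# Generate a key and a CSR that carries the SAN, then a self-signed cert
# that keeps the request extensions (what a correctly configured CA issues)
make_cert() {
    write_conf
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORKDIR/machine.key" -out "$WORKDIR/machine.csr" \
        -config "$WORKDIR/machine.cnf" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORKDIR/machine.csr" \
        -signkey "$WORKDIR/machine.key" -out "$WORKDIR/machine.crt" \
        -extensions v3_req -extfile "$WORKDIR/machine.cnf" 2>/dev/null
    echo "$WORKDIR/machine.crt"
}

# Sign the same CSR without passing the extensions, mimicking a CA that
# omits the SAN entries from the request (the Windows Server 2003 default)
make_cert_without_san() {
    openssl x509 -req -days 1 -in "$WORKDIR/machine.csr" \
        -signkey "$WORKDIR/machine.key" -out "$WORKDIR/plain.crt" 2>/dev/null
    echo "$WORKDIR/plain.crt"
}

# Print the CN of a certificate (RFC2253 form keeps the "/" unescaped)
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Print the first DNS SAN of a certificate; empty if the CA stripped it
cert_san_dns() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | sed -n 's/.*DNS:\([^,[:space:]]*\).*/\1/p' | head -n 1
}

# Verify the pairing the post requires: SAN == CN without the "host/" prefix.
# Prints "ok", "missing-san" or "mismatch:<cn>:<san>".
check_names() {
    cn=$(cert_cn "$1")
    san=$(cert_san_dns "$1")
    [ -n "$san" ] || { echo "missing-san"; return 1; }
    [ "${cn#host/}" = "$san" ] || { echo "mismatch:$cn:$san"; return 1; }
    echo "ok"
}

CERT=$(make_cert)
check_names "$CERT"                 # prints "ok"
PLAIN=$(make_cert_without_san)
check_names "$PLAIN" || true        # prints "missing-san"
```

Run check_names against the certificate actually returned by the CA (exported in PEM form) before importing it on the Mac; a "missing-san" result means the EDITF_ATTRIBUTESUBJECTALTNAME2 flag was not applied or certsvc was not restarted, and ACS will keep logging "External user not found" because it has no SAN to compare.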

Comments
esink4601
Level 1

I realize I'm posting on a 5 year old thread, but this is the only thing I've come across that meets my needs.

It makes sense to me that the CN on the cert must have host/ in it, but how do I configure the CA to hand out a cert with that string prefixing the rest of it?

Is this something that I have to do in Active Directory, or maybe when I bind the Mac to AD?
