PEAP Wireless Access for Mac OS X

From: Steven Kane (StevenKane_at_discussions.microsoft.com)
Date: 01/17/05

    Date: Mon, 17 Jan 2005 08:01:07 -0800
    
    

    We are using a Microsoft IAS server as our Radius authority, and are
    attempting to set up PEAP authentication for our wireless network. On a PC,
    the setup seems to work perfectly: the computer sees the wireless network,
    attempts to authenticate, accepts our certificate and the user is prompted
    for their network username and password.

    On a Mac OS 10.3.7 computer, however, the computer sees the wireless network
    and although we specify an 802.1x connection, the Mac does not prompt to
    accept the certificate but rather immediately rejects the computer. This is
    the error that shows up in the Event Log for the IAS server:

    *************************************
    User username was denied access.
     Fully-Qualified-User-Name = GARNET\username
     NAS-IP-Address = 10.10.10.10
     NAS-Identifier = ap
     Called-Station-Identifier = xxxx.xxxx.xxxx
     Calling-Station-Identifier = xxxx.xxxx.xxxx
     Client-Friendly-Name = AP PEAP Test
     Client-IP-Address = 10.10.10.10
     NAS-Port-Type = Wireless - IEEE 802.11
     NAS-Port = 266
     Proxy-Policy-Name = Use Windows authentication for all users
     Authentication-Provider = Windows
     Authentication-Server = <undetermined>
     Policy-Name = Allow Wireless PEAP Access (Test 1)
     Authentication-Type = PEAP
     EAP-Type = <undetermined>
     Reason-Code = 16
     Reason = Authentication was not successful because an unknown user name or
    incorrect password was used.
    *******************************************

    We are using a self-signed certificate, and the goal is to get the Mac to
    prompt users to accept the certificate and then authenticate to our IAS
    server. The Mac does work when we download the certificate, transfer it to
    the computer, and import it into the keychain, but we are trying to avoid
    forcing the user to connect to the wired network before using the wireless
    network.

    If anyone has any suggestions, we would love to hear about them.

