Solved: No Radius Accounting Session For Mac
Hi Everyone, I'm seen exact the same behaviour. There is no accounting when I'm using server-derived roles.
Welcome to my tale of woe. I've been struggling to get this working properly in order to roll it out to our Mac laptops. In a nutshell, Macs running Mountain Lion are bound to Active Directory. Then they are enrolled into Apple's Profile Manager. The mobile profile contains the info needed to obtain a machine certificate from the Enterprise CA (Server 2008 R2 Enterprise) and configure Wireless and Wired interfaces for 802.1X machine authentication. At this point I have a Mac with a machine certificate from the Active Directory CA.
Unfortunately 802.1X still doesn't work. Opening up System Preferences Network and clicking on the Connect/Disconnect button by the 802.1X configuration a couple times will get the Mac to bring up a prompt to select the certificate and enter a username.
I select the certificate machine certificate obtained from AD and enter COMPUTERNAME$ as the username. And now the Mac authenticates and gets and IP address. Great, but my troubles don't end here.
If the Mac is rebooted I have to log in under a network account, go to System Preferences Network and hit the connect/disconnect button again. Then I can log off the local account and network users can login. I opened Keychain Access and found that entries for the wired and wireless networks were created showing COMPUTERNAME$ as the username.
Ah ha I thought to myself! I copied these entries from the login keychain to System keychain, crossed my fingers and rebooted. Same problem. I'm also noticing that authentication seems to fail and the Mac loses it's IP address. Back to the Connect/Disconnect routine in System Preferences Network. Anyone out there dealing with this and having success?
It seems like I'm so close to having this working. We have 802.1X working with user/pass, but we want to do machine authentication with certificates instead. I did get it figured out.
Solved: No Radius Accounting Session For Mac Pro
I needed to create a new certificate template on the Enterprise CA and have the CA put the computer's UPN into the certificate issued to the Mac. After that, 802.1X authentication worked as expected on Ethernet. Then we discovered our wireless controller issuing a self signed cert and the Macs weren't trusting it. Outer network admin is replacing it with a cert signed by the Windows CA over the weekend, hopefully that will be the end of this and can roll it out inQ1 2013. Here's the article that got me pointed in the right direction. We have 802.1X working with user/pass, but we want to do machine authentication with certificates instead.
I did get it figured out. I needed to create a new certificate template on the Enterprise CA and have the CA put the computer's UPN into the certificate issued to the Mac. After that, 802.1X authentication worked as expected on Ethernet. Then we discovered our wireless controller issuing a self signed cert and the Macs weren't trusting it. Outer network admin is replacing it with a cert signed by the Windows CA over the weekend, hopefully that will be the end of this and can roll it out inQ1 2013. Here's the article that got me pointed in the right direction. Hi AndrewZ, I know this is an old thread, but did you ever this this going?
I'm running into a similar challenge. I've got a new AD certificate template created, and it is putting the in there correctly. I can see it in the 'Subject Alternative Name' area when I view the certificate in Keychain Access on the Mac. The Mac is also trusting my RADIUS server. The issue I'm running into seems to be something with my RADIUS server, which is a Meru Networks Identity Manager (IDM) virtual appliance. It appears to somehow be sending the as a username instead of a computer name, and AD can't find that 'user'.
What RADIUS server are you using? Or are you using something built-in to your wireless controller? We're using Aruba wireless. I did get it working, but getting it deployed is still on hold for lack of a Mac managment solution. Not relevant though.:) My Certificate Authority is a Windows Server 2008 R2 Enterprise server. RADIUS is also running on Windows (I think Microsoft calls it Network Policy Server or NPS, or something like that.
Anyway, RADIUS is on Windows.) is the username you should be passing to Windows if domain.com is the name of your Active Directory. If your AD is corp.domain.local you would want in the SAN on the certificate. Also make sure you're getting the CA's public key installed into the System Keychain on your Mac. If you're CA is a Windows server you should be able to get that by going to and downloading the public key served up through the site. Hope that helps.
Thanks, AndrewZ! I followed Mike Boylan's article (the afp548 web site listed above), and have been working with him as well. We do have a separate internal domain name, and the 'domain.com' name I gave above was just an example. It's actually the internal AD domain name, not the external DNS domain name. I'm using Apple Profile Manager on a Mountain Lion server to create a.mobileconfig file, which is then imported onto a (Mountain) Lion client. The AD certificate gets installed with no problem, as does the certificate from the RADIUS server.
(Our RADIUS server is a Meru Networks Identity Management (IDM) virtual appliance.) When I look at the certificate in Keychain Access, the Subject Alternative Name field is present and shows correctly (computername$@local-ad-domainname). But somehow, the Meru RAIDUS server isn't passing that name through properly to AD, and AD thinks it's receiving a username instead of a computer name. Out of curiosity, what type of wireless system are you using? We're using Aruba.
The Meru IDM is not vendor-specific, i.e. It can interface with many different wireless vendors (including their own, of course). One thing that it does is, based on what group a user belongs to, it places the user into a specific role on the Aruba controller, which then defines what firewall policies are assigned to it. For example, students (we're a school district) get placed into a role with less access than staff. Can Windows NPS do that as well? I haven't seen anything like that in NPS, but I haven't experimented with it very much, either. If it could do that, perhaps I could just use that and forget the Meru IDM altogether?
I believe Windows NPS can do what you're trying to do, though I don't know how off the top of my head. We're all Cisco for wireless and wired switches. You do need a Windows Server 2008 R2 Enterprise Edition to run the Certificate Authority for the all Windows solution. Not sure if you can do it in Server 2012 Standard or if you need Datacenter. (No more Enterprise edition in Server 2012.) Eventually we'll get this rolled our to the Macs and start doing authentication for the wired network.
I need to fix SCEP on the CA to get the Cisco APs proper certificates before the Macs will authenticate with them. Currently the Cisco APs are using self signed certs with no CA signature. Windows doesn't seem to care, but the Macs do. (sigh.) I found Profile Manager to be unsuitable for our needs, it's really a BYOD solution as I need to do more management than just the 802.1X profile.
Trying to get Casper Suite approved, but might get stuck with Absolute Manage due to cost and other pressures. I'm not liking Absolute Manage myself and it takes a workaround to get 802.1X working. (Bug confirmed by support, sigh again) and forces a Mac server into our infrastructure that isn't setup to deal with Mac servers. (sigh yet again.). Will 2008 (not R2) Enterprise work? We have 3 domain controllers in our environment: A 2008 Standard, a 2003 Enterprise, and a 2008 Enterprise (32-bit, not R2). The 2003 server houses all of the FSMO roles.
The 2008 server was set up originally just to be a 3rd domain controller (it was originally Standard as well), but we upgraded it to Enterprise so it could be a CA. I'm trying out NPS right now to see how it works out. I've seen a few articles on the Aruba Airheads discussion forum, too, so maybe those will help. DavidCSG wrote: @ AndrewZ: in terms of a Mac management solution, get Apple Remote Desktop on your Mac workstation, no? Only $80.00 from the App Store, and well worth it. Other than that - if Casper doesn't happen, I'd be curious to hear (not here in this thread per se) how/why Absolute isn't working for you.
Otherwise, what about Munki in a VM? Apple Remote Desktop only does so much. All of the computers in our environment are laptops, so they roam around and connect via VPN a lot. Beyond a somewhat reliable remote support tool it didn't meet the needs.
Casper has been up and running since November. In testing of Absolute I discovered a bug in their implementation of Profile Manager where it would not apply the certificate obtained from ADCS to the 802.1x profile.
I'm told this was fixed thanks to my bug report, but the fix came in after we made our Casper purchase. While working with Absolute support they asked me to export the private key for my CA and add it to Absolute. I them why that was a horrible idea to compromise my CA in that fashion. Needless to say I was not impressed. There were other security factors in the decision not to go with Absolute as well. (Custom database attributes to setup Filevault 2 and escrow the key, where Casper had that built in and properly encrypts the escrow keys, etc.
Various reports needed by our Security & Compliance officers that are built in in Casper but require custom attributes in Absolute.) Casper cost more but saves more time in man hours required. As for Munki, I considered it, but again ran into the time issue. We don't have any. Looked like lots of devops work would be needed to get what we needed out of Munki/Puppet/whatever. Seb8625 wrote: @AndrewZ So what do you actually have setup in NPS? Connection Policy Request / Settings tab / Authentication methods Network Policy / (used policy) /Condition tab Network Policy / (used policy) / Constrains tab / Authentication methods From the error I am getting it does not even get as far as Network Policy Seb Connection Policy Request / Settings tab / Authentication methods Nothing set here, not overriding the network policy.
Using Network Policies. Network Policy / (used policy) /Condition tab Condition NAS Port Type Ethernet. Network Policy / (used policy) / Constrains tab / Authentication methods Authentication Methods: Microsoft: Smart card or other certificate. Edit option, select Public cert of the NPS server, not AD CA. That's it for policy other than configuring the WAPs to check the RADIUS (NPS) server. And if I configure CRP without override then I get: Authentication Details: Connection Request Policy Name: NAP 802.1X (Wireless) Network Policy Name: SP-Internal Mac Authentication Provider: Windows Authentication Server: DNS server name Authentication Type: EAP EAP Type: Microsoft: Smart Card or other certificate Account Session Identifier: - Logging Results: Accounting information was written to the local log file. Reason Code: 23 Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP).
Check EAP log files for EAP errors.