802.1x with TLS cert based auth - does anyone have a clue?
andrew davidoff
Junior Member
Join Date: Nov 2003
Dec 31, 2004, 12:35 AM
 
Hey guys,

First off, let it be known that I've called AppleCare twice about this issue, and both times I was told by 2nd-level techs that I'd need enterprise-level support to help me out. I don't know about you, but I can't afford that.

For a while now I've been trying to get 802.1x working under 10.3.x. I'm currently running 10.3.7.

Here's the lowdown: where I work we use 802.1x authentication for our wireless network. We auth based off of TLS-capable X.509 certs.

Under Windows you simply import your dot1x user cert (which is TLS capable and signed by our CA), import our CA, configure the wireless network (SSID) to use that cert, and it "just works".

Under 10.3.x (currently 10.3.7) this is what's happening: I have imported my dot1x cert and our CA into both my X509Anchors keychain and the System keychain. I know the CA is installed properly because Safari recognizes certs signed by it, and I can only assume my dot1x cert is installed correctly because I imported it the same way.

If I configure a dot1x connection in Internet Connect I am unable to choose TLS auth, which is what I need. I get the error that I don't have any certs that are capable of doing TLS, but I know my dot1x cert can. Not only is this information available by dumping the cert info with the openssl binary, but I have installed and used this same exact cert, which I created myself (I'm a sysadmin), on a Windows box and it worked.

So I have a few issues, but right now the root issue is this: why does Internet Connect keep telling me I don't have a TLS-capable cert installed? Is it actually searching all keychains, or do I need to create a special one for dot1x?

I can't find documentation on this anywhere, and as stated AppleCare says no one can help me except enterprise-level support, and I don't have, nor will I be able to afford, an enterprise-level service contract.

Any ideas?

Thanks.
andrew davidoff
andrew davidoff  (op)
Junior Member
Join Date: Nov 2003
Jan 4, 2005, 04:29 AM
 
*Bump* to keep it on the 1st page a bit longer. Hopeless, I know.

Andy
jguidroz
Mac Enthusiast
Join Date: Sep 2000
Location: Louisiana
Jan 4, 2005, 10:18 PM
 
Although I use TTLS on my network, I did have TLS working for a while. Of course I did this with my own generated certificates, but all I had to do was copy over a .p12 file I created when creating my client certificate and then double-click on it for it to get added to Keychain Access. After that, I was able to configure TLS support in Internet Connect just fine.

I got my info from http://homepage.mac.com/andreaswolf/public/wpaeap.html

I also have instructions up at http://home.sw.rr.com/jguidroz/radius.html for freeradius, open directory, and EAP-TTLS.
B&W G3/300 OS X 10.3 Server
AL G4/1.5 OS X 10.3
Next computer G5/3.X Ghz OS X 10.x.x
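The two posts above turn on one question: is the certificate the supplicant sees actually usable for EAP-TLS? For that it must carry the TLS Web Client Authentication extended key usage, chain to the CA, and, crucially, be present together with its private key. A .p12 bundle carries the key; a bare .cer/.pem import of the user cert does not, and a cert without its key cannot be offered for TLS client auth. The script below is an added example, not code from the thread or from the linked pages. It uses the openssl command line to build a throwaway test CA and client cert, check those three properties, and export the kind of .p12 jguidroz describes. The CA name, user name and passphrase are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a throwaway test CA plus an
# EAP-TLS client cert, checks the cert is really usable for TLS client auth,
# and bundles cert + private key + CA into a .p12 for import into a keychain.
# "Example Corp", the user name and the passphrase are made up for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch dir; not cleaned up so you can inspect it
P12_PASS="changeit"            # demo only; pick a real passphrase for a real export

# Minimal req config so the example does not depend on the system openssl.cnf.
write_req_config() {
  cat > "$WORK/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Issue a cert from the test CA. $1 = basename, $2 = extendedKeyUsage value.
issue_cert() {
  name="$1"; eku="$2"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" -subj "/CN=$name" 2>/dev/null
  printf 'extendedKeyUsage = %s\nkeyUsage = digitalSignature, keyEncipherment\n' "$eku" \
    > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
}

make_test_pki() {
  write_req_config
  openssl req -x509 -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -subj "/CN=Example Corp dot1x CA" 2>/dev/null
  issue_cert user clientAuth       # what an 802.1X EAP-TLS user cert needs
  issue_cert webserver serverAuth  # a cert a supplicant must not offer
}

# Returns 0 only if: the cert chains to the CA and passes the TLS-client
# purpose check (clientAuth EKU, digitalSignature key usage), the EKU is
# visible in the dump, and the private key really belongs to the cert.
# A cert imported without its key fails the last check, which is the usual
# reason a supplicant reports that no suitable certificate is available.
cert_is_eap_tls_capable() {
  cert="$1"; key="$2"; ca="$3"
  openssl verify -purpose sslclient -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
  openssl x509 -in "$cert" -noout -text | grep -q 'TLS Web Client Authentication' || return 1
  [ -r "$key" ] || return 1
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Bundle cert + key + issuing CA into a PKCS#12 (the .p12 jguidroz imports).
# Prints the path of the bundle.
export_p12() {
  name="$1"
  openssl pkcs12 -export -inkey "$WORK/$name.key" -in "$WORK/$name.pem" \
    -certfile "$WORK/ca.pem" -name "$name dot1x" -passout "pass:$P12_PASS" \
    -out "$WORK/$name.p12"
  printf '%s\n' "$WORK/$name.p12"
}

# SHA-256 fingerprint of a PEM cert, and of the client cert inside a .p12,
# so the round trip through PKCS#12 can be verified.
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }
p12_cert_fingerprint() {
  openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256
}

# Stand-alone run: build the PKI, check the three cases, export the good cert.
make_test_pki
if cert_is_eap_tls_capable "$WORK/user.pem" "$WORK/user.key" "$WORK/ca.pem"; then
  echo "user.pem + user.key: usable for EAP-TLS"
fi
if ! cert_is_eap_tls_capable "$WORK/webserver.pem" "$WORK/webserver.key" "$WORK/ca.pem"; then
  echo "webserver.pem: serverAuth only, a supplicant will not offer it"
fi
if ! cert_is_eap_tls_capable "$WORK/user.pem" "$WORK/missing.key" "$WORK/ca.pem"; then
  echo "user.pem without its private key: cannot authenticate (bare cert import)"
fi
echo "bundle: $(export_p12 user)"
```

The purpose check and the key-match check are the two things worth running on a real user cert before blaming the supplicant. One caveat for anyone reproducing the thread's setup on old software: OpenSSL 3 writes PKCS#12 with AES and PBKDF2 by default, which importers of the Mac OS X 10.3 era do not understand; add `-legacy` to the `openssl pkcs12 -export` line on OpenSSL 3 to get the older 3DES/RC2 encoding.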
andrew davidoff  (op)
Junior Member
Join Date: Nov 2003
Jan 5, 2005, 02:51 AM
 
Originally posted by jguidroz:
Although I use TTLS on my network, I did have TLS working for a while. Of course I did this with my own generated certificates, but all I had to do was copy over a .p12 file I created when creating my client certificate and then double-click on it for it to get added to Keychain Access. After that, I was able to configure TLS support in Internet Connect just fine.

I got my info from http://homepage.mac.com/andreaswolf/public/wpaeap.html

I also have instructions up at http://home.sw.rr.com/jguidroz/radius.html for freeradius, open directory, and EAP-TTLS.
Thank you for the links. This is the first decent documentation I have found. I will look this over and try some more stuff.

Thanks again.
andrew davidoff
jguidroz
Mac Enthusiast
Join Date: Sep 2000
Location: Louisiana
Jan 5, 2005, 12:57 PM
 
Originally posted by andrew davidoff:
Thank you for the links. This is the first decent documentation I have found. I will look this over and try some more stuff.

Thanks again.
andrew davidoff
I know the feeling. It took me a while to track down information on how to set this all up on Mac OS X, so I figured might as well put up the steps that worked for me to help others.
B&W G3/300 OS X 10.3 Server
AL G4/1.5 OS X 10.3
Next computer G5/3.X Ghz OS X 10.x.x
All contents of these forums © 1995-2017 MacNN. All rights reserved.