Beginner

EAP TLS - Apple mac is not authenticating

Hi All,

We are trying to implement certificate-based authentication, with ISE as the RADIUS server and a local CA for pushing certificates to clients. Windows laptops are able to authenticate successfully, whereas Apple Macs are not. In ISE we see the error "12521 EAP TLS failed SSL/TLS handshake after a client alert". With the same certificate, Windows is able to connect, which says the certificate chain is good (right?), so why is the Mac not? Based on the error log I assume this is because the client (Mac) is sending a "close alert". Any help or suggestions on how to get this resolved?

1 ACCEPTED SOLUTION


All of my customers push their ISE certificates, root/intermediate/eap, via airwatch as part of the network profile. So it's certainly possible with airwatch/workspace one profiles. Public or private CA, I've found it makes no difference.


5 Replies
VIP Advisor

I've found that in order to get Macs/iPhones to authenticate with EAP-TLS, you have to push the root, intermediate, and the ISE EAP cert directly to the device with the network profile.


Thanks for the information. We are about to try that instead of pushing from AirWatch. ISE has a public CA certificate installed for EAP authentication and other reasons. I will export the complete chain and import it onto a Mac to check. I will update once this is tried.

Even if it works this way, I'm worried how it is possible to do the same for the rest of the org's Mac users.


Many thanks for sharing this information. Just so I understand clearly, you are saying we need to manually push the ISE EAP certificate chain either via MDM or directly onto the Mac? Even if the Mac already has those certificates through earlier authenticated sessions (earlier all were authenticating using PEAP to the same ISE, so it already has the ISE EAP chain certificates, which we can see in Keychain), do we still need to remove them and install them freshly to check? And while installing manually onto the Mac, do we need to choose login or system root? Thanks in advance.


The way I understand Apple configuration profiles, they include certificates (an identity certificate and the root CA certificate of the EAP server(s)) and a Wi-Fi payload. It's a unit on its own and separate from the key store.
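As an added example, not taken from the thread or from any poster's AirWatch/ISE configuration: the Python script below builds the kind of profile the replies describe, with the ISE root, intermediate and EAP-server certificates as certificate payloads and a Wi-Fi payload whose EAP-TLS settings anchor server trust to exactly those payloads. The SSID, server name and organisation identifier are placeholders, the DER bytes in the demo are constructed stand-ins rather than real certificates, and the client identity is assumed to arrive in a separate MDM payload (PKCS#12 or SCEP) that the Wi-Fi payload references by UUID.

```python
"""Build an Apple configuration profile (.mobileconfig) for EAP-TLS Wi-Fi that
carries the RADIUS server's certificate chain and pins the supplicant to it.
Added example; placeholder names are assumptions, not values from the thread."""
import base64
import plistlib
import uuid

EAP_TLS = 13  # EAP method type for EAP-TLS (RFC 5216), used in AcceptEAPTypes

CERT_PAYLOAD_TYPES = ("com.apple.security.root", "com.apple.security.pkcs1")


def pem_to_der(pem_text: str) -> bytes:
    """Strip PEM armour and return the DER bytes a certificate payload expects."""
    body = "".join(
        line.strip() for line in pem_text.splitlines()
        if line.strip() and not line.strip().startswith("-----"))
    return base64.b64decode(body, validate=True)


def _payload(payload_type, identifier, display_name, **extra):
    """Common keys every payload dictionary in a profile must carry."""
    payload = {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
    }
    payload.update(extra)
    return payload


def build_profile(ssid, trusted_server_names, root_der, intermediates_der, eap_der,
                  identity_payload_uuid=None, org="example.org"):
    """Return the profile as XML plist bytes.

    root_der is installed as a trusted root (com.apple.security.root); the
    intermediates and the EAP server certificate go in as plain certificate
    payloads (com.apple.security.pkcs1). All of them are referenced from the
    Wi-Fi payload as trust anchors for the EAP-TLS server handshake.
    identity_payload_uuid (optional) is the UUID of a PKCS#12 or SCEP payload,
    typically delivered by the MDM, that holds the client's identity certificate.
    """
    certs = [_payload("com.apple.security.root", f"{org}.ca.root", "Root CA",
                      PayloadContent=root_der, PayloadCertificateFileName="root.cer")]
    for i, der in enumerate(intermediates_der):
        certs.append(_payload("com.apple.security.pkcs1", f"{org}.ca.int{i}",
                              f"Intermediate CA {i}", PayloadContent=der,
                              PayloadCertificateFileName=f"intermediate{i}.cer"))
    certs.append(_payload("com.apple.security.pkcs1", f"{org}.eap", "RADIUS EAP certificate",
                          PayloadContent=eap_der, PayloadCertificateFileName="eap.cer"))

    eap_config = {
        "AcceptEAPTypes": [EAP_TLS],
        # Only a server chaining to these payloads is trusted; no user prompt.
        "PayloadCertificateAnchorUUID": [c["PayloadUUID"] for c in certs],
        # Must match the subject name on the certificate ISE presents for EAP.
        "TLSTrustedServerNames": list(trusted_server_names),
        "TLSAllowTrustExceptions": False,
    }
    wifi = _payload("com.apple.wifi.managed", f"{org}.wifi", f"Wi-Fi {ssid}",
                    SSID_STR=ssid, HIDDEN_NETWORK=False, AutoJoin=True,
                    EncryptionType="WPA2", EAPClientConfiguration=eap_config)
    if identity_payload_uuid:
        wifi["PayloadCertificateUUID"] = identity_payload_uuid

    profile = _payload("Configuration", f"{org}.wifi.eaptls", "EAP-TLS Wi-Fi",
                       PayloadContent=certs + [wifi])
    return plistlib.dumps(profile)


def load_profile(profile_bytes):
    """Parse profile bytes back into the plist dictionary."""
    return plistlib.loads(profile_bytes)


def anchors_resolve(profile_bytes) -> bool:
    """Sanity check: every anchor UUID in each Wi-Fi payload must point at a
    certificate payload in the same profile, otherwise the supplicant is left
    without a trusted anchor for the server certificate."""
    profile = load_profile(profile_bytes)
    cert_uuids = {p["PayloadUUID"] for p in profile["PayloadContent"]
                  if p["PayloadType"] in CERT_PAYLOAD_TYPES}
    for p in profile["PayloadContent"]:
        if p["PayloadType"] != "com.apple.wifi.managed":
            continue
        anchors = p.get("EAPClientConfiguration", {}).get("PayloadCertificateAnchorUUID", [])
        if not anchors or not set(anchors) <= cert_uuids:
            return False
    return True


if __name__ == "__main__":
    # Constructed stand-in DER bytes; in real use, read the chain exported from
    # ISE, e.g. root = pem_to_der(open("root.pem").read()), and so on.
    demo = build_profile("CorpWiFi", ["ise.example.org"],
                         b"ROOT-DER", [b"INTERMEDIATE-DER"], b"EAP-DER")
    assert anchors_resolve(demo)
    with open("eap-tls.mobileconfig", "wb") as fh:
        fh.write(demo)
```

The names in TLSTrustedServerNames must match the subject of the certificate ISE presents for EAP; if they do not, the Mac rejects the server during the handshake and ISE sees the failure as a client-side alert, which is one of the conditions that produces the 12521 message. anchors_resolve() is the pre-deployment check that the Wi-Fi payload's anchor UUIDs actually reference certificate payloads in the same profile, since a dangling reference silently leaves the supplicant with nothing to trust.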