EAP-TLS error on Apple OSX

Hi,

 

I am trying to authenticate OSX clients with EAP-TLS on WiFi. 

ISE and OSX have certificates from different issuing-certificate-servers but they share root-server.

ISE is in domain.com and OSX in sub.domain.com

 

The error I am getting in ISE is "12521 EAP-TLS failed SSL/TLS handshake after a client alert". My best guess is that OSX doesn't trust ISE, but I can't figure out what settings I have to do to get it to work.

We are using a MDM tool to deploy profiles to the OSX devices.

Have any of you got info on what settings I have to do in OSX for it to trust ISE that has RADIUS-cert from another cert-server?

 

Regards

Philip

1 Accepted Solution

Damien Miller
VIP Alumni
On the same thought train as hslai here. You mention an MDM; most of my clients use AirWatch with their Apple devices. Part of the network profile provisioning includes pushing the root and intermediate certs down to the endpoints. In the case of iPhones, for some reason we have also had to push the server cert ISE uses; not sure why, but it seemed hit or miss.

2 Replies

hslai
Cisco Employee

Have any of you got info on what settings I have to do in OSX for it to trust ISE that has RADIUS-cert from another cert-server?


In case of ad-hoc connections, macOS should have prompted the users to trust the certificate(s). For non-ad-hoc, a MDM usually is used to provision the trust and you would need to consult the admin guide of the MDM product.

For my own testing, I am using Apple Configurator 2 to create a configuration profile, which may contain the certificate chain used by ISE and explicitly trusted for a network payload.
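
Added example, not part of any poster's reply: a Python check that a configuration profile carries the ISE certificate chain and marks it as trusted for the EAP-TLS network payload, which is the setup described above. The payload keys are Apple's Wi-Fi and certificate payload keys; the UUIDs, SSID and the server name ise.domain.com are constructed sample values.

```python
import plistlib

CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1",
              "com.apple.security.pem"}

def audit_wifi_trust(profile_bytes):
    """Return trust findings for every EAP-TLS Wi-Fi payload in a .mobileconfig."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    # UUIDs of the certificate payloads shipped inside this same profile.
    cert_uuids = {p.get("PayloadUUID") for p in payloads
                  if p.get("PayloadType") in CERT_TYPES}
    findings = []
    for p in payloads:
        if p.get("PayloadType") != "com.apple.wifi.managed":
            continue
        eap = p.get("EAPClientConfiguration", {})
        if 13 not in eap.get("AcceptEAPTypes", []):  # 13 = EAP-TLS
            continue
        ssid = p.get("SSID_STR", "<no SSID>")
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors:
            findings.append(f"{ssid}: no trusted certificates selected")
        for uuid in anchors:
            if uuid not in cert_uuids:
                findings.append(f"{ssid}: anchor {uuid} is not in the profile")
        if not eap.get("TLSTrustedServerNames"):
            findings.append(f"{ssid}: no trusted server names set")
    return findings

def sample_profile(anchors, names):
    """Constructed profile: root + issuing CA payloads and one EAP-TLS network."""
    root = {"PayloadType": "com.apple.security.root",
            "PayloadUUID": "ROOT-CA", "PayloadContent": b"constructed"}
    issuing = {"PayloadType": "com.apple.security.pkcs1",
               "PayloadUUID": "ISE-ISSUING-CA", "PayloadContent": b"constructed"}
    wifi = {"PayloadType": "com.apple.wifi.managed", "PayloadUUID": "WIFI",
            "SSID_STR": "corp-wifi", "EncryptionType": "WPA2",
            "EAPClientConfiguration": {"AcceptEAPTypes": [13],
                                       "PayloadCertificateAnchorUUID": anchors,
                                       "TLSTrustedServerNames": names}}
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": [root, issuing, wifi]})

if __name__ == "__main__":
    good = sample_profile(["ROOT-CA", "ISE-ISSUING-CA"], ["ise.domain.com"])
    print(audit_wifi_trust(good))                     # chain anchored
    print(audit_wifi_trust(sample_profile([], [])))   # nothing trusted
```

Run it against the profile exported from the MDM before it is pushed; an empty list means every anchor the Wi-Fi payload references is present in the same profile.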
