EAP-TLS for Non-Windows Clients - Wireless
I have the following configuration:
- Server 2003 R2 SP2 Enterprise CA which is our AD
- IAS Server configured with Remote Access Policies configured for EAP
- Windows XP Clients with root certificate installed and using computer
certificates that are automatically enrolled (registry changes implemented as
referred in )
All Windows XP and Vista based clients can connect properly to the EAP-TLS
I'm attempting to configure Active Directory bound Mac clients taking
instructions from  and porting them for use with a Microsoft CA. This
process involves the following:
- Creating a CSR from the Mac
- Visiting the CA web interface (as an admin), choosing 'Advanced request',
then using the CSR with various templates.
- Exporting the cert
- Recompiling the cert on the Mac to join the private key and certificate
- Installing into the Keychain
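The steps above (CSR on the Mac, certificate from the CA, key and certificate joined for Keychain import) can be reproduced with OpenSSL so that the identity carried in the request can be inspected before anything is submitted. The script below is an added example, not from the original post or from the CA's own tooling; the hostname, UPN and passphrase are constructed placeholders, and because no CA is reachable offline the CA-issued certificate is stood in for by a self-signed one built from the same CSR. The point it demonstrates is that the name the RADIUS server must match against an account lives in the Subject Alternative Name, and a CSR only carries that name if the request asks for it. Whether the CA honours it depends on the template: an Enterprise CA template set to build the subject from Active Directory ignores the names in the request, while a template that takes the subject from the request keeps them.

```shell
#!/bin/sh
# Added example: build a CSR whose Subject Alternative Name carries the
# client identity, stand in for the CA, bundle key + cert for Keychain,
# and verify the identity survived. All names are constructed placeholders.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOSTFQDN="${HOSTFQDN:-macclient.example.com}"          # assumed client FQDN
UPN="${UPN:-host/macclient.example.com@EXAMPLE.COM}"   # assumed UPN-style name

# 1. Private key and CSR. The SAN requests both a DNS name and a UPN
#    (Microsoft otherName OID 1.3.6.1.4.1.311.20.2.3).
make_csr() {
    cat > "$WORKDIR/csr.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = ext
prompt = no
[ dn ]
CN = $HOSTFQDN
[ ext ]
subjectAltName = DNS:$HOSTFQDN,otherName:1.3.6.1.4.1.311.20.2.3;UTF8:$UPN
extendedKeyUsage = clientAuth
EOF
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORKDIR/client.key" -out "$WORKDIR/client.csr" \
        -config "$WORKDIR/csr.cnf" 2>/dev/null
}

# 2. Show the SAN exactly as the CA will receive it in the request.
csr_san() {
    openssl req -in "$WORKDIR/client.csr" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# 3. Offline stand-in for the certificate the CA web interface would return:
#    self-sign the CSR, keeping the requested extensions.
issue_stub_cert() {
    openssl x509 -req -in "$WORKDIR/client.csr" -signkey "$WORKDIR/client.key" \
        -days 1 -extfile "$WORKDIR/csr.cnf" -extensions ext \
        -out "$WORKDIR/client.crt" 2>/dev/null
}

# 4. Join private key and certificate into one PKCS#12 file for Keychain import.
bundle_p12() {
    openssl pkcs12 -export -inkey "$WORKDIR/client.key" -in "$WORKDIR/client.crt" \
        -passout pass:changeit -out "$WORKDIR/client.p12"
}

# 5. Read the certificate back out of the bundle and print its SAN, which is
#    what the RADIUS server has to map to an account.
check_p12() {
    openssl pkcs12 -in "$WORKDIR/client.p12" -passin pass:changeit -nokeys 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName | tail -n 1 | sed 's/^ *//'
}

# Usage: run the steps in order; every step reads and writes $WORKDIR.
make_csr
echo "CSR requests:    $(csr_san)"
issue_stub_cert
bundle_p12
echo "Bundle carries:  $(check_p12)"
```

If the SAN printed for the bundle is missing the name you expect, the template rewrote the subject and no amount of RADIUS User-Name rewriting will make the server find the account; the fix is on the CA side (a template that accepts the subject from the request) rather than on the client.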
When attempting to authenticate, I receive the following result in our
User hostname.domainname.com was denied access.
Full-Qualified-User-Name = DOMAIN\hostname.domain.com
--Other RADIUS Data
Reason: The specified user account does not exist
When Windows clients work, they resolve to host/hostname.domainname.com and
I have tried the following approaches to no success:
- Generating CSR and using certificate with a subject of
- Generating an SPN for the computer with the proper name
- Rewriting the User-Name in RADIUS using Connection Request Policies
I think the problem boils down to the lack of association between the CSR
(and cert) and the computer account. Has anybody been able to make
non-Windows (or non domain joined clients) work with EAP-TLS? Any advice?
Thanks in advance for your help.