Wired EAP-TLS Problems

Similar Messages

• EAP-TLS problems with Cisco AP541N and Server 2008 NPS

  Hi,
  I want to use EAP-TLS with my shiny new certificates issued by my new Windows CA, and what happens? Nothing works.
  I don't have a clue what I should do. I try to establish a EAP-TLS connection using my Windows CE mobile device, but my cisco AP541N logs this:
  Oct 18 15:42:58
  info
  hostapd
  wlan0: STA 00:17:23:xx:xx:xx IEEE 802.1X: Supplicant used different EAP type: 3 (Nak)
  Oct 18 15:42:58
  warn
  hostapd
  wlan0: STA 00:17:23:xx:xx:xx IEEE 802.1X: authentication failed - identity 'XXXXXX' EAP type: 13 (TLS)
  Oct 18 15:42:58
  info
  hostapd
  The wireless client with MAC address 00:17:23:xx:xx:xx had an authentication failure.
  NPS logs this:
  Name der Verbindungsanforderungsrichtlinie: Sichere Drahtlosverbindungen 2
  Netzwerkrichtlinienname: XXXXXX
  Authentifizierungsanbieter: Windows
  Authentifizierungsserver: XXXXX
  Authentifizierungstyp: EAP
  EAP-Typ: -
  Kontositzungs-ID: -
  Protokollierungsergebnisse: Die Kontoinformationen wurden in die lokale Protokolldatei geschrieben.
  Ursachencode: 22
  Ursache: Der Client konnte nicht authentifiziert werden, da der angegebene EAP (Extensible Authentication-Protokoll)-Typ vom Server nicht verarbeitet werden kann.
  I'm sorry it's german, but the gist is: The server can't process the authentication with the specified EAP type, which should be EAP-TLS.
  I think the NAK answer in my cisco AP logs is the problem. Well, not the problem, since it is the standard procedure in the EAP request / challenge, I think, but somebody messes up with it.
  Did anybody encounter something like this before? Or just knows what to do?
  Thanks in advance
  Lenni

  Joe:
  Having NPS, you have the options to configure PEAP-MSCHAPv2 or EAP-TLS.
  EAP-TLS: mandates a certificate on the server as well as a certificate on every single machine for authentication purposes.
  PEAP-MSCHAPv2: mandates a certificate on the server only. Users connecting to the wireless network must trust the certificate (or, user devices can be configured to escape this trust and connect even if the server cert is not trusted).
  for PEAP-MSCHAPv2, Your options are:
  - Buy a certificate for the server from a trusted party (Verisign for example [which was bought later by Symantec]). This way all devices will - by default - trust the server's cert.
  - Install local CA. Install a cert on the server and then push the root CA cert for your CA to all client device so they trust this issuer.
  - If both up options are not valid for you, what you can do is to configure every single client to ignore the untrusted cert and proceed with the connectoin. (This is a security concern though. not recommended unless really needed).
  You must get a cert on the server and all clients must trust that certificate's issuer. Otherwise you'll not be able to user PEAP.
  HTH
  Amjad
  Rating useful replies is more useful than saying "Thank you"

• ACS 3.3 for windows - Win AD and eap-tls problem

  Hi,
  I have a problem with an ACS to authenticate users with certificate on MS AD.
  Working things:
  PEAP authentication with the MS AD;
  EAP-TLS authentication with the local DB.
  Not working things:
  EAP-TLS authentication with MS AD.
  Because I'm able to auth users with PEAP on MS AD, I guess my config on MS AD is correct.
  Because I'm able to auth users with certif in EAP-TLS, I guess my certif config is correct.
  So, why it's not working with the combination EAP-TLS and MS AD.
  I receive the error 'External DB Account Restriction'
  Thanks for your help.

  Hi,
  This is what is interesting,
  AuthenProcessResponse: process response for 'phd' against Windows Database
  Unknown User 'phd' was not authenticated
  Done RQ1027, client 50, status -2125
  The field that is being picked from certificate has the value 'phd', check you check which field is it.
  And was the logging at full?, I think something is missing in the logs.
  Lets do a sanity check, and go through following link again,
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a008068d45a.shtml
  Regards,
  Prem

• EAP-TLS problems Windows XP

  We are using Cisco ACS 4.1 for Windows RADIUS server, Windows 2003 PKI, 3750 access switch and Windows XP SP 3 workstations.
  Problem is that users with user certificate can loging successful by 802.1x. When user logs in without user certificate (but with computer certificate) no record will be written in ACS log. Windows tells that authentication is not ok. But client keeps ip address form successful computer authentication. After a few minutes, the connection will be dropped.
  AuthMode is set to 2 in Windows. At first there will be computer auth, then user auth takes place. Why does the computer keeps the ip address from successful computer auth ? We want to put the computer in aut-fail VLAN. But that doesn't happen...

  Do you see same issue with SP2 ?
  Here is important information about dot1x configured on XP SP3.
  You cannot connect to an 802.1X wired network after you upgrade to Windows XP Service Pack 3
  http://support.microsoft.com/kb/953650
  Changes to the 802.1X-based wired network connection settings in Windows XP Service Pack 3
  http://support.microsoft.com/kb/949984/
  Regards,
  ~JG

• Wired 802.1x EAP-TLS Server Certificate Problem

  I have setup wired 802.1x authentication using EAP-TLS with ACS 3.3 and backend link to Active Directory. Root CA certificates are installed on the ACS and Client PC. Machine certificates and user certificates are also installed on Client PC. A Server certificate is installed on the ACS. All has been configured as detailed on the Cisco Web Site (numerous documents).
  If I set the client to authenticate the Servers certificate I get a failure. The clients log (Cisco Secure Services Client) states:
  11:48:53.088 Validating the server.
  11:48:53.088 Server list is empty, trusted server can not be validated.
  11:48:53.088 Server list is empty, trusted server can not be validated.
  11:48:53.088 The server certificate is invalid, the common name ACS-One.rotherham.gov.uk does not match.
  11:48:54.776 Port state transition to AC_PORT_STATE_UNAUTHENTICATED(AC_PORT_STATUS_ERR_SERVER_TLS_CERTIFICATE_REJECTED)
  11:48:54.776 The authentication process has failed.
  If I look at the Auth log on ACS (set to full logging) it states:
  AUTH 08/27/2008 14:09:04 I 0701 1492 AuthenProcessResponse: process response for 'paul.kyte@domain' against Windows NT/2000
  AUTH 08/27/2008 14:09:04 E 0350 1492 EAP: TLS: ProcessResponse: SSL handshake failed, status = 3 (SSL alert fatal:bad certificate)
  If I configure the client to not check the servers certificate it all works ok.
  Can anyone tell me why my server certificate is getting rejected?
  Thanks,
  Paul

  If Cisco Secure ACS runs on a member server and any user is to be authenticated using EAP-TLS, you must complete additional configuration in Active Directory of the domain containing Cisco Secure ACS. The username that you configured to run all Cisco Secure ACS services must also have permission to read user properties in Active Directory, else EAP-TLS authentication fails.

• 802.1x with EAP-TLS Fails on Wired

  Dear Colleagues,
  I am currently encountering an issue which does not seem to make sense to me and hence checking if anyone of you have come across the same or can provide further input on how to proceed...
  Setup :
  1. Radius Server - Cisco ACS 1113 Engine
  2. Authenticator - Cisco 6509 Switch
  3. Supplicant - Windows XP SP2/3
  Problem:
  1. Supplicants fail to authenticate using EAP-TLS as the authentication method.
  Errors Seen:
  1. Cisco ACS Reports - Authen session timed out: Supplicant did not respond to ACS correctly. Check supplicant configuration.
  2. Cisco Switch Reports - dot1x-err(Gi3/39): Invalid Eapol packet length = 1490
  3. Supplicant Reports when Trace enabled in the RASTLS file - “>> Received Failure (Code: 4) packet: Id: 8, Length: 4, Type: 0, TLS blob length: 0. Flags:” and “Code 4 unexpected in state SentFinished”
  Other Information:
  1. Wireless Clients using the windows supplicant and EAP-TLS connect without any issue.
  2. ACS has certificates issued by 3rd Party Root CA - Geotrust.
  3. Clients have Certs issued by clients own CA infrastructure.
  4. ACS has the clients Root CA cert in the trust list and hence why the wireless users work.
  5. PEAP works fine on wired.
  Any pointers appreciated. Happy to share logs from Switch / Supplicant and ACS if needed.
  Thanks
  Volven

  Dear Colleagues,
  I am currently encountering an issue which does not seem to make sense to me and hence checking if anyone of you have come across the same or can provide further input on how to proceed...
  Setup :
  1. Radius Server - Cisco ACS 1113 Engine
  2. Authenticator - Cisco 6509 Switch
  3. Supplicant - Windows XP SP2/3
  Problem:
  1. Supplicants fail to authenticate using EAP-TLS as the authentication method.
  Errors Seen:
  1. Cisco ACS Reports - Authen session timed out: Supplicant did not respond to ACS correctly. Check supplicant configuration.
  2. Cisco Switch Reports - dot1x-err(Gi3/39): Invalid Eapol packet length = 1490
  3. Supplicant Reports when Trace enabled in the RASTLS file - “>> Received Failure (Code: 4) packet: Id: 8, Length: 4, Type: 0, TLS blob length: 0. Flags:” and “Code 4 unexpected in state SentFinished”
  Other Information:
  1. Wireless Clients using the windows supplicant and EAP-TLS connect without any issue.
  2. ACS has certificates issued by 3rd Party Root CA - Geotrust.
  3. Clients have Certs issued by clients own CA infrastructure.
  4. ACS has the clients Root CA cert in the trust list and hence why the wireless users work.
  5. PEAP works fine on wired.
  Any pointers appreciated. Happy to share logs from Switch / Supplicant and ACS if needed.
  Thanks
  Volven

• Eap-tls wired 802.1x - certificate issue?

  I have configured ACS 4.0 and an 2003 Enterprise root CA on the same server, successfully applied the GPO to auto-enroll machines with Computer certificates, and then enabled 802.1x security on Catalyst 3750s. Note this is for wired 802.1x.
  If I reboot the machine, the EAP packets go through and you can see a successful authentication in the "Passed Authentications" log. However, if you disconnect the wire and then plug it back in, Windows gets stuck in "Validatiny Identity", and eventually a balloon pops up saying: "Windows was unable to find a certificate to log you on". Doing a 'sh dot1x interface ...' shows it is CONNECTING until the auth timeout is reached then it dumps the workstation into the guest vlan. Nothing is logged to Passed Authentications or Failed Attempts on the ACS server.
  Basically, the only time the EAP-TLS machine authentication works is when you reboot the machine. And if you change the state of the port either by diabling/enabling from the workstation or switch, or unplug the cable and plug it back in, Windows does not seem to pass the certificate information along to the PAE.
  This does not seem to happen when a user/client certificate is issued, only when it is a machine/computer certificate
  Has anybody seen this before and have any solutions why Windows cannot recogonize the machine certificate properly?

  We solved our WIRELESS problem by editing the following entrees. I sure this can be applied to the wired side somehow.
  The information about the correct settings can be found in this Microsoft document:
  http://technet2.microsoft.com/WindowsServer/en/library/8e74974f-c951-48ce-8235-02f4ed8e74921033.mspx?mfr=true
  The areas of interest are the SupplicantMode (EAPOL-Start Message) and AuthMode (what type of authentication to use) registry entries. These can be configured manually in the registry or applied via Group Policy.
  This allows just the machine to authenticate (using a Cert all ready on the Machine) then we use our ACS server to auth the user via AD.
  I am doing this wirelessly and using as long as you are using a WDS the following will be the result.
  Roaming AP to AP I only lost 1 packet.
  Roaming from Vlan to other Vlan I lost 5 packets (Different ip address)
  Shutting the wireless off and back on I only lost 8 packets.
  I thought this was a very good result. We will be launching our lab with 35 plus laptops in a classroom with 2 radios.

• EAP-TLS and MS AD auth problem

  Hi,
  I have a problem with an ACS to authenticate users with certificate on MS AD.
  Working things:
  PEAP authentication with the MS AD;
  EAP-TLS authentication with the local DB.
  Not working things:
  EAP-TLS authentication with MS AD.
  Because I'm able to auth users with PEAP on MS AD, I guess my config on MS AD is correct.
  Because I'm able to auth users with certif in EAP-TLS, I guess my certif config is correct.
  So, why it's not working with the combination EAP-TLS and MS AD.
  I receive the error 'External DB Account Restriction'
  Thanks for your help.

  This issue is generally seens when there are multiple domains. Try out this step. Choose Network Connections from the control panel. Right-click the local area connection.Choose Properties. Double-click the TCP/IP option. Choose Advanced at the bottom. Click on DNS at the top. Choose Append these DNS suffixes. Add the FQDN for each domain that ACS authenticates against in the field.

• ISE problem with EAP-TLS Supplicant Provisioning

  Hi All,
  I have a demo built using ISE v1.1.3 patch 1 and a WLC using v7.4.100.0 software.  The aim of the demo is to provision a device's supplicant with an EAP-TLS Certificate...  'device on-boarding'
  The entire CWA / Device Registration process is all fine and works well.  I'm using a publically signed Cert on ISE that is built from [Root CA + Intermediate CA + Host Cert] which is used for both HTTPS and EAP and I also have SCEP operating against my Win 2k8 Enterprise Edition CA that is part of my Active Directory.  All of this works fine.
  The problem is that when ISE pushes the WLAN config down to the device, it instructs the Client to check for the Root CA, but the RADIUS processes within ISE are bound to the Intermediate CA.  This leads to a problem where the Client doesn't trust the Certificate presented to it from ISE.  There doesn't seem to be any way to configure this behaviour within ISE.
  Has anybody else encountered this? Know a solution? Have suggestions for a workaround?
  Cheers,
  Richard
  PS - Also using WinSPWizard 1.0.0.28

  Hi Richard,
  This is a misbehavior that ISE is provisioning the intermediate CA certificate during the BYOD registration process in similar (hierarchical certificate authority) scenarios. It is going to be fixed soon. Engineering is almost ready with the fix.
  Istvan Segyik
  Systems Engineer
  Global Virtual Engineering
  WW Partner Organization
  Cisco Systems, Inc
  Email: [email protected]
  Work: +36 1 2254604
  Monday - Friday, 8:30 am-17:30 pm - UTC+1 (CET)

• ISE Problem: EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain

  Hello, I´m stucked with this problem for 3 weeks now.
  I´m not able to configure the EAP-TLS autentication.
  In the "Certificate Store" of the ISE server I have Installed the Root, policy and the Issuing certificates as "trust for client authentication",and in the Local store I have a certificate issuing for the same issuing authority which sign the thw client ones.
  The ISE´s certificate has been issued with the "server Authentication certificate" template.
  The clients have installed the certificates  also the certificate chain.
  When I try to authenticate the wireless clients I allways get the same error: "     Authentication failed : 12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain"
  and "OpenSSLErrorMessage=SSL alert
  code=0x230=560 ; source=local ; type=fatal ; message="Unknown CA - error self-signed certificate in chain",OpenSSLErrorStack=  1208556432:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2720"
  I don´t know what else can I do.
  Thank you
  Jorge

  Hi Rik,
  the Below are the certificate details
  ISE Certificate Signed by XX-CA-PROC-06
  User PKI Signed by XX-CA-OTHER-08
  In ISE certificate Store i have the below certificates
  XX-CA-OTHER-08 signed by XX-CA-ROOT-04
  XX-CA-PROC-06 signed by XX-CA-ROOT-04
  XX-CA-ROOT-04 signed by XX-CA-ROOT-04
  ISE certificate signed by XX-CA-PROC-06
  I have enabled - 'Trust for client authentication' on all three certificates
  this is unchecked - 'Enable Validation of Certificate Extensions (accept only valid certificate)'
  when i check the certificates of current user in the Client PC this is how it shows.
  XX-CA-ROOT-04 is listed in Trusted root Certification Authority
  and XX-CA-PROC-06 and XX-CA-OTHER-08  are in Intermediate Certificate Authorities

• ISE & EAP-TLS Wired document

  All,
  Is there a document out there that explicitly shows wired authentication via EAP-TLS and explains the steps?
  I have a good handle on what's needed, but I had trouble finding relevant documentation.

  Please review the below link:
  http://http://www.cisco.com/en/US/docs/solutions/SBA/August2012/Cisco_SBA_BN_LANAndWirelessLAN802.1xAuthenticationDeploymentGuide-Aug2012.pdf

• ACS 4.2 and EAP-TLS with AD and prefix problem

  Hi there
  we have the following situation:
  - 2 x ACS (1 x ACS SE 4.2 and 1 x ACS 4.2) for domain A
  - 2 x ACS (1 x ACS SE 4.2 and 1 x ACS 4.2) for domain B
  First of all, is it a problem to have an ACS SE and an ACS working together for one domain, I don't think so? When we had only one domain and both ACS SE were responsible for domain A, it worked.
  Now after the changes, machine authentication with EAP-TLS doesn't work anymore. In the logs it always says that the "External DB user is unknown" for a (machine) username like host/abc.domain.ch
  This is the normal output of the Remote Agent, it finds the host but then nothing happens:
  CSWinAgent 11/30/2009 16:32:13 A 0140 3672 0x0 Client connecting from x.x.x.x:2443
  CSWinAgent 11/30/2009 16:32:14 A 0507 3512 0x0 RPC: NT_DSAuthoriseUser received
  CSWinAgent 11/30/2009 16:32:14 A 0474 3512 0x0 NTLIB:       Creating Domain cache
  CSWinAgent 11/30/2009 16:32:14 A 0549 3512 0x0 NTLIB: Loading Domain Cache
  CSWinAgent 11/30/2009 16:32:14 A 0646 3512 0x0 NTLIB: No Trusted Domains Found
  CSWinAgent 11/30/2009 16:32:14 A 0735 3512 0x0 NTLIB: Domain cache loaded
  CSWinAgent 11/30/2009 16:32:14 A 2355 3512 0x0 NTLIB: User 'host/abc.domain.ch' was found [DOMAIN]
  CSWinAgent 11/30/2009 16:32:14 A 0584 3512 0x0 RPC: NT_DSAuthoriseUser reply sent
  So I made a test from an ASA to see if the host/ is a problem (before any changes were made it wasn't a problem):
  test aaa authentication RADIUS host 10.3.1.9 username host/abc.domain.ch (the ASA transforms the host/ input to the correct Windows schema with the $):
  CSWinAgent 11/30/2009 15:39:23 A 0140 3672 0x0 Client connecting from x.x.x.x:1509
  CSWinAgent 11/30/2009 15:39:23 A 0390 3728 0x0 RPC: NT_MSCHAPAuthenticateUser received
  CSWinAgent 11/30/2009 15:39:23 A 0474 3728 0x0 NTLIB:       Creating Domain cache
  CSWinAgent 11/30/2009 15:39:23 A 0549 3728 0x0 NTLIB: Loading Domain Cache
  CSWinAgent 11/30/2009 15:39:23 A 0646 3728 0x0 NTLIB: No Trusted Domains Found
  CSWinAgent 11/30/2009 15:39:23 A 0735 3728 0x0 NTLIB: Domain cache loaded
  CSWinAgent 11/30/2009 15:39:23 A 1762 3728 0x0 NTLIB: Got WorkStation CISCO
  CSWinAgent 11/30/2009 15:39:23 A 1763 3728 0x0 NTLIB: Attempting Windows authentication for user ABC$
  CSWinAgent 11/30/2009 15:39:23 A 1815 3728 0x0 NTLIB: Windows authentication FAILED (error 1326L)
  CSWinAgent 11/30/2009 15:39:23 A 0373 3728 0x0 NTLIB: Reattempting authentication at domain DOMAIN
  CSWinAgent 11/30/2009 15:39:23 A 0549 3728 0x0 NTLIB: Loading Domain Cache
  CSWinAgent 11/30/2009 15:39:23 A 1762 3728 0x0 NTLIB: Got WorkStation CISCO
  CSWinAgent 11/30/2009 15:39:23 A 1763 3728 0x0 NTLIB: Attempting Windows authentication for user ABC$
  CSWinAgent 11/30/2009 15:39:23 A 1815 3728 0x0 NTLIB: Windows authentication FAILED (error 1326L)
  CSWinAgent 11/30/2009 15:39:23 A 0456 3728 0x0 RPC: NT_MSCHAPAuthenticateUser reply sent
  It's clear that the test was not successful because of the wrong "machine password" but it's a different output as before. I saw that in ACS 4.1 you could change the prefix of /host to nothing, but in 4.2 this is not possible anymore.
  Could this be the problem or does someone see any other problem?
  Best Regards
  Dominic

  Hi Colin
  thanks for your answer, we had the this setting correct. I was able to solve the problem yesterday, we had some faults in the AD mapping.
  I didn't know that when I select more AD groups for one ACS group in one step, that the user / host has to be in every of these AD groups (AND conjunction).
  Now I only added one AD group for my ACS group and it works. The error message "AD user restriction" was not very helpful for finding this fault ;-)
  Regards
  Dominic

• EAP-TLS + CA MICROSOFT + ACS 3.2 APPLIANCE = Problem

  I have a Wireless Lan platform composed by equipment Access Points Cisco 1100 with ACS 3,1 and CA Microsoft.The security scheme is EAP-TLS (certificates).This architecture was completely functional. The problem took place when replacing the ACS 3,1 by the ACS 3,2 APPLIANCE, for which new certificates they were emitted by the CA of the infrastructure. The problem appears when a wireless client tries to connect to the wireless network,without obtaining the objective ,being in a state of "trying to authenticate" in networks adapters, in addition the ACS Logs appear the following message "NAS duplicated authentication attempt".
  If somebody knows the reason of this problem, can be contacted to my mail ([email protected]).

  A hint i could give you that in such a scenario you need an Trusted boundary between the ACS Appliance and the MS AD/PDC. This we be realized trough an PC/Host who is a regitered member or user of the AD/PDC. This relay Computer then communicates with the MS CA. The SW that Cisco Provides is the Cisco Secure ACS Agent. Hope this helps as we found the same problem in leap authentication as the ACS Appliance could not be set into a AD/PDC Domain. This has to be realized trough this smal piece of SW installed on an PC/Host etc. wich is a active AD/PDC Member.

• 8021.x EAP-TLS "User" vs "System" profile problems

  Hello. I have a macbook using EAP-TLS (wired) with digital certificate authentication. Finally, it's working but I have the following workarounds/questions.
  1. I have had to set the Username field to "HOST/<machine FQDN>". Other systems (ie: Windows) prepend "HOST/" automatically. Is this a known limitation or is there something I can/should do to have OS/X pull out the certificate identity and put it in as "host/identity" in response to the Identity EAP request?
  2. This works fine for USER profiles, but I cannot get a SYSTEM profile to work. When I setup a SYSTEM profile, it screws with the keychain (my root CA has to be explicitly trusted, and the SYSTEM profile only turns on Trust for eapolclient), and the auth fails. There's not enough logging detail (LogLevel=1 only gives you a network trace...) to see what's going on, so I'll ask the experts here - what's going on?
  I concede that I have played around with System profiles quite a bit, so maybe I need to delete the system profile and restart but I don't know how to do that.
  Thanks!

  Assuming you're using the stock XP wifi client.
  When running XPSP3, you need to set two things:
  1) force one registry setting.
  According to
  http://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx#w2k3tr_wir_tools_uzps
  You need to force usage of machine cert-store certificate:
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
  "AuthMode"=dword:00000002
  2) add the ACS certificate signing CA to the specific SSID profile "trusted CA".
  - show available wireless networks
  - change advanced settings
  - wireless networks tab
  - select your SSID, and then hit the "properties" button
  - select authentication tab, and then hit "properties" button
  - search for your signing CA, and check the box.
  I did with a not-so-simple autoIT script, using the "native wifi functions" addon.
  Unfortunately I'm not allowed to share the script outside the company, but I'll be more than happy to review yours.
  please cross reference to
  https://supportforums.cisco.com/message/3280232
  for a better description of the whole setup.
  Ivan

• 802.1x eap-tls machine + user authentication (wired)

  Hi everybody,
  right now we try to authenticate the machines and users which are plugged to our switches over 802.1X eap-tls. Works just fine with windows.
  You plug a windows laptop to a switchport and machine authenticates over eap-tls with computer certificate. Now the user logsin and our RADIUS (Cisco ACS) authenticates the user as well, with the user certificate. After eap-tls user-authentication the RADIUS checks if the workstation on which the user is currently logged in is authenticated as well. If yes = success, if no the switchport will not allow any traffic.
  Now we have to implement the same befaviour on our MacBooks Pro. Here the problems start. First of all I installed user and computer certificates issued by our CA (Win 2008 R2). So far so good. Now I have no idea how to implement the same chain of authentication. I was reading countless blogs, discussions, documentations etc. about how to create .mobileconfig profiles. Right now im able to authenticate the machine, and _only_ if I login. As soon as I logout eap-tls stops to work. It seems that loginwindow does not know how to authenticate.
  1) how do I tell Mavericks to authenticate with computer certificate while no user is loged in ? already tried profiles with
  <key>SetupModes</key>
  <array>
      <string>System</string>
      <string>Loginwindow</string>
  </array>
  <key>PayloadScope</key>
      <string>System</string>
  but it does not work
  2) How do I tell Mavericks to reauthenticate with user certificate when user logs in ?
  Thanks

  Unfortunatelly this documents do not describe how to do what I want.
  I already have an working 802.1x. But the mac only authenticates when the user is loged in. I have to say that even this does not work like it should. If Im loged in sometimes i need to click on "Connect" under networksettings and sometimes it connects just automatically. Thats really strange.
  I set the eapolclient to debugging mode and see following in /var/log/system.log when I logout.
  Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
  Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
  Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
  Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
  this are only debugging messages I get. Looks to me like eapolclient is not able to find a certificate (?)
  The certificates are in my System keychain.
  Unfortunatelly apple also changed the loging behaviour of eapolclient, I dont see any eapolclient.*.log under /var/log
  Any ideas ?