
Set up Microsoft PEAP in OS X Network
I have been trying for some time to get PEAP (Microsoft's Protected EAP method) to work with Mac OS X 10.3. Today it finally worked, and it boils down to this:
  1. Import the certificate for the root certificate authority (CA) that issued the certificate to your IAS box into your keychain. Make sure it goes into x509Anchors. If you have web enrollment enabled, you can go to that site and download it.
  2. In Internet Connect, select new 802.1x connection, enter the login ID (no domain) and password, then select the wireless network that's using PEAP.
  3. From the Configuration list, pull down and select Edit Configurations.
  4. On the sheet that pulls down, select PEAP and then configure and enter your domain and loginid (Domainloginid) in the box marked "Outer Identity."
  5. Save your changes and connect to the network. It should ask you if you really want to trust the certificate. Examine it and if you do, (and you really do...) say yes.
  6. If it doesn't connect the first time, try again and it should work.
This solution was tested using Mac OS X 10.3.4 connecting through a D-Link DI-624 set up to use WPA. The Domain Controllers were Windows 2003 in Native 2000 mode. The RADIUS server is a Windows 2003 server with IAS (Internet Authentication Service), and the certificates were issued using Windows 2003 Certificate Services.
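A check to run in Terminal before step 1, as an added example that is not part of the original hint: it prints the root CA certificate's subject, validity dates and SHA-256 fingerprint for comparison with values obtained from the CA administrator, and classifies the validity window at a given clock value. `check_anchor` and `make_sample_ca` are hypothetical helper names, the sample root is constructed, and OpenSSL 1.0.2 or later is assumed.

```shell
#!/bin/sh
# Added example, not from the original hint. check_anchor and make_sample_ca
# are hypothetical helper names; assumes OpenSSL 1.0.2 or later on the PATH.

# Print identity details for a CA certificate (.cer as DER or Base64/PEM) on
# stderr, then classify its validity window at a clock value (default: now).
# stdout is one of: ok | not-yet-valid | expired | invalid
check_anchor() {
    cert=$1
    at=${2:-$(date +%s)}
    pem=$(mktemp) || return 2

    # Windows CA web enrollment offers both DER and Base64 encodings.
    if openssl x509 -inform PEM -in "$cert" -out "$pem" 2>/dev/null; then :
    elif openssl x509 -inform DER -in "$cert" -out "$pem" 2>/dev/null; then :
    else rm -f "$pem"; echo invalid; return 1
    fi

    # Compare this fingerprint with one obtained from the CA administrator
    # out of band before adding the certificate as a trust anchor.
    openssl x509 -in "$pem" -noout -subject -dates -fingerprint -sha256 >&2

    # A root CA certificate is self-signed, so verify it against itself.
    out=$(openssl verify -CAfile "$pem" -attime "$at" "$pem" 2>&1)
    rm -f "$pem"
    case $out in
        *"not yet valid"*) echo not-yet-valid ;;
        *"has expired"*)   echo expired ;;
        *": OK"*)          echo ok ;;
        *)                 echo invalid ;;
    esac
}

# Constructed sample: a throwaway self-signed root valid for 30 days,
# written as <prefix>.pem (Base64) and <prefix>.cer (DER).
make_sample_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Constructed Sample Root CA" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null &&
    openssl x509 -in "$1.pem" -outform DER -out "$1.cer"
}

# Demo: the same certificate with a correct clock and one ten minutes slow.
dir=$(mktemp -d) && make_sample_ca "$dir/root"
check_anchor "$dir/root.cer"
check_anchor "$dir/root.cer" $(( $(date +%s) - 600 ))
```

For a real certificate, pass the downloaded .cer path to `check_anchor`; a `not-yet-valid` result on a freshly issued certificate indicates a clock difference between the client and the CA.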

Set up Microsoft PEAP in OS X
Authored by: wlanni on Oct 21, '04 07:34:28PM

Question: when you got the .cer to import into your keychain, was it expired? I'm finding that my cert is expired by a couple minutes every time I download it. Is that normal?

Also, AirPort is not seeing the wireless network by default; I have to type it in. Was your machine seeing the wireless network? Also, I can't specify that I want to login using EnterpriseWAP in the 802.1x configuration. Does it just know this by default?

When you pulled down edit configurations, was the login/pw already filled in? Should it be?

I'd like to just double check that the outer identity should be Domainloginid, no '/', no '@'... Does Domain need to be capitalized? Did it matter?

Thank you for this!

(I'd post what our hardware/software is but I don't know. I'm an end user searching desperately for help)



Set up Microsoft PEAP in OS X
Authored by: wlanni on Oct 21, '04 07:36:29PM

Darn it! I don't see a way to edit my above post.

I forgot to add that when I click connect, the status changes to "Connecting" and freezes there for a while, and the button changes to "disconnect".

Does this have any meaning? Does this mean it sees the network but is freezing up (probably trying to authenticate with an expired cert, which is my ignorant and naive opinion)?



Set up Microsoft PEAP in OS X - worked for anyone else?
Authored by: nimsx on Apr 26, '05 06:54:38AM

Has anyone else found this to work for them?
(Did you do anything differently?)
Please post as much detail as possible.



Set up Microsoft PEAP in OS X - worked for anyone else?
Authored by: phobos182 on May 23, '05 01:45:48PM

Thanks for the tip, worked like a charm.

To eliminate some confusion on step 4:

4: On the sheet that pulls down, select PEAP and then configure and enter your domain and loginid (Domain\loginid) in the box marked "Outer Identity."

Note: Or in the case of Windows 2000+, username@domainname



Set up Microsoft PEAP in OS X - worked for anyone else?
Authored by: micah_death on Jul 06, '05 02:25:58PM

This worked for me. Note that I do not put in the domain name...

I just did <UserName> then <password> and clicked continue when it said 1 certificate couldn't be verified.... the <domain>\<username> or <username>@<domain> wasn't needed. (maybe the cert does this for me.)

Also our access points don't have broadcasted SSIDs and it still works =)
(OS X 10.4 on a Powerbook 17")



Set up Microsoft PEAP in OS X
Authored by: legacyb4 on Jan 09, '06 11:56:20AM

Trying this under 10.4.3, but am finding that authentication no longer works with any variation on the domain + username combinations.

Windows XP SP2 clients work fine.

Infrastructure: Windows 2003 AD, IAS, CAs.
Wireless hardware: Linksys WRT54G v 4.20.7

---
lumine.net



Set up Microsoft PEAP in OS X
Authored by: legacyb4 on Jan 09, '06 12:27:39PM
Worked it out finally...

PEAP profile information should contain only userid (not domain) as I was getting the error:

User domainuserid was denied access.
Fully-Qualified-User-Name = DOMAIN\domainuserid

Putting in only the userid fixed that error immediately.

The second error I was having was that the Wireless Connection Remote Access Policy was being overridden by an existing VPN users RAP. Changing the priority order fixed that error.

All is good now...

---
lumine.net
