NPS doesn't authenticate Mac(OS X) client

    Question

  • Hello 

    Request experts' advice on the below.

    We have a Windows RADIUS NPS server set up and authenticating 802.1X WiFi.
    NPS runs on Windows 2012 R2 and it is configured to authenticate Windows clients (domain joined). 

    In the NPS server, we have created a policy and allowed the "Domain Computers" group to authenticate domain-joined clients which are issued a computer certificate. This authentication process works fine for Windows domain-joined clients without any issue.

    The issue is only observed when Mac computers (OS X) which are part of the domain try to authenticate through the NPS server: the authentication fails. We have created a new policy in the NPS server which allows "Domain Computers", but the issue still remains. The Mac OS client has a computer certificate installed.

    The authentication fails with event 6273 with reason code 8 (the specified user account does not exist).

    At the Mac computer, it prompts for a user account continuously and fails. 

    If we use the "Domain Users" group in the NPS server, the same Mac computer connects fine. It fails only when it is set to "Domain Computers" authentication. 

    Can someone shed some light on this issue and how to solve it?


    • Edited Babu_r Saturday, 17 March 2018 15:52
    Saturday, 17 March 2018 13:49

All replies

  • Hi,

    Thanks for your question.

    In most cases, reason code 8 is a user or computer account issue.

    Please try the steps below to see if they help:

    Step 1: Use another account to log on;

    Step 2: Use the certutil command to verify the certs.

    Step 3: Check the intermediate certificates in the intermediate certificates store (MMC). Remove any unnecessary intermediate certificates.

    Step 4: Find the NTAuth store in the location:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates,

    if it does not have the entries for the intermediate certs, manually add them using the command: certutil -enterprise -addstore NTAuth <path to the .CER file>

    Step 5: Disable CRL checking for NPS with the following registry value.

    Key: HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13

    Value: NoRevocationCheck

    Type: REG_DWORD

    Data: 1

    Step 6: Restart the NPS server.

    Besides, please try to use Shared Key Authentication, and you could also try to renew the cert or re-create the cert to see if it works.

    Hope the above information is helpful.

    Highly appreciate your effort and time. If you have any questions and concerns, please feel free to let me know.

    Best regards,   

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, 19 March 2018 7:18
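The reply above points at three server-side things to inspect (the NTAuth store, the NoRevocationCheck value, and the 6273 denials). The script below is an added example, not code from the thread or from Microsoft: a read-only audit that collects all three so you can see what NPS actually has before changing anything. It assumes you run it in an elevated PowerShell on the NPS server itself, with an English-locale certutil (the parser matches certutil's English field labels); the function names are my own, and the registry path, event ID and reason code are the ones quoted in the thread.

```powershell
# Added example (not from the thread): read-only audit of the items Michael's
# reply lists. Nothing here modifies the server.

function Get-NTAuthStoreCertificates {
    # NPS maps a client certificate to an AD account only if its issuing chain
    # is trusted via the enterprise NTAuth store; certutil prints one block per cert.
    $lines = & certutil.exe -enterprise -store NTAuth 2>&1
    $certs = @()
    $cur = $null
    foreach ($line in $lines) {
        if ($line -match '^=+\s*Certificate\s+\d+') {
            if ($cur) { $certs += [pscustomobject]$cur }
            $cur = [ordered]@{ Subject = $null; Issuer = $null; NotAfter = $null; Thumbprint = $null }
        }
        elseif ($cur) {
            if     ($line -match '^\s*Subject:\s*(.+)$')            { $cur.Subject    = $Matches[1].Trim() }
            elseif ($line -match '^\s*Issuer:\s*(.+)$')             { $cur.Issuer     = $Matches[1].Trim() }
            elseif ($line -match '^\s*NotAfter:\s*(.+)$')           { $cur.NotAfter   = $Matches[1].Trim() }
            elseif ($line -match '^\s*Cert Hash\(sha1\):\s*(.+)$')  { $cur.Thumbprint = ($Matches[1] -replace '\s', '').ToUpper() }
        }
    }
    if ($cur) { $certs += [pscustomobject]$cur }
    return $certs
}

function Get-EapTlsRevocationSetting {
    # The value from Step 5 of the reply. It is global for EAP-TLS (EAP type 13),
    # so it affects every client NPS authenticates, not only the Macs.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13'
    $item = Get-ItemProperty -Path $key -Name NoRevocationCheck -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $status = 'Not set: CRL checking is enforced (default)'
        $data = $null
    }
    elseif ($item.NoRevocationCheck -eq 1) {
        $status = 'Set to 1: revocation checking disabled for ALL EAP-TLS clients'
        $data = $item.NoRevocationCheck
    }
    else {
        $status = 'Present but not 1: revocation checking still enforced'
        $data = $item.NoRevocationCheck
    }
    [pscustomobject]@{ Key = $key; NoRevocationCheck = $data; Status = $status }
}

function Get-NpsDenyEvents {
    # Event 6273 ("NPS denied access") lives in the Security log. The Account Name
    # field is the identity NPS extracted from the request, which is what you
    # compare against the computer account that exists in AD.
    param([int]$Days = 7, [int]$ReasonCode = 8)
    $filter = @{ LogName = 'Security'; Id = 6273; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $msg  = $_.Message
        $code = $null
        if ($msg -match 'Reason Code:\s*(\d+)') { $code = [int]$Matches[1] }
        if ($code -ne $ReasonCode) { return }
        $account = $null
        if ($msg -match 'Account Name:\s*(\S+)') { $account = $Matches[1] }   # first match = subject account
        $reason = $null
        if ($msg -match 'Reason:\s*(.+)') { $reason = $Matches[1].Trim() }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            AccountName = $account
            ReasonCode  = $code
            Reason      = $reason
        }
    }
}

# Usage on the NPS server:
Get-NTAuthStoreCertificates   | Format-Table Subject, NotAfter, Thumbprint -AutoSize
Get-EapTlsRevocationSetting   | Format-List
Get-NpsDenyEvents -Days 7 -ReasonCode 8 | Format-Table Time, AccountName, Reason -AutoSize
```

The point of separating the three checks is that they answer different questions: the NTAuth listing tells you whether the issuing CA that signed the Mac's computer certificate is trusted for account mapping at all, the registry check tells you whether anyone has already turned revocation checking off server-wide (which, as the thread goes on to note, changes behaviour for every client), and the event query shows which identity NPS tried to look up for the failing Macs, which is the first thing to compare against the macOS certificate's subject and SAN when reason code 8 is the symptom.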
  • Hi,

    How are things going on? Was your issue resolved?

    Please let us know if you would like further assistance.

    Wish you a nice weekend!

    Best regards,

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, 23 March 2018 9:55
  • Hello Michael,

    Thanks for the action steps. 

    Would like to highlight the below to you. 

    1. The registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates" has the appropriate Root and Issuing CA certificates. 

    2. The registry value "NoRevocationCheck" under HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13 is yet to be created and tested. 

    I have a few comments on the actions you suggested. 

    - The Apple client does have a certificate issued by the same CA. 

    - The problem doesn't affect Windows clients, hence I would like to know if I still need to follow step 2. Because by creating the registry key it will affect all the clients, isn't it?

    Please let me know with further action.

    Regards

    BK

    Sunday, 25 March 2018 5:47
  • Hi,

    Thanks for your detailed update.

    You're right! Step 2 will affect all the clients and may have unintended effects. Very sorry for my mistake.

    I found an article referring to NPS for MAC-based authentication; you may try the following link:

    https://documentation.meraki.com/MR/Encryption_and_Authentication/Creating_an_NPS_Policy_for_MAC-based_Authentication

    Highly appreciate your continued effort and time. I look forward to hearing your good news.

    Wish you a nice day!

    Best regards,

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, 26 March 2018 10:33
  • Hi,

    How are things going on? Was your issue resolved?

    Please let us know if you would like further assistance.

    Wish you a nice day!

    Best regards,

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, 28 March 2018 9:18
  • Hi,

    How are things going on? Was your issue resolved?

    Please let us know if you would like further assistance.

    Wish you a nice day!

    Best regards,

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, 30 March 2018 11:51
  • The original question was for Apple macOS, not for Media Access Control (MAC) based login.

    I am also facing the same problem, but am thus far unable to find a solution.

    Friday, 04 May 2018 14:52
  • I have the same problem with my macOS. 
    Can anyone help?
    Thanks,
    Tuesday, 22 May 2018 5:01