Troubleshooting EAP-TLS Connections

A common cause of EAP-TLS failures is a user or client certificate that was not generated with the identity the authenticator expects. The User Principal Name (UPN) must be included in the certificate's Subject Alternative Name (SubjectAltName) extension. By default, the standard certificate templates in Active Directory are not configured this way. For more information, see the following documentation from Microsoft: Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS.

Your Active Directory administrator or certificate administrator may need to ensure that the template being used for the user certificate is set to use the UPN in the Subject Alternative Name field.

The following screenshot illustrates the proper setting:

[Screenshot: certificate template configured to include the UPN in the Subject Alternative Name]

The Subject Alternative Name in the AD-issued certificate when using the default template was:
username.domain.corp

After the template change, the Subject Alternative Name in the AD-issued certificate became the following, and the connection was successful:
username@domain.corp
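The check below is an added example, not Jamf's or Microsoft's code: it classifies a certificate's SAN into the two cases quoted above (a dotted name only, versus a proper user@domain UPN in the Microsoft UPN otherName) and, optionally, reads the SAN from a real PEM certificate with the third-party `cryptography` package. It assumes the failing SAN value was carried as a DNS name; a UPN otherName holding a dotted value is reported separately.

```python
import re
from typing import Dict, List, Tuple

UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # Microsoft otherName OID for a UPN
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # user@domain.tld
# A SAN is modelled as (kind, value) pairs; kind is "dns" or "other:<oid>".
SanEntries = List[Tuple[str, str]]

def diagnose_san(san: SanEntries) -> Dict[str, object]:
    """Return ok/upn/hint for a SAN, covering the article's before/after cases."""
    upns = [v for k, v in san if k == f"other:{UPN_OID}"]
    good = [v for v in upns if UPN_RE.match(v)]
    if good:
        return {"ok": True, "upn": good[0], "hint": "UPN in SAN; EAP-TLS can map the certificate to the user."}
    if upns:
        return {"ok": False, "upn": None, "hint": f"UPN otherName {upns[0]!r} is not in user@domain form."}
    dns = [v for k, v in san if k == "dns"]
    if dns:
        return {"ok": False, "upn": None, "hint": f"SAN only has DNS name(s) {dns}; the template must put the UPN in the SAN."}
    return {"ok": False, "upn": None, "hint": "SAN has no UPN; check the certificate template."}

def decode_utf8string(raw: bytes) -> str:
    """Decode the DER UTF8String (tag 0x0C) that carries a UPN otherName value."""
    if not raw or raw[0] != 0x0C:
        raise ValueError("UPN otherName value is not a UTF8String")
    length, offset = raw[1], 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, offset = int.from_bytes(raw[2:2 + n], "big"), 2 + n
    return raw[offset:offset + length].decode("utf-8")

def san_from_pem(pem: bytes) -> SanEntries:
    """Read SAN entries from a PEM cert; needs the optional 'cryptography' package."""
    from cryptography import x509
    from cryptography.x509.oid import ExtensionOID
    cert = x509.load_pem_x509_certificate(pem)
    try:
        san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
    except x509.ExtensionNotFound:
        return []
    out: SanEntries = []
    for name in san:
        if isinstance(name, x509.DNSName):
            out.append(("dns", name.value))
        elif isinstance(name, x509.OtherName):
            out.append((f"other:{name.type_id.dotted_string}", decode_utf8string(name.value)))
    return out

# The two SAN values quoted in the article, as constructed inputs.
DEFAULT_TEMPLATE = [("dns", "username.domain.corp")]             # connection fails
FIXED_TEMPLATE = [(f"other:{UPN_OID}", "username@domain.corp")]  # connection succeeds
```

Run `diagnose_san(san_from_pem(open("user.pem", "rb").read()))` against an exported user certificate to see which case the current template produces.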

Additional Information for Further Troubleshooting

For a walk-through of the wireless troubleshooting process, see the following documentation from Microsoft:
A Support Guide for Wireless Diagnostics and Troubleshooting

For more information on troubleshooting EAP-TLS connections, see the following webpage:
802.1X EAP-TLS Machine Authentication in Mt. Lion with AD Certificates

© copyright 2002-2021 Jamf. All rights reserved.