19 July 2010

802.1x TLS authentication with Android, iPhones and iPads

In my last post I explained how to deploy the necessary infrastructure in order to connect Macs to an 802.1x TLS protected network. In this post I'll explain how to connect an Android or iPhone. The first thing you need is to add the device object in Active Directory and create a certificate with the same characteristics as the one for the Mac. Make sure you add "host/" at the beginning of the CN field, preceding the name of the device as added in Active Directory.

Once you have the PKCS12 container (.pfx file) with the device certificate, the key and the related certificate chain, import it to the device and configure the WLAN interface as follows:

Android 2.1:
For Android, the first thing you have to do is enable the credential store. Go to "Settings", "Location and Security", and set a password. Put the PKCS12 file in the root of the SD card and come back to the security menu. Click on "Install from SD Card" and choose the appropriate file. You'll be prompted to install the certificate, key and root CAs. Once installed, connect to the 802.1x TLS protected WLAN. As the network will request TLS authentication, Android will ask you to unlock your credential storage. Enter the password and click Accept. In the configuration screen add the following parameters:
- EAP method: TLS
- No second phase authentication
- Choose the CA certificate (you should have only one)
- Choose the user certificate (you should have only one)
- In the Identity entry add the same value you put in the CN of the certificate. It should be something like "host/machine-name".

I have successfully tested it with Android 2.1. The drawback is that you most probably will require a proxy to access the Internet and that can't be configured in Android (unless you use a Cyanogen build).

iPhone 3, iPhone 4 and iPad:
Send the PKCS12 file by email and open it from the Mail application. Follow the same instructions as for connecting an Android device to the WLAN. Remember to manually add the CN as the Identity, with "host/" at the beginning.

16 July 2010

802.1x TLS authentication with Macintosh

At the company where I'm working we have a nicely integrated CA with our Active Directory that allows us to automatically provision our PCs with a client certificate assigned to the System account, commonly known as a machine certificate. We are using these certificates to authenticate the devices before granting them access to the network using 802.1x EAP-TLS. We chose that solution to ensure that only corporate computers connect to the trusted network, redirecting the rest to a semi-protected network with access to the Internet and little more.

As any other enterprise, we have been silently invaded by Macs and now we have to find a solution to connect them to the trusted network, which in our case implies delivering a machine certificate.

I'll skip the troubleshooting and go directly to the solution.
Building blocks:
- Windows 2008 Microsoft Enterprise CA
- IAS Server (Microsoft RADIUS)
- MacBook Pro, Mac OS X Snow Leopard
- WinXP SP3

I'm assuming that you have a Microsoft integrated CA and that 802.1x TLS is already working for the PCs. For a standalone CA (and probably a non-IAS server), you might find this link useful: https://airheads.arubanetworks.com/vBulletin/archive/index.php/t-1437.html

1) First you need to create a dedicated certificate template for issuing the certificates to the Macs. The fastest solution is to duplicate the template you are using for delivering the current machine certificates, with the following changes:

- Change the Subject Name to "Supply in the request":

- Make sure you check the box "CA certificate manager approval". That is not strictly necessary, but without it you might have severe security problems: with the subject supplied in the request, anyone allowed to enroll could obtain a machine certificate for whatever name they put in the CSR. It's also recommended that you limit the users allowed to upload requests.

- When you are using PCs and autoenrollment you most probably are not allowing users to export the certificate's private key. In our company we have decided that a dedicated group in IT Support will generate the certificates on a Windows box, then export and transfer them to the Mac. In order to do so we have to check "Allow private key to be exported":

- Once you have that in place you can craft a Certificate Signing Request and upload it to the CA. To create the proper CSR you should know the Mac name as provisioned in Active Directory. We use the Microsoft tool LCSCertUtil. If you do too, make sure you uncheck "Disable Template" and check "Exportable Private Key".

It's very important that you add the proper CN and SAN fields. If your machine name is X1234.companydomain.com, make sure your CN is host/X1234.companydomain.com and the SAN is X1234.companydomain.com. That is the only difference between the machine certificates delivered to Windows boxes and the rest.

- Once you have the certificate on the Windows box, open Internet Explorer, go to Tools, Internet Options, Content, Certificates; choose the certificate and export it in a PKCS12 container (Windows will generate a .pfx file), making sure you include the private key and the certificate chain.

- The next step is to import the file into the Mac keychain and create an 802.1x profile on the Mac assigning the certificate to the TLS protocol using the advanced network settings (make sure you disable the other protocols), but if you reached this point it should not be a big deal.
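The CSR and PKCS12 steps above, reproduced with the openssl CLI as an added example (not the post's own LCSCertUtil/IE procedure, and not the enterprise CA: a throwaway test root stands in for it). The constructed machine name X1234.companydomain.com, the export password and the file names are assumptions. It crafts the CSR with CN=host/<name> and SAN=<name>, bundles key, certificate and chain into a .pfx, and pre-flights that .pfx, including printing the exact Identity string the Android/iPhone supplicant expects:

```shell
#!/bin/sh
# Added example (not from the original post): craft the Mac machine-cert CSR with
# the CN/SAN convention described above, sign it with a throwaway test CA, bundle
# key + cert + chain into a .pfx and pre-flight that .pfx. Needs the openssl CLI.
set -eu
WORK="${WORK:-$(mktemp -d)}"
MACHINE="X1234.companydomain.com"   # constructed; use the AD computer name
PFX_PASS="changeit"                 # placeholder export password
cat > "$WORK/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = host/$MACHINE
[ext]
subjectAltName = DNS:$MACHINE
extendedKeyUsage = clientAuth
[ca]
basicConstraints = critical,CA:TRUE
EOF
make_ca() {   # throwaway test root only, never a substitute for the real CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/req.cnf" \
    -subj "/CN=Test Root CA" -extensions ca -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}
make_csr() {  # CN=host/<name>, SAN=<name>: the only difference from a PC cert
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -keyout "$WORK/mac.key" -out "$WORK/mac.csr" 2>/dev/null
}
make_pfx() {  # sign, keeping SAN/EKU, then export key + cert + chain as PKCS12
  openssl x509 -req -in "$WORK/mac.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/req.cnf" -extensions ext \
    -out "$WORK/mac.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/mac.key" -in "$WORK/mac.crt" \
    -certfile "$WORK/ca.crt" -passout "pass:$PFX_PASS" -out "$WORK/mac.pfx"
}
client_cert() {  # just the device certificate out of the .pfx, as PEM
  openssl pkcs12 -in "$WORK/mac.pfx" -passin "pass:$PFX_PASS" -clcerts -nokeys 2>/dev/null
}
pfx_identity() {  # the string to type in the supplicant's Identity field
  client_cert | openssl x509 -noout -subject -nameopt RFC2253 | sed 's/^subject=CN=//'
}
check_pfx() {  # succeeds only if key, host/ CN, matching SAN and chain are all there
  dump=$(openssl pkcs12 -in "$WORK/mac.pfx" -passin "pass:$PFX_PASS" -nodes 2>/dev/null)
  [ "$(printf '%s\n' "$dump" | grep -c 'BEGIN.*PRIVATE KEY')" -eq 1 ] &&
  [ "$(printf '%s\n' "$dump" | grep -c 'BEGIN CERTIFICATE')" -ge 2 ] &&
  [ "$(pfx_identity)" = "host/$MACHINE" ] &&
  client_cert | openssl x509 -noout -text | grep -q "DNS:$MACHINE"
}
make_ca && make_csr && make_pfx && check_pfx && echo "pfx OK, identity: $(pfx_identity)"
```

Run it before handing the .pfx over: a file that fails check_pfx is missing the key, the chain or the host/ CN, and will be rejected by the RADIUS server or leave the device unable to fill in the Identity field correctly.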

Good night and good luck.