16 July 2010

802.1x TLS authentication with Macintosh

At the company where I´m working we have a nicely integrated CA with our Active Directory that allows us to automatically provision our PCs with a client certificate assigned to the System account, mostly known as a machine certificates. We are using these certificates for authenticating the devices before granting them access to the network using 802.1x EAP-TLS. We chose that solution to ensure that only corporate computers would connect to the trusted network, redirecting the rest to a semi protected network with access to the Internet and little more.

As any other enterprise we have been silently invaded by macs and now we have to find a solution to connect them to the trusted network, which in our case, implies delivering a machine certificate.

I`ll skip you the troubleshooting and go directly to the solution.
Building blocks:
- Windows 2008 Microsoft Enterprise CA
- IAS Server (Microsoft RADIUS)
- MacBook Pro, Mac OS X Snow Leopard
- WinXP SP3

I'm assuming that you have a Microsoft Integrated CA and that the 802.1x TLS is already working for the PCs. For Standalone CA (and probably non IAS Server), you might find that link useful https://airheads.arubanetworks.com/vBulletin/archive/index.php/t-1437.html

1) First you need to create a dedicated Certificate Template for issuing the certificates to the macs. The fastest solution is to duplicate the template you are using for delivering the current machine certificate but with the following changes:

- Change the Subject Name to "Supply in the request":


- Make sure you mark the check box "CA certificate manager approval". That is not strictly necessary but without this you might have severe security problems. It´s also recommended that you limit the users allowed to upload the requests.


- When you are using PCs and Autoenrollment  most probably you are not allowing users to export the certificate private key. In our company we have decided that a dedicated group in IT Support will generate the certificates in a windows box, export and transfer them to a mac. In order to do so we have to check the "Allow private key to be exported":


- Once you have that in place you can craft a Certificate Signing Request and upload it to the CA. For creating the proper CSR you should know the mac name as provisioned in the Active Directory. We use the Microsoft tool LCSCertUtil. If you too, make sure you uncheck "Disable Template" and check "Exportable Private Key".

It´s very important you add the proper CN and SAN fields. If you machine name is X1234.companydomain.com make sure your CN is host/X1234.companydomain.com and the SAN is X1234.companydomain.com. That is the only difference between the machine certificates delivered to windows boxes and the rest.

- Once you have the certificate in the Windows box, open Internet Explorer go to Tools, Internet Explorer, Content, Certificates; choose the certificate and export it in a PKCS12 container (windows will generate a .pfx file) making sure you include the private key and the certificate chains.

- The next would be to import the file in the mac keystore and create a 802.1x profile in the mac assigning the certificate in the TLS protocol using the Advanced network features (make sure you disable the other protocols), but if you reached that point it should not be a big deal.

Good night and good luck.

10 comments:

  1. Anonymous23/2/11 14:10

    Thanks !

    ReplyDelete
  2. The step by step procedure is helpful.Thanks for sharing it here on blogspot as you mentioned that the fastest solution is to duplicate the template you are using for delivering the current machine certificate.are the changes you outlined above are sufficient.

    ReplyDelete
  3. Thank you very much. After uncountable problems this helped to authenticate the machine.
    Just clarify that when you select TLS in the MAC you should remove username and password data, if not, it will continue trying to use the user account.

    ReplyDelete
  4. Thanks for this procedure!
    Just one question:
    "make sure your CN is host/X1234.companydomain.com and the SAN is X1234.companydomain.com"
    I'm not sure about what is "host" in the step above.

    ReplyDelete
  5. Hi Tom,
    if you are using an IAS Server as a RADUs, that is expecting that the Common Name contains the string "host/X1234.companydomain.com" .
    where "host/" is a fixed string and "X1234.companydomain.com" is the DNS name of your client machine.

    ReplyDelete
  6. Anonymous3/1/12 14:00

    What worked for me was use the normal hostname for both CN ans DNS SAN and then set the servicePrincipalName attribute of the "fake" computer account to "host/name.domain.com"

    ReplyDelete
    Replies
    1. How do you set servicePrincipalName in certificate to "host/" ?

      Delete
    2. you have to generate the Certificate Signing Request with Openssl and enter the proper data as explained

      Delete
  7. I have tried the proposed steps, but the authentication for the WIFI with 802.1X failed.

    1) Is it mandatory for the mac computer to be member of AD domain ?
    2) Is there any way to troubleshoot authentication problems on the mac?

    ReplyDelete
    Replies
    1. 1) if you want to do a proper deployment yes, another option is to impersonate a PC, adding its identity in the certificate you are crafting for the Mac. I would recommend to do this for a PoC only, otherwise you´ll end up with a messy deployment.

      2) you can add some log verbosity in the Mac but frankly I can´t remember how I did it. I’m sure that if you Google for it you´ll find it

      Delete