802.1X Authentication with Certificates

reviventtech
New Contributor

Hi All,

 

I've been doing a lot of research on 802.1X certificates as we are looking to move away from AD-binding and move to a software such as JAMF Connect in the very near future. This has brought many challenges while researching, and I think I've just made myself more confused in the process. I'm a novice with networking, so please bear with me on that. 

 

Here is essentially what I need to do: I need to have some way to authenticate with the network at the login window on non-bound machines. I've read that using a machine-based certificate with distribution via SCEP is the way-to-go in this scenario, which is fine at the logon window.

Our security policies require that we have user-based authentication when a person is actively using a machine. So if John Smith logs in, John Smith's credentials need to be used to authenticate against the network, not the machine-certificate used at the logon window. 

 

I read in Apple's documentation that you can use a System+User mode for 802.1X authentication, which is exactly what I need to do, but I can't find much documentation in how to create such a configuration. Essentially, I'm looking for guidance on how to configure network authentication per the requirements mentioned above.

 

We are currently bound to AD and authentication is done when the user logs in and authenticates against AD. We are not actively deploying any certificates, only creating a trust exception for the certificate that is passed when the machine joins the network. The distributed profile is only applied to the login window at the system level.

 

Any assistance is greatly appreciated!

10 REPLIES 10

bwoods
Valued Contributor

1. Configure one of the following:

A. ADCS Connector (expensive)

B SCEP PKI Cert (inexpensive)

2. Add the PKI Cert to your Jamf Pro Server.

3. Learn how your Radius server authenticates. (username, hostname, serial, etc)

4. Configure a Wireless configuration profile that contains the chain of trust for your radius server the ADCS/SCEP cert and trust these certs. The profile most also contain your wireless payload.

5. Deploy the profile. 

 

How to configure ADCS: https://youtu.be/oRkpkN1Z3aI

How to configure SCEP: Integrating with DigiCert Using Jamf Pro - Integrating with DigiCert Using Jamf Pro | Jamf

Open a ticket with Jamf Support: Ask for Benjamin Julian. In my experience he is the most knowledgable about 802.1X configurations.

husnudagidir
New Contributor III

Hi,

 

Our Jamf server is running on the cloud. Are these things appropriate in the cloud environment?

Mithrandir
New Contributor III

We are not bound in my shop. After our security engineer worked with Aruba to implement a bypass auth scheme, I acutally got it working by implementing the following:

 

1) Added both dNSHostName & service PrincipalName to unbound (dummy) computer objects in AD.

2) Exported machine cert delivered via ADCS to my Mac and used name mapping in ADUC to set it as an alt-id.

3) Modified cert request syntax to include: host/$COMPUTERNAME.FQDN.

4) Added UPN to cert request (in addition adding DNSName as SAN): $userPrincipalName.FQDN.

5) In ADUC, reset computer password; using root terminal in macOS, I used the security command to: set both an identity preference and a generic password (matching the password input in ADUC).

6) Added additional SAN setting to cert request: UserPrincipalName: $userPrincipalName.FQDN

7) Exported entire cert chain from relevant issuing servers, and put them in the profile... and it works!

husnudagidir
New Contributor III

Hi Everyone,

I solved the 802.1x problem. You can contact me here to find out how to solve the problem.

how did you solve it? 

 

husnudagidir
New Contributor III

Hi,

We use Aruba brand Access Points in our WIFI network. 802.1x is used to connect to the network through these products and we include users in the network by verifying with a certificate. At this stage, identity and certificate verification is done with an application called ClearPass. The ClearPass application also serves as an MDM server and SCEP server. When we connect to Access Points, the ClearPass application sends a profile file to users via a web interface. Actually the whole solution is contained in this profile file settings. We changed the part specified as "user" in the settings of this configuration profile file, sent to MacOS devices by the ClearPass application, to "system". Thus, as soon as our MacOS device was turned on, the user was able to connect to the network automatically without logging in. If the application you use is ClearPass, I support this article with screenshots. You can use the screenshot below. After making this change, you need to delete and reinstall the WIFI profile on the macOS device. After this step, the problem disappears.

 

husnudagidir_2-1678130817739.png

 

 

Good morning.
How to solve?

Could you send a print of the configuration profiles?

Hi,

We use Aruba brand Access Points in our WIFI network. 802.1x is used to connect to the network through these products and we include users in the network by verifying with a certificate. At this stage, identity and certificate verification is done with an application called ClearPass. The ClearPass application also serves as an MDM server and SCEP server. When we connect to Access Points, the ClearPass application sends a profile file to users via a web interface. Actually the whole solution is contained in this profile file settings. We changed the part specified as "user" in the settings of this configuration profile file, sent to MacOS devices by the ClearPass application, to "system". Thus, as soon as our MacOS device was turned on, the user was able to connect to the network automatically without logging in. If the application you use is ClearPass, I support this article with screenshots. You can use the screenshot below. After making this change, you need to delete and reinstall the WIFI profile on the macOS device. After this step, the problem disappears.

 

husnudagidir_1-1678130807167.png

 

 

teodle
Contributor II

How did you solve it? 

husnudagidir
New Contributor III

Hi,

We use Aruba brand Access Points in our WIFI network. 802.1x is used to connect to the network through these products and we include users in the network by verifying with a certificate. At this stage, identity and certificate verification is done with an application called ClearPass. The ClearPass application also serves as an MDM server and SCEP server. When we connect to Access Points, the ClearPass application sends a profile file to users via a web interface. Actually the whole solution is contained in this profile file settings. We changed the part specified as "user" in the settings of this configuration profile file, sent to MacOS devices by the ClearPass application, to "system". Thus, as soon as our MacOS device was turned on, the user was able to connect to the network automatically without logging in. If the application you use is ClearPass, I support this article with screenshots. You can use the screenshot below. After making this change, you need to delete and reinstall the WIFI profile on the macOS device. After this step, the problem disappears.

 

husnudagidir_0-1678130773936.png