802.1x certificate renewal

CS_MC
New Contributor

Hello,

We are about to renew our 802.1x wireless certificate for the first time and are also a new Casper 8.62 install. I'm hoping to make the process as painless as possible. We are still rolling out Casper so we have varying configurations currently deployed. Some machines are 10.6.8 with an 802.1x user profile, others are 10.7.x and 10.8.x with login window profiles. They have our current AD RADIUS certificate in the profile.

Does anyone know if I can get away with simply installing our internal (AD) root CA certificate as a Trusted Root CA on the clients?

If so, is there any harm in temporarily leaving the existing certificate in place (in the user profile & login window profile), even after it has expired?

Thanks,
Carl


alexjdale
Valued Contributor III

We don't deploy our root/chain certs in the profile, they are installed separately to the System keychain with explicit trust for SSL and EAP and it works fine. The Profile we install just carries the 802.1x config and the system's cert payload (requested by script, encoded and inserted into the Profile XML, which is then fed into the profiles command to install).

Honestly, if you are using the same configuration still, it should just be a matter of re-executing it and it will overwrite the existing config (for 10.7/10.8, remove the old profile first and it will automatically remove any certs it installed). Things do get messy in 10.7/10.8 if you have User configurations though, since part of the config is stored on the user's Login keychain.

Not sure about Snow Leopard, but we used System profiles and it worked much better for us. Just re-run our setup script and it overwrote everything with a new cert, flawlessly. 802.1x on 10.7/10.8 is a poorly-implemented nightmare.

CS_MC
New Contributor

Thanks Alex,

I can definitely attest to 10.7/10.8 being problematic. I am currently struggling to understand why an 802.1x profile built in Casper causes the network to drop once a minute. But that's a different issue altogether.

For the 10.7 and 10.8 machines, their profiles were installed manually, so I have to remove them manually. I wrote this script and it seems to work. Once it's done and reconnected, I check the keychain and I only see the root certificate and not the actual RADIUS cert. I'm hoping this approach works on the 10.6.8 machines too. So again, it appears to be working. Hard to tell for sure until the existing certificate has expired though.

I still feel like I'm overthinking this.

#!/bin/bash

# Copy the profile and the root CA from the distribution point to a temp folder.
cp "/Volumes/CasperShare/Scripts/Settings_for_SSID.mobileconfig" "/private/tmp/Settings_for_SSID.mobileconfig"
cp "/Volumes/CasperShare/Scripts/RootCA.cer" "/private/tmp/RootCA.cer"

# Remove the old SSID configuration profile (-z supplies the profile's removal password).
sudo profiles -R -F "/private/tmp/Settings_for_SSID.mobileconfig" -z notarealpassword

# Install the root CA into the System keychain as a trusted root (-d = admin trust domain, needs root).
sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "/private/tmp/RootCA.cer"

# Get the Wi-Fi interface: the "Device:" line that follows the Wi-Fi (10.7+) or AirPort (10.6) hardware port.
# awk patterns are case-sensitive, so "AirPort" must be spelled with a capital P to match Snow Leopard.
airport=$(networksetup -listallhardwareports | /usr/bin/awk '/Wi-Fi|AirPort/ {getline; print $NF}')
if [ -z "$airport" ]; then
    echo "No Wi-Fi interface found" >&2
    exit 1
fi

# Reconnect to the SSID.
sudo networksetup -setairportnetwork "$airport" SSID

# Clean up the temporary copies.
srm --force "/private/tmp/RootCA.cer"
srm --force "/private/tmp/Settings_for_SSID.mobileconfig"
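Carl's question about leaving the expired RADIUS certificate inside the profile, and Alex's note that the profile XML carries the cert payload, both come down to knowing exactly which certificates a .mobileconfig will install and whether any of them are already stale. The script below is an added example, not code from this thread or from Casper: it reads a profile with the standard library, walks just enough DER to reach each embedded certificate's Validity field, and reports which payloads are expired and which one the Wi-Fi payload actually names as its EAP trust anchor (the PayloadCertificateAnchorUUID key). The profile layout, the payload UUIDs and the certificates themselves are constructed fixtures.

```python
"""Audit the certificate payloads embedded in a .mobileconfig profile.

Added example; the profile, UUIDs and certificate bytes below are constructed
test fixtures (unsigned, structurally minimal certs), not real data.
"""
import plistlib
from datetime import datetime, timezone


def _tlv(tag, content):
    """Encode one DER element (used only to build the constructed test certs)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _read_tlv(buf, pos):
    """Decode the DER element at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next (length & 0x7f) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag, raw):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ) to aware datetime."""
    s = raw.decode("ascii")
    if tag == 0x17:                         # RFC 5280 pivot: YY >= 50 is 19YY, otherwise 20YY
        yy = int(s[:2])
        s = str(1900 + yy if yy >= 50 else 2000 + yy) + s[2:]
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def cert_validity(der):
    """Return (notBefore, notAfter) of a DER-encoded X.509 certificate."""
    _, cert, _ = _read_tlv(der, 0)          # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)          # tbsCertificate SEQUENCE
    tag, _, pos = _read_tlv(tbs, 0)         # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = _read_tlv(tbs, pos)     # serialNumber
    _, _, pos = _read_tlv(tbs, pos)         # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)         # issuer Name
    _, validity, _ = _read_tlv(tbs, pos)    # Validity ::= SEQUENCE { notBefore, notAfter }
    t1, nb, pos = _read_tlv(validity, 0)
    t2, na, _ = _read_tlv(validity, pos)
    return _parse_time(t1, nb), _parse_time(t2, na)


CERT_PAYLOAD_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1"}


def audit_profile_certs(profile_bytes, now=None):
    """List every certificate payload with its expiry and whether the Wi-Fi payload trusts it for EAP."""
    now = now or datetime.now(timezone.utc)
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    anchors = set()
    for p in payloads:
        if p.get("PayloadType") == "com.apple.wifi.managed":
            anchors.update(p.get("EAPClientConfiguration", {}).get("PayloadCertificateAnchorUUID", []))
    report = []
    for p in payloads:
        if p.get("PayloadType") in CERT_PAYLOAD_TYPES:
            _, not_after = cert_validity(p["PayloadContent"])
            report.append({"uuid": p["PayloadUUID"], "name": p.get("PayloadDisplayName", ""),
                           "not_after": not_after, "expired": not_after < now,
                           "eap_anchor": p["PayloadUUID"] in anchors})
    return report


def make_test_cert(not_before, not_after):
    """Constructed, unsigned certificate with only the fields the walker above needs (test data)."""
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02"))                                        # version v3
           + _tlv(0x02, b"\x01")                                                  # serialNumber
           + _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _tlv(0x05, b""))  # sha256WithRSA
           + _tlv(0x30, b"")                                                      # issuer (empty Name)
           + _tlv(0x30, _tlv(0x17, not_before) + _tlv(0x17, not_after))           # validity (UTCTime)
           + _tlv(0x30, b"") + _tlv(0x30, b""))                                   # subject, SPKI placeholders
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


def make_test_profile():
    """Profile shaped like Settings_for_SSID.mobileconfig: a stale RADIUS cert, a current root CA,
    and a Wi-Fi payload that anchors EAP trust on the root CA only (all values constructed)."""
    stale = make_test_cert(b"110101000000Z", b"130601000000Z")
    root = make_test_cert(b"100101000000Z", b"300101000000Z")
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadIdentifier": "example.wifi.settings",
        "PayloadUUID": "profile-0000",
        "PayloadContent": [
            {"PayloadType": "com.apple.security.root", "PayloadUUID": "cert-old-0001",
             "PayloadDisplayName": "old radius cert", "PayloadContent": stale},
            {"PayloadType": "com.apple.security.root", "PayloadUUID": "cert-root-0002",
             "PayloadDisplayName": "Internal Root CA", "PayloadContent": root},
            {"PayloadType": "com.apple.wifi.managed", "PayloadUUID": "wifi-0003",
             "SSID_STR": "SSID", "EncryptionType": "WPA",
             "EAPClientConfiguration": {"AcceptEAPTypes": [25],
                                        "PayloadCertificateAnchorUUID": ["cert-root-0002"]}},
        ]})


if __name__ == "__main__":
    for entry in audit_profile_certs(make_test_profile()):
        print(entry)
```

Point it at a real profile with `audit_profile_certs(open(path, "rb").read())` (it expects the unsigned XML or binary plist, so strip the CMS signature from a signed profile first). An expired payload that is not the EAP anchor is dead weight the client will still install; a payload that is both expired and the anchor is the case Carl is worried about, since the supplicant will refuse the RADIUS server's chain once the anchor lapses.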