Posted on 04-17-2013 03:58 PM
We've been migrating to a RADIUS-based network authentication, with device certificates as the authenticating method. iOS and Android we managed through our MDM solution with SCEP/NDES, Windows devices (bound to the domain) get certificates via Group Policy, and we were looking at Casper and OS X Configuration Profiles for our Mac systems. After a long session of trial, error and debugging, I wanted to share the lessons learned, in case any of you run up against this setup.
Prerequisite steps to issue an AD Certificate
On the JSS, navigate to the Configuration Profiles for OS X 10.7 or later
The AD certificate profile can be added to an existing profile, or configured independently, but I like to keep this stuff separate during deployment, to ensure I don't break other policies while extending our management service.
These steps assume you have configured an Active Directory Certificate Server, and your Mac clients are bound to the Active Directory domain that Cert Server exists in. Use the AD Certificate profile option to configure this. Instructions in the manual are good, but some details that aren't included, and that can leave you stumped, are outlined below.
All of that setup is pretty straightforward, only a couple of details that seemed to be less than crystal clear to me. The back end was where our challenges existed.
On the CA, the template must be configured to allow the group containing all domain computers (domaindomain.computers) to enroll for certificates (this is a 2008 AD Certificate Server). This was the gotcha on our end - the account that authenticates to the server is not the account that requests the certificate - when using the AD Certificate Request Profile, the machine itself directly requests the certificate. It took reviewing the exact failed certificate requests closely to realize that the requesting account (to enroll the device in the CA) was the computer itself. If you don't set up domain.computers to request certificates from this template, the request will fail because the computer does not have rights to request a certificate by default.
The Apple CA request article is a good reference as well: http://support.apple.com/kb/HT5357
Posted on 04-17-2013 05:56 PM
If you are going to use this AD Certificate with OS X 802.1x system configuration:
You might need to create a separate AD Certificate template for your Mac machines as you need to use "User principal name (UPN)" in the "Subject Name" field and untick all others for alternate subject name fields.
(Windows AD Machine Certificate Template normally uses the "DNS name" in the "Subject Name" field)
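To verify what an issued certificate actually carries in its Subject Alternative Name, here is an added example (not from either poster, and not Jamf or Apple code) that decodes a DER SubjectAltName with stdlib-only parsing and flags whether the Microsoft UPN otherName is present. The two sample SANs are constructed inline; the hostname `mac01.corp.example` and the UPN `MAC01$@corp.example` are made-up values. A real certificate can be fed to `san_from_cert` as DER, e.g. after `openssl x509 -in cert.pem -outform DER -out cert.der`.

```python
"""Decode the SubjectAltName of an X.509 certificate and report the two name
types that matter for a Mac doing 802.1X with an AD-issued certificate:
dNSName (what the default Windows computer template emits) and the Microsoft
userPrincipalName otherName (what the Mac-specific template needs).
Pure stdlib. The sample SANs at the bottom are constructed here, not real."""

UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # Microsoft userPrincipalName otherName type-id
SAN_OID = "2.5.29.17"                # id-ce-subjectAltName


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                            # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for every TLV inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        yield tag, val


def _decode_oid(value):
    parts = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:                          # base-128 arcs, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))


def parse_san(san_der):
    """Decode a DER GeneralNames SEQUENCE into a list of (kind, value) tuples."""
    tag, body, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    names = []
    for tag, val in _children(body):
        choice = tag & 0x1F                      # context-specific tag number = CHOICE index
        if choice == 2:                          # dNSName [2] IA5String
            names.append(("dNSName", val.decode("ascii")))
        elif choice == 0:                        # otherName [0] SEQ { type-id OID, value [0] EXPLICIT }
            (_, oid_val), (_, explicit) = list(_children(val))
            _, inner, _ = _read_tlv(explicit, 0)  # strip the [0] EXPLICIT wrapper -> UTF8String
            oid = _decode_oid(oid_val)
            kind = "UPN" if oid == UPN_OID else "otherName:" + oid
            names.append((kind, inner.decode("utf-8")))
        else:
            names.append(("GeneralName[%d]" % choice, val.hex()))
    return names


def san_from_cert(cert_der):
    """Return the SubjectAltName extension value from a DER Certificate, or None if absent."""
    _, cert, _ = _read_tlv(cert_der, 0)           # Certificate SEQUENCE
    _, tbs = next(_children(cert))                # tbsCertificate is its first element
    for tag, val in _children(tbs):
        if tag == 0xA3:                           # extensions [3] EXPLICIT Extensions
            _, exts, _ = _read_tlv(val, 0)
            for _, ext in _children(exts):
                fields = list(_children(ext))     # Extension ::= SEQ { OID, [critical BOOL], OCTET STRING }
                if _decode_oid(fields[0][1]) == SAN_OID:
                    return fields[-1][1]          # OCTET STRING content is the encoded GeneralNames
    return None


def has_upn(san_der):
    """True when the SAN carries a Microsoft UPN otherName, as the Mac 802.1X template needs."""
    return any(kind == "UPN" for kind, _ in parse_san(san_der))


# --- minimal DER encoder, used only to construct the sample SANs below --------------------
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(oid):
    parts = [int(p) for p in oid.split(".")]
    out = [parts[0] * 40 + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        while p >> 7:
            p >>= 7
            chunk.insert(0, 0x80 | (p & 0x7F))
        out += chunk
    return bytes(out)


def build_san(dns=(), upn=None):
    """Construct a DER SubjectAltName with the given dNSNames and an optional UPN otherName."""
    names = b"".join(_tlv(0x82, d.encode("ascii")) for d in dns)            # [2] primitive
    if upn is not None:
        other = _tlv(0x06, _encode_oid(UPN_OID)) + _tlv(0xA0, _tlv(0x0C, upn.encode("utf-8")))
        names += _tlv(0xA0, other)                                           # [0] constructed
    return _tlv(0x30, names)


# Constructed samples (made-up names): Windows-style computer template vs. Mac UPN template.
WINDOWS_STYLE_SAN = build_san(dns=["mac01.corp.example"])
MAC_UPN_SAN = build_san(upn="MAC01$@corp.example")

if __name__ == "__main__":
    for label, san in (("Windows template", WINDOWS_STYLE_SAN), ("Mac UPN template", MAC_UPN_SAN)):
        print(label, parse_san(san), "UPN present:", has_upn(san))
```

`san_from_cert` assumes the standard v3 Certificate layout and returns `None` when the certificate has no SAN extension at all, which is itself worth knowing when a supplicant is being rejected: the fix then lies in the template's Subject Name tab, not on the client.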