EAP-TLS + RADIUS + Public Certs == iPad Certificate Authentication!

snovak
Contributor

Hi everyone,

I figured out how to get EAP-TLS wireless authentication working for iPads using publicly signed certificates with the Client Authentication OID.

Here’s the basic rundown:

  • Import InCommon CAs into the NTAuth certstore of the radius servers
  • Create Radius Connection Request Policy - Made a copy of the ‘Use Windows authentication for all users’
    • Added a User Name condition so it would only apply for my specific connection (the CN of the cert)
    • Removed all authentication methods but ‘Microsoft: Smart Card or other certificate’
    • Added a Manipulation rule for User Name to transform ‘Sam Novak’ to ‘snovak@mydomain.edu’
    • I guess radius wants user principal name or something
    • https://www.afp548.com/2012/11/20/802-1x-eaptls-machine-auth-mtlion-adcerts/
  • For user certs (Critical step!)
    • Have copy of the certificate (just the cert, no key)
    • Find user in AD
    • Right click > Name Mappings
    • Add the cert to the user
  • For machine certs (which will drop the devices in FS)
    • Change the manipulation rule to replace ‘.mydomain.edu’ to ‘$@mydomain.edu’

Once I got the certs, I imported them (as a p12 with both the cert and key), plus the certs for my RADIUS servers, into a configuration profile, added a wireless configuration profile, checked EAP-TLS and selected my client/authentication cert.
I also added my RADIUS certs as 'trusted' for the connection so it wouldn't prompt users to trust them when the profile got installed.

Now for us, I’m only (currently anyway) deploying these to groups or carts of iPads, because those areas should be keeping track of who is using iPads at what time for auditing purposes. It would probably be possible to use SCEP, and Jamf API and powershell to automagicify the whole process, but this was good enough for me, considering how soon school is starting (and that could create a TON of radius policies).

Let me know if you want/need any more detail on how to set this up and I’ll be happy to help!
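As an added illustration (not code from the post or from NPS), here is a small Python model of the decision path the steps above describe: the User-Name manipulation rules rewrite the cert's CN into a UPN, and the explicit AD name mapping for that issuer/subject has to agree before the account is accepted. The rules, the mapping table and the certificate fields are constructed stand-ins; NPS writes back-references as $1 while Python's re.sub uses \1, so the machine-cert rule is in Python syntax.

```python
import re

# Constructed stand-in for the NPS User-Name manipulation rules in the post.
# NPS writes back-references as $1; Python uses \1, so the second rule is
# written in Python syntax. Rules are applied in order, like NPS does.
MANIPULATION_RULES = [
    (r"^Sam Novak$", "snovak@mydomain.edu"),            # user cert: CN -> UPN
    (r"^([^.]+)\.mydomain\.edu$", r"\1@mydomain.edu"),  # machine cert: FQDN -> host@realm
]

# Constructed stand-in for the AD "Name Mappings" (altSecurityIdentities) table,
# keyed on (issuer, subject CN) as the cert was added to the user object.
NAME_MAPPINGS = {
    ("CN=Example Client CA", "Sam Novak"): "snovak@mydomain.edu",
    ("CN=Example Client CA", "ipad-cart-07.mydomain.edu"): "ipad-cart-07@mydomain.edu",
}

# Client Authentication EKU, which the post says the public certs must carry.
CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"


def apply_rules(user_name, rules=MANIPULATION_RULES):
    """Rewrite the User-Name as the connection request policy would, in rule order."""
    for pattern, replacement in rules:
        user_name = re.sub(pattern, replacement, user_name)
    return user_name


def evaluate(cert):
    """Decide whether a presented cert would map to an AD identity.

    `cert` is a dict with 'issuer', 'subject_cn' and 'eku' (list of OID strings),
    i.e. the fields a parsed certificate would provide (constructed here).
    Returns (identity or None, reason).
    """
    if CLIENT_AUTH_OID not in cert.get("eku", []):
        return None, "certificate lacks the Client Authentication EKU"
    identity = apply_rules(cert["subject_cn"])
    mapped = NAME_MAPPINGS.get((cert["issuer"], cert["subject_cn"]))
    if mapped is None:
        return None, "no AD name mapping for this issuer/subject"
    if mapped != identity:
        return None, f"rewritten User-Name {identity!r} does not match mapping {mapped!r}"
    return identity, "ok"
```

Running a candidate cert through `evaluate` before touching the production policy shows which of the three checks (EKU, rewrite, mapping) would reject it.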


djrory
Contributor

"I also added my RADIUS certs as 'trusted' for the connection so it wouldn't prompt users to trust them when the profile got installed."

For the life of me, no matter what I add to the profile and different combinations of certs and tick boxes and CAs etc the iPads ALWAYS prompt the user to trust my RADIUS cert. Did you ever come across this issue?

cleverleys
Contributor

This is quite complex, and does depend on your setup.

We have a wireless profile, with a root CA, and a template cert with $SERIALNUMBER and $USERNAME as fields, which is then populated by Jamf ADCS that talks to an internal CA. Both certs and the profile install trusted on the device.

And the first time you join the SSID do you get a trust prompt? As far as I can decipher this prompt is unavoidable...