iOS 802.1x Enterprise wireless

cleverleys
Contributor

Hello,

We are investigating the possibility of joining our iPad estate to our 802.1x enterprise wifi, utilising Microsoft network policy servers and Meraki wireless.
Information about this topic looks to be sketchy. I've seen some rather old articles from 2012 using NDES, but nothing recent. I've seen other old articles that mention utilising authentication via username and password, but we are looking at device based authentication in the same way as our Windows clients rather than user based.

I'd be grateful for any signpost, information, tit-bit that anyone has to offer as information looks to be scarce!

Thanks!

5 REPLIES

Eyandell
New Contributor II

You may need to contact Cisco/Meraki support. I use Aruba Clearpass and I needed to setup one of my Tomcat servers as an Endpoint Context Server to import known devices to Clearpass. Once they were known it was just a matter of setting the end point to say Endpoint = Corp = True and setting up a role / policy to allow access. I checked Cisco's site and it's not friendly, good luck.

k3vmo
Contributor II

If you find any more information, I'd be grateful. Using NPS and 802.1x in our environment, as I was told, requires a bind to AD in order to get the machine certificate to pass back to NPS for identification as a valid network device.

Eyandell
New Contributor II

https://social.technet.microsoft.com/Forums/ie/en-US/a47aff4e-83b0-4367-b632-5f445c54f028/how-to-enforce-certificatebased-authentication-in-nps?forum=winserverNAP

I'm looking at NPS and it seems like the best-ish way to do it would be to setup a wireless service account for your iPads. Then in JAMF create a wireless network payload that includes both the Meraki and NPS certificates.


It would still be using user and cert based authentication but it would get them online. We used a system similar to this for our classroom iPads for a while but have since gone to 1 to 1 iPads and users logging in as themselves.

EDIT - You will want to install this profile on the devices before deployment, which means a single AP with an open SSID or PSK network will need to be created. I just had it in my office for setup, then deactivated it when not in use. It's also possible to use a current user's wireless logon to get network access; on reboot the iPad should switch to the profiled user account.

snovak
Contributor

I figured out a way to do 802.1x RADIUS authentication using public SMIME certificates and AD accounts: https://www.jamf.com/jamf-nation/discussions/29021/eap-tls--radius--public-certs-ipad-certificate-authentication

Basically I was able to have placeholder accounts in AD that I mapped a certificate to, and then used a configuration profile to say 'authenticate with this certificate'. Not super straightforward, and might not be scalable based on your security requirements, but it is possible :)

LNGU1203
New Contributor II

If you are deploying certificates manually, then you can do a configuration profile with Wi-Fi / certificate payloads.
However, if you want to automate the process it gets very complicated. Make sure LDAP is in place in case you want to deploy identity certificates. Then there is the AD CS Connector setup for Jamf to request certificates on your machine's behalf. Then there is attaching the user to the machine, etc. All of the above requires no binding to AD.