jflanakin
New Contributor III
New Contributor III

Welcome to Part 3 of our discussion of Certificates, SCEP, and 802.1x. In our previous post we took a look at how Active Directory Certificate Services works. In our final part in this series, we will explore SCEP and 802.1x.

What is SCEP?

  • SCEP = Simple Certificate Enrollment Protocol

What does SCEP do?

  • SCEP is a certificate management protocol that helps IT administrators issue certificates automatically.
  • SCEP is used by a Windows Server Role called NDES or offered as a service by a third-party Certification Authority (CA).

What is NDES?

  • NDES = Network Device Enrollment Service
  • NDES is a Windows Server Role Service which works with the Active Directory Certificate Services Role to distribute certificates via SCEP.

What does NDES do?

  • NDES allows software on routers and other network devices (e.g., Macs and iPads) running without domain credentials to obtain certificates based on the Simple Certificate Enrollment Protocol (SCEP).

How does NDES work?

  • NDES uses the Microsoft Internet Information Services (IIS) web server to allow supplicants to connect and request certificates.
  • When a request comes in it is processed by a web application that runs via IIS. This application is what handles the SCEP authentication flow and passes the request to the Certificate Authority, then passes the signed certificate back to the supplicant.

How is SCEP used with Active Directory and NDES?

  1. A SCEP profile is created and distributed to a computer via MDM. This profile includes information on what information the certificate should contain and how to create the Certificate Signing Request (CSR).
    1. The NDES server is configured to match incoming requests to a Certificate Template on the CA server. Only one Certificate Template can be used with one SCEP server.
  2. During the installation of the profile, the Certificate Signing Request is sent by a supplicant (a computer or device, or by Jamf Pro in some configurations) to the Certification Authority. For Active Directory environments not using AD CS Connector, NDES is the service that listens for these requests on behalf of the Certification Authority.
    1. There is a form of authentication used with SCEP called a challenge which prevents unwanted supplicants requesting a certificate. This is seen as the Challenge Type in configuration profiles.
    2. Dynamic Challenges require authentication by a service account to receive the challenge password, which is then used to authenticate the CSR.
    3. Static Challenges require only a pre-shared key which is used to authenticate the CSR.
    4. Other challenge types require information determined by the certification authority used.
  3. Once the request has been authenticated by SCEP, it is sent to the CA which verifies that the certificate request is valid, then creates and signs the certificate based on the certificate template specified by the SCEP server.
  4. Once signed, the certificate is sent back to the supplicant (or to Jamf Pro, then to the supplicant) and installed on the device.

What is NPS?

  • NPS = Network Policy Server
  • NPS is a Windows Server Role which includes the RADIUS role service. This role allows admins to create and enforce organization-wide network access policies for connection request authentication and authorization.

What is RADIUS?

  • RADIUS = Remote Authentication Dial-In User Service

What does a RADIUS server do?

  • RADIUS is a networking protocol that provides centralized authentication, authorization, and accounting management for users who connect and use a network service.
  • RADIUS servers allow organizations to utilize a central database (or directory) to maintain user profiles that remote servers and services can share for authentication to network resources.
  • RADIUS clients are the network access points that computers or devices connect to (wireless routers, VPNs, etc.).

What does NPS do?

  • NPS allows admins to centrally configure and manage network access authentication and authorization.
  • NPS performs centralized authentication, authorization, and accounting for wireless, authenticating switch, remote access dial-up and virtual private network (VPN) connections.
    • When admins use NPS as a RADIUS server, they configure network access servers, such as wireless access points and VPN servers, as RADIUS clients in NPS.
  • Admins can also configure network policies that NPS uses to authorize connection requests, and admins can configure RADIUS accounting so that NPS logs accounting information to log files on the local hard disk or in a Microsoft SQL Server database. 

What is 802.1x?

  • 802.1x is a standard that defines how to provide authentication for devices that connect with other devices on local area networks.
  • 802.x networks utilize a RADIUS server for authentication.
  • Two popular authentication protocols used with 802.1x networks are:
    • EAP-TLS – Certificate-based authentication.
    • EAP-PEAP – Credential-based authentication (username/password).

While 802.1x is nothing more than an authentication standard, it is often used as descriptor for a wireless network which uses 802.1x authentication.

What does an 802.1x network do?

  • 802.1x networks are Wi-Fi, wired, or virtual (VPN) networks which require a specific kind of authentication to access.
    • EAP-TLS authentication utilizes TLS encryption provided by the authentication server and authenticates the user or device based on a pre-installed certificate.
    • EAP-PEAP authentication utilizes TLS encryption provided by the authentication server to encrypt the username and password during authentication. It often uses Active Directory authentication rather than a Pre-Shared Key.

How does macOS work with 802.1x networks?

Information provided from Apple Documentation: Connect Apple devices to 802.1X networks

  • During the 802.1X negotiation, the RADIUS server presents its certificate to the device supplicant automatically.
    • The RADIUS server certificate must be trusted by the supplicant by either anchoring trust to a particular certificate or to a list of expected hostnames matching the certificate’s host. Even when a certificate is issued by a known CA and listed in the trusted root store on the device, it must also be trusted for a particular purpose.
    • This is either done manually when joining an enterprise network as the user is prompted to trust the certificate for the connected Wi-Fi network, or in a configuration profile.
  • Once the RADIUS server is authenticated to the supplicant, the supplicant then sends its own credentials based on the security type required by the RADIUS server.
  • There are two basic types of 802.1x configurations used with macOS:
    • User Mode: This mode, the simplest to configure, is used when a user joins the network from the Wi-Fi menu and authenticates when prompted. The user must accept the RADIUS server’s X.509 certificate and trust for the Wi-Fi connection.
      • This is often not configured with Jamf Pro because admins want the user workflow to be as simple and painless as possible.
    • System Mode: System Mode is used for computer authentication. Authentication using System Mode occurs before a user logs in to the computer. System Mode is commonly configured to provide authentication with the computer’s X.509 certificate (EAP-TLS) issued by a local certificate authority.

Common network and configuration profile terms

Some information provided from Apple Documentation: Connect Apple devices to 802.1X networks

  • SSID = Service Set Identifier. Otherwise known as the name of a Wi-Fi network.
  • Pre-Shared Key – A password or string of random characters which is known and distributed for authentication. Otherwise known as the Wi-Fi password you give to friends when they come over to your home to hang out.
  • Hidden Network – A network which does not broadcast its SSID. You must know the name of the network and connect to it manually (or be provided with the network information via MDM).
  • Security Type – Encryption used when connecting to wireless networks.
    • WEP – Wired Equivalent Privacy. The oldest wireless security protocol. No longer recommended to be used as it provides weak security.
    • WPA – Wi-Fi Protected Access. An older method of encrypting connections to wireless networks. Authentication typically happens on the router which broadcasts the wireless network
    • WPA2 Personal – The 2nd version of WPA. A common encryption method used for small office and home wireless networks. More secure than WPA due to advances in security technology.
    • WPA3 Personal – The 3rd and currently newest version of WPA which everyone will eventually migrate to. More secure than WPA2 due to advances in security technology.
    • WPA/2/3 Enterprise – An implementation of WPA protocols which utilizes a RADIUS server for authentication rather than the router which broadcasts the network.
  • Username – The username used to connect to the network. Only used with EAP-PEAP or similar user credential authentication protocols.
  • Identity Certificate – The certificate used to identify the user or computer which is connecting to the network. This is the authentication credential which is passed on to the NPS/RADIUS server to evaluate the connection attempt.
    • It’s not necessary to establish a chain of certificate trust in the same profile that contains the 802.1x configuration. For example, an administrator can choose to deploy an organization’s certificate of trust in a standalone profile and can put the 802.1x configuration in a separate profile. This way, modifications to either profile can be managed independently of one another.
  • Trusted Certificates – If the RADIUS server’s leaf certificate is supplied in a Certificates payload in the same profile that contains the 802.1x configuration, the administrator can select it here. This configures the client supplicant to connect only to an 802.1x network with a RADIUS server presenting one of the certificates in this list.
    • This field is commonly misconfigured by selecting certificate payloads included with the profile to establish the chain of trust for the identity certificate.
    • This field should ONLY have a value to configure supplicants to connect to RADIUS server presenting the exact same certificate as what is selected here.
  • Trusted Server Certificate Names - Use this field to configure the supplicant to connect only to RADIUS servers presenting certificates that match these names.
    • This field is commonly misconfigured by entering the FQDN of CA’s or the CN of the identity certificate or its chain of trust.
    • This field should ONLY have a value to configure the supplicants to only connect to a RADIUS server which presents a certificate with a CN which matches the value of this field.

How does an 802.1x profile connect a computer to a Wi-Fi network?

This is a simplified explanation to use as a high-level overview of the process. Connecting to 802.1x networks can be as simple or complex as a network administrator wants it to be.

  1. A configuration profile is created in Jamf Pro with a network payload.
    1. If using EAP-TLS for the security type it also includes at least one certificate payload for the identity certificate.
    2. Depending on the admins environment there may also be a SCEP payload.
  2. The profile is installed onto a target supplicant in its scope. This installs the necessary certificate to authenticate to the RADIUS server for an EAP-TLS network.
  3. If configured to auto-connect, the supplicant will then attempt to connect to the 802.1x network with the information provided in the profile.
  4. The supplicant contacts the wireless router and requests a connection. This connects the supplicant to a RADIUS server.
  5. When communicating with the RADIUS server, the supplicant will be presented a certificate identifying the RADIUS server.
    1. Depending on the profile configuration, either the certificate common name (CN) or the certificate itself must match to the configured Trusted Server Certificate Names or Trusted Certificates.
  6. Once the RADIUS server is authenticated to the supplicant, the supplicant then sends authentication credentials (username/password for EAP-PEAP or the identity certificate for EAP-TLS) to the RADIUS server.
  7. If this is a RADIUS server installed under NPS on a Windows Server, NPS evaluates the authentication credentials and security policies, then accepts or rejects the authentication attempt based on those security policies. The credentials should then be authenticated by the RADIUS server.
  8. If accepted, the RADIUS server communicates with the wireless router to accept the supplicant's credentials.
  9. The supplicant is now connected to the 802.1x network.

Due to the way the EAPOL client which handles 802.1x authentication on macOS devices is written, if a payload includes certain settings and the macOS computer cannot connect to the network due to a misconfiguration somewhere, strange things start happening on the computer.

If Trusted Certificates or Trusted Certificate Names are configured with the profile payload it prevents the computer from interacting with the user to connect to the 802.1x network. However, macOS computes will attempt the connection in a different way, often confusing users and admins to what exactly is broken.

That’s all for this series, thank you for reading!

11 Comments
rastogisagar123
Contributor II

Love the way you recalled my learnings!!

sharif_khan
Contributor II

Hi 

Our Jamf Pro server is on prem and we use organization certficate for ISE authentation along with DiGi cert, root cert and subordinate cert. Last year we upgrade the cert and that went well with the following workflow.

1. Pushed new certficate with a profile

2. Create an Smart group for presence of new profile on the machine

3. Run Inventory update on the machine via a policy that way they machine will be a part of the new smart group

4. Exclude new smart group from old profile that pull old cert automatically.

5. Bump the network port by our networking team (optional)

6. Restart the machine. (optional)

But this year I am trying to follow the same process but everytime getting a prompt to select the cert from following window which means if we deploy this process then user will has to select the cert themselves to connect to network.

Screenshot 2023-05-18 at 7.35.31 AM.png

We don't want that. Is there anyone facing this issue. Any information will be helpfull.



Maclife
New Contributor III

@sharif_khan have you ever sorted this issue out? I have exactly the same issue where I do have to manually select the computer certificate to authenticate and then it works. But how can I make this automatically ?

snowfox
Contributor III

@Maclife @sharif_khan 

Hi, Here are some things I encountered when setting up SCEP.

To get the computer to automatically authenticate instead of prompting the user, ensure you have the following setting set in the 'Network payload' of the SCEP Configuration Profile as the Username (username for connection to the network):

host/$SERIALNUMBER

Screenshot 2023-08-15 at 09.29.18.png

Also ensure on the 'Trust tab' that you have your Root and Intermediate certificates ticked as trusted under 'trusted certificates' and your network authentication server domains should also be listed as trusted under 'Trusted Server Certificate Names' 'certificate common name'.  A wildcard can be used to cover all servers:

*.myserverdomain.mycompanydomain

Also ensure you have added/uploaded your Root and Intermediate certificates to the SCEP Configuration Profile under 'Certificates'.

The certificate chain of trust (Root, Intermediate, Leaf) must be complete on both the client machine and the network authentication server in order for an automated successful handshake to take place between the two. 

So the Root and Intermediate certificates need to be present on both.  The dynamically generated leaf certificate is added on the fly at the time of Configuration Profile installation whether you are using the Jamf server as SCEP Proxy or are using Direct SCEP via Configuration Profile.  It does not need to be manually added to the Configuration Profile.

I hope this points you in the right direction.

Maclife
New Contributor III

@snowfox thanks for the info but we are not using SCEP instead the AD CS identity certificate 

sharif_khan
Contributor II

Hi Everyone

I able to fix that during this year cert update. We use AD cert (internal). All you need to upload all the certs to Jamf and also common name and also select all those AD cert including root cert under trust tab but remember if you are updating device cert then change the name of the cert because if they has the same name then that will not do automatically swap. So, that is the trick in my case. But obviously every environment is different. I hope I able to make you understand.

whiteb
Contributor II

@snowfox 

This was helpful info. Piloting 802.1x currently. What NAC are you using out of curiosity?

We're trying to use Windows Radius / NPS but running into an issue where it doesn't recognize macOS hostnames (presented in the SCEP payload Subject) because they aren't AD-bound. Seeing some people say to create dummy objects in AD for TLS to work.

We'd use $USERNAME, but our shared devices don't have an AD username associated with them in 'User & Location'.

So as I see it we have three options;

1. Ditch Windows Radius / NPS

2. Create dummy objects in AD for our shared computers

3. What if I programmatically populate an AD service account to these computers in 'User & Location' so I can use the $USERNAME variable with them? Trying to gauge how much of a security risk that is.

bcbackes
Contributor III

@whiteb I'm no expert on this subject but I worked with Jamf Support to get ours up and running. We are using Cisco ISE and currently have our devices bound to AD but will be unbinding them so we can use Jamf Connect so I had to get a workflow that would work for either or. 

For our SCEP payload we are using "CN=$SERIALNUMBER,O=$PROFILE_IDENTIFIER" for the Subject and "ID:JAMF:GUID:$MANAGEMENTID" for the Subject Alternative Name. This works very well in our environment. Especially since we renamed our devices after enrollment completes and it triggers a policy to rename. We tried using hostname but it changes after the rename so that would cause issues when the certs are issues before the rename.

We switched to serialnumber and that works perfectly for us since that doesn't change. For the Network payload we are not using a "username" at all. We are using the identity certificate and selecting the name we configured in the SCEP payload. 

mani2care
Contributor

This is want I was looking it 

it’s correct solution I think using that 

For our SCEP payload we are using "CN=$SERIALNUMBER,O=$PROFILE_IDENTIFIER" for the Subject and "ID:JAMF:GUID:$MANAGEMENTID"

 

and I have some questions is there any way to get the list of certifications via extension attributes and filter it out expired certifications and delete them.

second get the with in 30 days how many certifications are going to expire.

third find the duplicate certifications and delete the old one if found.

is this possible and any one using or having the script extension attributes.

snowfox
Contributor III

@whiteb Every environment will be different.  We are using Aruba ClearPass and Microsoft SCEP/NDES to issue certificates via Jamf Pro as SCEP Proxy.  SCEP authentication is certificate based machine authentication.  ClearPass doesn't care if the device is bound to AD or not.  It's looking for a valid & complete 'Certificate chain of trust' (root cert, intermediate cert & dynamically generated leaf cert) installed on the Mac.  And as only an enrolled device can have that installed, it is trusted and allowed on the network.  If we don't use the username field setting, we get prompted for user name and password at the desktop.  Putting in the host/ command tells ClearPass that the computer will be authenticating, not the user. 

whiteb
Contributor II

@snowfox That's fair. I was mainly wondering if you were using NPS / Windows Radius. I was struggling to get Macs to authenticate but have it figured out now (using $USERNAME with leaf cert). We're also using SCEP/NDES with Jamf as the proxy.

@bcbackes Thanks for the reply. Sounds like you're also fortunate to have a proper NAC in place with Cisco ISE. As the other poster said, this is all fairly environment-specific so your setup doesn't really apply to ours (I was looking to see if anyone else with similar setup to ours). But after recently realllly diving into 802.1x, it is interesting to hear about other people's setups! We're using NPS for Radius and devices get SCEP certs with $USERNAME that matches to a Username in AD. Was a bit tricky to get working, not designed to work with macOS, and outdated, but.. free.