802.1X Profiles...Help

Nix4Life
Valued Contributor

Hi Folks;
we just setup Radius/AD authentication. having an issue with Laptop carts. Trying to setup compute level authentication, but it seems to fail. can anyone share their setup/settings( step by step if possible) I tried making the profile in Casper, but not sure if its downloaded. the profile contained Network setting, Certificate and AD settings.

Thanks in advance

LS

7 REPLIES 7

bbergstein
New Contributor III

How are you getting the certs? SCEP, RDC, static, or something else altogether?

Our basic setup is a profile in the JSS that retreives a cert from our CA based on the AD object of the computer. This is outlined quite nicely in both JAMF's and Apple's documentation (see the admin guide or http://support.apple.com/kb/HT5357). We have a custom template set up on our CA to generate the certs.

sprovost
New Contributor III

bbergstein: can you post where at apple there is a DETAILED explanation of 802.1x in regards to apple 10.8?
I am running into issues with the user logging on to the laptop and get wireless access authentication working properly.
too many settings!
thanks
stephen

Nix4Life
Valued Contributor

BB;
That's the article i used. if I am local admin,I can download cert No Problem. if I am a network user, it just hangs, even thought I just joined it as the local. admin. these are lab machines no I guess I am looking for the computer tho be authenticated, and the user logs in and it will join the network with out asking for credentials. Thanks for all you input thus far

Kumarasinghe
Valued Contributor

802.1x System and Loginwindow for Wi-Fi

Make the OS X Machine authentication to RADIUS as well as Loginwindow authentication

1) First we have to download the CA certificate chain from Active Directory Certificate Service
  Go to: http://Your-AD-Server/certsrv/ and click "Download a CA certificate, certificate chain, or CRL"

2) Click "Download CA certificate chain" It will download a cert chain called "certnew.p7b"

3) Double-click the "certnew.p7b" to get it to "Keychain Access"

4) Double-click the imported Certificate (e.g- AD-CA1)

5) Expand "Trust"

6) Select "Alway Trust" for "When using this certificate" to trust this cert for all

7) Right-click on the certificte (AD-CA1) and select Export..

8) Export as (.cer) certificate and Save to Desktop

9) Go to Keychain and select Thawte Premium Server CA (this is only in our environment to trust the eduroam certificate so change settings to suite your Wi-Fi settings)

10) Export the .cer Certificate file to Desktop
 
11) Then we have to Create a new AD machine certificate template on the AD cert server . Easiest way of doing this is to duplicate the Windows Machine (named WorkstationAuthentication in our environment) template and name it for Mac

12) Right -click and select "Duplicate Template"

13) Select "Windows Server 2003 Enterprise"

14) Then Edit the Template as in the next step

15)

(i)Name it like "OSX Workstation Certificate" this will automatically create the Template Name without spaces. You should use the name without spaces in "AD Certificate" payload in JSS.

(ii) In the "Subject Name" field, tick "User principal name (UPN)" and untick all others for alternate subject name.

(iii) In the "Security" field, make sure you have privileges for Domain Computers to "Enroll" and "Read"

 
16) Create a new Configuration Profile in JSS
     Give a name and description and make it "Computer Level"

17) Go to "AD Certificate" payload and fill these information;

Description: AD Certificate Certificate Server: Your-AD-Server (AD Cert Server host name) Certificate Authority: AD-CA1         (AD certificate name which we downloaded earlier) Certificate Template:OSXWorkstationCertificate   (newly created AD machine certificate template for OS X machines)

18) Go to "Certificate" payload and upload the Thawte Premium Server CA and AD-CA1 certificates we downloaded earlier.

19) In the "Network" payload fill these information;

Network Interface: Wi-Fi Service Set Identifier (SSID): Your Wi-Fi SSID (e.g.- eduroam) "Auto Join" ticked Security Type: WPA / WPA2 Enterprise (might be different on your environment) "Use as a Login Window configuration" ticked Protocols: TLS, PEAP (might be different on your environment BUT You need TLS to handle the AD cert, so leave TLS ticked no matter what) Identity Certificate: AD Certificate (this is the AD certificate payload we created in Step 17) Inner Authentication: MSCHAPv2 (might be different on your environment)

20) Select Trust area;
     Select (tick) Thawte Premium Server CA in Trusted Certificates (might be different on your environment)
     Select (tick) AD-CA1
     Click the + icon and type eduroam.myedu.edu as Trusted Server Certificate Names (change to suite your environment)
     Allow Trust Exceptions Unticked

21) Then go to: https://yourjssurl.com/exportOSXConfigurationProfile.html and Download the created profile as .mobileconfig

22) Test the installation of the certificate (test machine has to be bound to AD first);
command in terminal:
/usr/bin/profiles -I -F /path/to/mobileconfig

If you get "profiles install for file:'xxxxxxxxxxxxxxxxxxxx.mobileconfig' and user:'(null)' returned -319 (The 'Active Directory Certificate' payload could not be installed. The certificate request failed.)" ERROR; You may also want to make sure that you have an Kerberos ticket: $ klist -l If not make one: $ sudo kinit -k computername$ then you'll be able to install the profile with /usr/bin/profiles -I -F /path/to/mobileconfig command

23) I normally package this and deploy the Configuration Profile at imaging.

24) Upload it to Casper Admin and give Priority 20 (so it will install at the very end - will give enough time to bind the computer prior to this installation as it requires the machine to bound to AD first)

Done.

--------------------------------------------------------------------------------
Thank God.
"For the Lord gives wisdom; from his mouth come knowledge and understanding" (Proverbs 2:6)
--------------------------------------------------------------------------------

Nix4Life
Valued Contributor

Thanks again Kumara. I will try this today

Nix4Life
Valued Contributor

Thanks Kumara;

I can get the CA installed. At the login screen I see the drop down for my wireless network, I choose it . yet there is an amber light next to the network login. I try with my credentials and cannot login. If i use the local admin account, I can get in, and I see the wireless appear to be searching for a network, even though it has been set in the profile. Using 8.64, Radius, TLS/PEAP. I've followed the Apple Article. Anyone have any ideas?
TIA

LS

azbikowski
New Contributor II

If you're looking to get this pushed out to Mountain Lion and above in an automated fashon for Macs joined to AD, see the discussing I'm having on the Spiceworks forum. I've got this all working in my environment, just need to get the documentation finished and ready for sharing.

http://community.spiceworks.com/topic/400699-mac-802-1x-eap-tls-with-windows-adcs