You’ve been tasked with ensuring the Macs on your domain have the correct certificates and magic tricks to get 802.1x working, and let’s face it, no matter how much you as an admin want to admit it, there is no elegant way to get this configured in a fully automated process (in my experience). So here’s how I’ve managed to get it working for wireless connections:

Prerequisites

  1. Copies of your Root-CA and Issuing Certificate Authorities Certificates (.cer formats)
  2. A User certificate template name configured for EAP-TLS Authentication
  3. AD service account
  4. Secure Build Network with line of sight to Active Directory

Wireless EAP-TLS 802.1x Configuration

  1. Head over to your Casper JSS and create a new configuration profile
  2. Give it an appropriate name, select a relevant category and select User Level to apply the policy
  3. Enable the Certificates option and upload your Root-CA and Issuing Authority Certificates
  4. Once all your certificates have been uploaded, head over to the AD Certificate payload section to configure
  5. Now configure the AD Certificate Payload with the following:
    1. Description: [Something Descriptive]
    2. Certificate Server: [AD Certificate Server]
    3. Certificate Authority: [Issuing Certificate Authority Certificate Name]
    4. Certificate Template: [AD Certificate Template Name]
    5. Certificate Expiration Notification Threshold: 14
    6. Username: [AD Service Account Username]
    7. Password & Verify Password: [AD Service Account Password]
    8. Allow access to all applications: Checked
  6. Once your AD Certificate is configured, head to the Network payload section to configure
  7. Now configure the network payload with the following:
    1. Network Interface: Wi-Fi
    2. SSID: [Your organisation’s SSID]
    3. Auto-Join: Checked
    4. Security Type: WPA/WPA2 Enterprise
    5. Set the following:
      • Protocols:
        • Accepted EAP Types: TLS
        • Trust: [Check all of your uploaded Root-CA and Issuing Authority Certificates]
    6. Username: [Leave Blank]
    7. Identity Certificate: AD Certificate
  8. Save the Configuration Profile
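To show what the JSS is actually generating from steps 3 to 7, here is an added example (not the page’s or Jamf’s code) that builds the same user-level profile as a plist with Python’s standard plistlib, linking the Wi-Fi payload’s trust anchors and identity certificate to the Certificates and AD Certificate payloads by UUID, and then checks that every reference resolves before the file is handed to `profiles -I -F`. Payload key names are those of Apple’s Configuration Profile Reference; the certificate bytes, UUIDs, SSID, server and template names are constructed placeholders, and the `TLSTrustedServerNames` entry is an extra RADIUS server-name check that goes beyond the GUI steps above.

```python
"""Build the 802.1x EAP-TLS Wi-Fi profile that the JSS steps produce and
check that its certificate references resolve. Added example; all names,
UUIDs and certificate bytes are constructed placeholders."""
import plistlib
import uuid

EAP_TLS = 13  # AcceptEAPTypes value that means EAP-TLS


def _base(payload_type, display_name):
    """Keys every payload carries; a fresh UUID is what the other payloads reference."""
    return {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.{uuid.uuid4()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
    }


def cert_payload(display_name, der_bytes):
    """Certificates payload, one per Root-CA / Issuing CA (.cer contents as DER)."""
    return {**_base("com.apple.security.root", display_name), "PayloadContent": der_bytes}


def ad_cert_payload(server, ca_name, template, username, password):
    """AD Certificate payload, mirroring the fields set in step 5."""
    return {
        **_base("com.apple.ADCertificate.managed", "User 802.1x certificate"),
        "Description": "User 802.1x certificate",
        "CertServer": server,
        "CertificateAuthority": ca_name,
        "CertTemplate": template,
        "CertificateAcquisitionMechanism": "RPC",
        "CertificateRenewalTimeInterval": 14,  # expiry notification threshold, in days
        "UserName": username,  # service account credentials sit in the profile in clear
        "Password": password,
        "AllowAllAppsAccess": True,
        "KeyIsExtractable": False,  # keep the user's private key inside the keychain
        "PromptForCredentials": False,
    }


def wifi_payload(ssid, anchor_uuids, identity_uuid, trusted_server_names=()):
    """Network payload, mirroring step 7: WPA2 Enterprise, EAP-TLS only."""
    return {
        **_base("com.apple.wifi.managed", ssid),
        "SSID_STR": ssid,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [EAP_TLS],
            "PayloadCertificateAnchorUUID": list(anchor_uuids),  # the Trust tick boxes
            "TLSTrustedServerNames": list(trusted_server_names),  # extra: pin RADIUS name
            "TLSAllowTrustExceptions": False,
        },
        "PayloadCertificateUUID": identity_uuid,  # Identity Certificate: AD Certificate
    }


def build_profile(ssid, ca_certs, ad_cert, trusted_server_names=()):
    """Assemble the User Level profile: certificates, AD certificate, then Wi-Fi."""
    certs = [cert_payload(name, der) for name, der in ca_certs]
    wifi = wifi_payload(ssid, [c["PayloadUUID"] for c in certs],
                        ad_cert["PayloadUUID"], trusted_server_names)
    return {**_base("Configuration", f"{ssid} 802.1x EAP-TLS"),
            "PayloadScope": "User", "PayloadContent": certs + [ad_cert, wifi]}


def check_references(profile):
    """Problems that would leave the Mac trusting nothing or presenting no identity."""
    by_uuid = {p["PayloadUUID"]: p for p in profile["PayloadContent"]}
    problems = []
    for p in profile["PayloadContent"]:
        if p["PayloadType"] != "com.apple.wifi.managed":
            continue
        eap, ssid = p["EAPClientConfiguration"], p["SSID_STR"]
        if EAP_TLS not in eap["AcceptEAPTypes"]:
            problems.append(f"{ssid}: EAP-TLS not in AcceptEAPTypes")
        if not eap["PayloadCertificateAnchorUUID"]:
            problems.append(f"{ssid}: no trust anchors selected")
        for u in eap["PayloadCertificateAnchorUUID"]:
            if by_uuid.get(u, {}).get("PayloadType") != "com.apple.security.root":
                problems.append(f"{ssid}: anchor {u} is not a certificate payload")
        ident = by_uuid.get(p.get("PayloadCertificateUUID"), {})
        if ident.get("PayloadType") != "com.apple.ADCertificate.managed":
            problems.append(f"{ssid}: identity does not reference the AD Certificate payload")
    return problems


def to_mobileconfig(profile):
    """Serialise to the XML plist that `profiles -I -F` consumes."""
    return plistlib.dumps(profile)


def parse_mobileconfig(data):
    return plistlib.loads(data)


def demo_profile():
    """Constructed inputs: fake DER bytes and placeholder server/template names."""
    ca_certs = [("Example Root CA", b"\x30\x82\x00\x00ROOT"),
                ("Example Issuing CA", b"\x30\x82\x00\x00ISSUING")]
    ad = ad_cert_payload("adcs.example.internal", "Example Issuing CA",
                         "User8021x", "svc-certreq", "placeholder-password")
    return build_profile("CorpWiFi", ca_certs, ad, ["radius.example.internal"])
```

Because the AD Certificate payload carries the service account password in clear, anything written out by `to_mobileconfig` should be treated like a credential file rather than left lying in a world-readable folder.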

Scripting the Wireless 802.1x EAP-TLS Configuration Profile

Now at this point you can use the JSS to automatically deploy the configuration profile and hope there are AD users logged into the Macs. For me, I wanted to control how and when the configuration profile is installed. The best scenario for me is utilising the “Once per user per computer” run frequency, so in order to do this I’d have to install the certificate as the user at login. Here’s how I did it:

  1. Download the configuration profile created earlier from the JSS
  2. Package the configuration profile with Composer. This is just to place the configuration profile in a temporary location on the Mac; in my example I place the file in a Temp folder in the Users > Shared location
  3. Upload your package to the JSS using Casper Admin
  4. Next, make a script that does the install for us, using your favorite text editor or using the Scripts section within the JSS:
    •  The script:
      #!/bin/sh
      # Runs as root from the Jamf login policy; look up the console user via SystemConfiguration
      loggedInUser=$(python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')
      echo "$loggedInUser"
      # Stop if nobody is at the console, otherwise sudo -u "" would run the install as root
      [ -n "$loggedInUser" ] || exit 1
      profile="/Users/Shared/Temp/User Certificate-802.1x Wireless Configuration.mobileconfig"
      # Install the user-level profile in the logged-in user's context so it lands in their login keychain
      sudo -u "$loggedInUser" /usr/bin/profiles -I -F "$profile"
      # Remove the profile straight away; it contains the AD service account password
      rm -f "$profile"
    • Breaking the script down:
      • Finds the logged-in user on the Mac
      • Tells us who the logged-in user on the Mac is, and stops if nobody is logged in
      • Runs the profiles install command as that user via sudo -u (the policy itself runs with root privileges, which is why the profile ends up in the user’s keychain rather than at computer level)
      • Removes the configuration profile after install, since it holds the service account credentials
  5. Save the script just created in your JSS/upload your script to the JSS using Casper Admin

Automating the Wireless 802.1x EAP-TLS Configuration Profile

  1. Now you’ve got the package and script created, let’s go ahead and make our policy
  2. Create a new policy with an appropriate name, the Login trigger and the Once per user per computer execution frequency checked
  3. Now configure the packages section and add your package containing the configuration profile
  4. Next, add the script in the scripts section
  5. Then, configure your policy scope
  6. Hit Save
  7. Test!

Final Product

  1. Have the user connected to the secure build network with line of sight to AD
  2. Log into the Mac with the user’s AD credentials
  3. The user will be prompted for administrator credentials for the Configuration Tool. This is to make changes to the user’s login keychain; if the user is not an administrator on the Mac, use a system administrator account
  4. To confirm the process has worked you can check the Keychain to ensure the Root-CA and Issuing Authority Certificates have been deployed and the user’s AD certificate has been requested
    • Note: You will only see one user certificate; you’ll see two in my example as the second will be covered in the Wired post coming shortly
  5. Head over to the Wi-Fi Preferences in System Preferences and confirm the EAP-TLS connection is active
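The checks in steps 4 and 5 can be done from a script as well. The following is an added example, not the page’s own, that parses the output of `profiles -L`, `security find-certificate -a -p -c NAME` and `networksetup -getairportnetwork en0` to confirm the profile is installed at user level (not at `_computerlevel`, which is the distinction the sudo -u install above relies on), the CA certificates are present in the login keychain, and the EAP-TLS SSID is the one joined. The line formats are assumed from those tools, and the sample output, profile identifier and SSID are constructed.

```python
"""Post-login checks for the Final Product steps. Added example; the
command output parsed here is constructed and the identifiers are placeholders."""
import os
import re
import subprocess
import sys

# Assumed `profiles -L` line shape: "<user>[n] attribute: profileIdentifier: <id>"
PROFILE_LINE = re.compile(r"^(\S+)\[\d+\] attribute: profileIdentifier: (\S+)")


def user_profile_ids(profiles_output):
    """Identifiers installed for a user; _computerlevel entries do not count."""
    ids = set()
    for line in profiles_output.splitlines():
        m = PROFILE_LINE.match(line)
        if m and m.group(1) != "_computerlevel":
            ids.add(m.group(2))
    return ids


def pem_cert_count(security_output):
    """How many certificates `security find-certificate -p` printed for a name."""
    return security_output.count("-----BEGIN CERTIFICATE-----")


def current_ssid(networksetup_output):
    """SSID from `networksetup -getairportnetwork`, or None when not joined."""
    m = re.search(r"Current Wi-Fi Network: (.+)", networksetup_output)
    return m.group(1).strip() if m else None


def evaluate(profiles_out, cert_outputs, ssid_out, profile_id, ssid):
    """Map each check to a bool; all must be True for a working deployment."""
    return {
        "profile_installed_for_user": profile_id in user_profile_ids(profiles_out),
        "ca_certs_in_keychain": all(pem_cert_count(o) >= 1 for o in cert_outputs),
        "eap_tls_ssid_joined": current_ssid(ssid_out) == ssid,
    }


def live_checks(profile_id, ssid, ca_names, interface="en0"):
    """Run the real commands; meant to run on the Mac as the logged-in user."""
    def out(cmd):
        return subprocess.run(cmd, capture_output=True, text=True).stdout
    keychain = os.path.expanduser("~/Library/Keychains/login.keychain-db")
    return evaluate(
        out(["/usr/bin/profiles", "-L"]),
        [out(["/usr/bin/security", "find-certificate", "-a", "-p", "-c", n, keychain])
         for n in ca_names],
        out(["/usr/sbin/networksetup", "-getairportnetwork", interface]),
        profile_id, ssid)


# Constructed sample output standing in for the real commands.
SAMPLE_PROFILES_OK = """\
_computerlevel[1] attribute: profileIdentifier: com.example.jamf.mdm
jdoe[1] attribute: profileIdentifier: com.example.wifi.8021x
There are 1 user configuration profiles installed for 'jdoe'
"""
# Same identifier, but installed at computer level only: the user-level check must fail.
SAMPLE_PROFILES_SYSTEM_ONLY = "_computerlevel[1] attribute: profileIdentifier: com.example.wifi.8021x\n"
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMIIBconstructedplaceholder\n-----END CERTIFICATE-----\n"
SAMPLE_SSID = "Current Wi-Fi Network: CorpWiFi\n"


def demo(profiles_out=SAMPLE_PROFILES_OK):
    """Evaluate the constructed sample output for a placeholder profile and SSID."""
    return evaluate(profiles_out, [SAMPLE_PEM, SAMPLE_PEM], SAMPLE_SSID,
                    "com.example.wifi.8021x", "CorpWiFi")


if __name__ == "__main__":
    if sys.platform == "darwin":
        results = live_checks("com.example.wifi.8021x", "CorpWiFi",
                              ["Example Root CA", "Example Issuing CA"])
    else:
        results = demo()
    for name, ok in results.items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
    sys.exit(0 if all(results.values()) else 1)
```

Run as the logged-in user, it exits non-zero on any failed check, so it can double as a Jamf Extension Attribute or a post-login smoke test; the profile identifier, certificate names and SSID at the bottom need replacing with your own values.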


I hope this post has helped you guys get the wireless EAP-TLS 802.1x setup working in your environment. Of course there are probably better methods of getting this to work, so if you’ve got any ideas on improving my process drop a comment below.