the ongoing struggle: man vs machine
29/09/2015
The recommended way to configure an enterprise wireless network is with certificates rather than a shared passphrase. This allows you to issue a certificate to each wireless device, and should a device be lost, revoking the certificate is all that is required to prevent access.
Searching the internet reveals that many guides present using the iPhone Configuration Utility to install a certificate and wireless profile on iOS devices, or using MDM, as the only possible ways to enable Apple devices to participate in this network. What I seek to outline is a third way that relies on neither of these methods.
The reason for this guide is that the iPhone Configuration Utility is end-of-life and will not work with iOS 8 and above. It has been replaced by Apple Configurator, which is an app only available on MacOS. Purchasing a Mac just to configure iPads is not an option for me.
I will detail all the steps to get a non-domain-joined device (whether it be a PC, tablet or phone) to join the wireless network.
This guide assumes that you already have a functional WPA2-Enterprise EAP-TLS Wi-Fi network, NAP server and Certificate Authority. This network should already be functional with domain-joined PCs.
Create A Certificate Template
Stage 1 of this process is to create an appropriate certificate template, and enable the template on our Certification Authority.
- On your certificate server, open a blank MMC console and add the Certificate Templates and Certification Authority snap-ins.
- Under the Certificate Templates node, right-click the “Computer” template and click “Duplicate Template”.
- Select “Windows Server 2003 Enterprise” as the template version, and click OK.
- On the General tab, give the template a display name and a template name, and set a validity period.
- On the Request Handling tab, set the Purpose to Signature and Encryption, set a minimum key size of 2048, and tick the “Allow private key to be exported” checkbox.
- (CRITICAL) On the Subject Name tab, select the “Supply in the request” option.
- On the Issuance Requirements tab, check the checkbox for “CA certificate manager approval”. This ensures that an administrator is involved in approving the issue of a certificate to non-domain (i.e. non-trusted) devices.
- Finally, on the Security tab, ensure an appropriate administrative user has rights to read, write and enroll certificates based on this template. Click OK.
- Now we need to enable the certificate template on our Certification Authority. Navigate to Certification Authority>Certificate Templates. Right-click the node, and select New>Certificate Template to Issue.
- Select the template you created in the previous steps and click OK.
Create Certificate Request
Stage two of this process is to request a certificate. I am doing this from my own domain-joined Windows 7 PC, however it may be better practice to have a workstation dedicated to this task. (Note that I have certificate auto-enrolment enabled for my domain, so my PC will automatically enrol certificates issued to it).
- Open up a blank MMC console as administrator (This should be the administrator you defined earlier on your certificate template). Add the Certificates (local computer) snap-in.
- Expand Certificates>Personal
- Right-Click “Personal”>All Tasks>Request New Certificate
- Click Next until you arrive at the Request Certificates Screen
- Check the mobile device template, and click Properties.
- On the Subject tab, fill out the certificate details. Common Name is required by the system, whilst the other fields are optional; however, I recommend you fill in at least these fields:
  - Common Name (e.g. username_IOSPhone1 for BYOD, or the asset number for corporate-owned devices). Note that the common name cannot be longer than a NetBIOS name (20 characters).
  - Organisational Unit (i.e. department)
- Click Ok, then enrol.
- The final screen shows that enrolment is pending. This is because on the template, we selected that approval was required before issuance. Click Finish.
On your Certification Authority server, open the Certification Authority console (as administrator) and navigate to “Pending Requests”. Issue the certificate from the right-click menu (ensure that you have selected the correct certificate request).
Export Certificates with Key and Without Key
- Return to the Certificates console on your local computer. Right-click the Certificates>Local Computer root node, and choose “All Tasks>Automatically Enroll and Retrieve Certificates”. Complete the wizard. (This works because certificate auto-enrolment is enabled in my domain.)
- Navigate to Personal>Certificates. You will see your newly issued certificate.
- Right-click the new certificate, and select All Tasks>Export.
- Follow the wizard, choosing to export the private key, and include all certificates in the certification path. You will need to set a password for the certificates.
- Export a second copy of the certificate, this time with no key.
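As an added example that is not part of the original post, the request and export stages above can be scripted with certreq.exe and certutil.exe instead of the MMC wizards. The template name, CA config string, work folder and device name used below are assumptions; the INF supplies the subject because the template was set to “Supply in the request”.

```powershell
# Added example (not from the original post): the request and export stages done with
# certreq.exe and certutil.exe instead of the MMC wizards. Assumed values: template
# "MobileDeviceEAPTLS", CA config string "CA01.corp.example\Corp-Issuing-CA" and work
# folder C:\MobileCerts. Run from an elevated PowerShell on the request workstation.
$Template = 'MobileDeviceEAPTLS'
$CAConfig = 'CA01.corp.example\Corp-Issuing-CA'   # "<CA host>\<CA common name>"; see certutil -dump
$WorkDir  = 'C:\MobileCerts'

function New-DeviceCertRequest {
    param([string]$CommonName, [string]$OrgUnit)
    if ($CommonName.Length -gt 20) { throw 'Common name must fit a NetBIOS name (20 characters).' }
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    # The template has "Supply in the request" set, so the subject is taken from this INF.
    # KeySpec = 1 (AT_KEYEXCHANGE) matches the template's "Signature and Encryption" purpose.
    @"
[NewRequest]
Subject = "CN=$CommonName,OU=$OrgUnit"
KeyLength = 2048
KeySpec = 1
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path "$WorkDir\$CommonName.inf" -Encoding Ascii
    certreq.exe -new "$WorkDir\$CommonName.inf" "$WorkDir\$CommonName.req" | Out-Null
    # CA manager approval is required, so the submission stays pending; keep the request ID.
    $out = certreq.exe -submit -config $CAConfig "$WorkDir\$CommonName.req" "$WorkDir\$CommonName.cer"
    $m = [regex]::Match(($out -join "`n"), 'RequestId:\s*(\d+)')
    if (-not $m.Success) { throw "Submission failed:`n$($out -join "`n")" }
    return [int]$m.Groups[1].Value
}

# Run this only after an administrator has issued the pending request in the CA console.
function Complete-DeviceCert {
    param([string]$CommonName, [int]$RequestId, [string]$PfxPassword)
    certreq.exe -retrieve -config $CAConfig $RequestId "$WorkDir\$CommonName.cer" | Out-Null
    certreq.exe -accept "$WorkDir\$CommonName.cer" | Out-Null   # binds the cert to its key in LocalMachine\My
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match "^CN=$([regex]::Escape($CommonName))(,|$)" } | Select-Object -First 1
    # Copy 1: PFX with private key and full chain (for the device); certutil includes the chain unless NoChain is given.
    certutil.exe -p $PfxPassword -exportPFX My $cert.Thumbprint "$WorkDir\$CommonName.pfx" | Out-Null
    # Copy 2: public certificate only (DER .cer), for the AD name mapping.
    [IO.File]::WriteAllBytes("$WorkDir\$CommonName-public.cer",
        $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert))
}
```

Call `New-DeviceCertRequest -CommonName 'jsmith_IOSPhone1' -OrgUnit 'Finance'`, have the pending request issued on the CA, then call `Complete-DeviceCert` with the same common name, the returned request ID and the PFX password.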
Map Certificate to an Account
Note: The normal authentication process involves the computer presenting the certificate (Common Name) to the Network Policy Server (NPS), which in turn checks that the computer account is enabled in AD DS and that the certificate is valid. Because we are issuing computer certificates, logic would follow that we need to map the computer certificate to a computer account in Active Directory.
Devices such as iPads behave differently: they treat every installed certificate as a user certificate, so when the subject name is passed to NPS, it looks for a user object in AD DS rather than a computer object, and the authentication request fails. When this occurs, you will see the failure logged in the NPS server's Security event log. Keep in mind that devices from different vendors may behave differently, so watch out for this issue.
- Open up Active Directory and create a dummy user account. This account must have a username that matches the common name on the certificate. Passwords and other options do not matter for this purpose.
- If your NPS server has a group which contains authorised clients, add this account to that group.
- Select the new account, and choose Action>Name Mappings.
- Add the certificate you exported without the key, and click OK.
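The Name Mappings dialog writes the certificate's issuer and subject into the account's altSecurityIdentities attribute. As an added example that is not part of the original post, the same mapping can be made with the ActiveDirectory module; the account name, file path and NPS group below are assumptions.

```powershell
# Added example (not from the original post): the "Name Mappings" step done with the
# ActiveDirectory module. It reads the exported public (.cer) certificate and writes the
# issuer/subject mapping into the account's altSecurityIdentities attribute, which is what
# the Name Mappings dialog populates. Assumed names: account/CN "jsmith_IOSPhone1",
# file C:\MobileCerts\jsmith_IOSPhone1-public.cer, NPS group "WiFi-EAPTLS-Devices".
Import-Module ActiveDirectory

function Get-MappingDn {
    # altSecurityIdentities stores each DN root-first (DC=...,CN=...), the reverse of the
    # .NET Subject/Issuer strings, with no spaces after the commas.
    param([System.Security.Cryptography.X509Certificates.X500DistinguishedName]$Dn)
    $rdns = @($Dn.Decode([System.Security.Cryptography.X509Certificates.X500DistinguishedNameFlags]::UseNewLines) -split "`r?`n" |
        Where-Object { $_ -ne '' })
    [array]::Reverse($rdns)
    return ($rdns -join ',')
}

function Add-DeviceCertMapping {
    param([string]$SamAccountName, [string]$CerPath, [string]$NpsGroup)
    if ($SamAccountName.Length -gt 20) { throw 'Account name must match the certificate CN and fit 20 characters.' }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $mapping = "X509:<I>$(Get-MappingDn $cert.IssuerName)<S>$(Get-MappingDn $cert.SubjectName)"
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'")) {
        # The dummy account needs no usable password for EAP-TLS, so set a random one, but it
        # must stay enabled: NPS rejects a mapped account that is disabled.
        $bytes = New-Object byte[] 24
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        New-ADUser -Name $SamAccountName -SamAccountName $SamAccountName -AccountPassword $pw -Enabled $true `
            -Description 'EAP-TLS device identity; not for interactive logon'
    }
    Set-ADUser -Identity $SamAccountName -Add @{ altSecurityIdentities = $mapping }
    if ($NpsGroup) { Add-ADGroupMember -Identity $NpsGroup -Members $SamAccountName }
    # Read the attribute back so the stored mapping can be checked against the CA's issuer name.
    return (Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities).altSecurityIdentities
}

# Add-DeviceCertMapping -SamAccountName 'jsmith_IOSPhone1' -CerPath 'C:\MobileCerts\jsmith_IOSPhone1-public.cer' -NpsGroup 'WiFi-EAPTLS-Devices'
```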
Configure the iOS Device
Note: These instructions have only been tested on an iPad 3 running iOS 9.0.1. Your mileage may vary.
Now to the heart of the issue. The previous steps are only an overview of the process to prepare a certificate for a non-domain joined device, and should be acceptable for most devices for WPA2-Enterprise EAP-TLS authentication. What follows are the steps to perform on the iPad (or iPhone) to enrol the certificate on the device, and use the certificate as the credentials to join the wireless network.
- Transmit the exported certificate (the version with the key) to the device in any way possible, such as cloud storage or email. It’s entirely up to you. Just be cautious: this file includes the private key and needs to be protected, even though the key is protected by the password you set when you exported the certificate.
- Open the certificate file on the device. iOS will recognise the file as a certificate file and begin the import process. Tap Install.
- Tap Install again.
- Tap Install again.
- Enter the password to unlock the private key.
- Tap Done. Your certificate has now been imported into an iOS identity profile, without the aid of external tools.
- Finally, let’s join the wireless network, with some minor changes to the usual process on iOS. Tap Wi-Fi, and tap the network you want to join (being your EAP-TLS network, not some other passphrase-based network).
- Notice that you are prompted for a username and password. Change the mode to EAP-TLS (why does Automatic not work…?).
- The prompt has changed to username and identity. Username is optional, and we will leave it blank. Tap “Identity”.
- A list of installed identities is provided (I only have one). Tap the identity to use for the connection, which places a blue tick next to it.
- Tap “Enter Password” to return to the main Wi-Fi screen, then tap “Done”.
- You will now be asked if you trust the NPS server Certificate. Tap “Trust”.
- You are now connected.
A Quick Note about Revocation
Depending on how your Certificate Authority is configured, and the cache timeouts for Certificate Revocation List checking, there are two ways that can be used to prevent a device from connecting to the wireless network.
1. Revoke the certificate. This is the most reliable method, as it ensures the certificate cannot be used again. The downside is that it can take a long time to take effect, because of the various cache timeouts and CRL update intervals.
2. Disable or delete the computer or user account that the certificate is mapped to. This takes effect immediately; however, the certificate itself is still valid and, if used for other purposes, can still authenticate.
I recommend you perform both of these steps, just to be sure. Neither of these steps will kick an active Wi-Fi connection off the network, but they prevent a re-connection attempt.
I hope you find this helpful.
Connecting iPads to an Enterprise Wireless 802.1x Network Using Certificates and Network Device Enrollment Services (NDES) – http://blogs.technet.com/b/pki/archive/2012/02/27/ndes-and-ipads.aspx
Certificates and Exporting Private Key – https://social.technet.microsoft.com/forums/systemcenter/en-US/b24c4a4f-7b4c-42d3-b23f-58fcc18ddb80/certificates-and-exporting-private-key