

.mobileconfig and ADCertificatePayloadPlugin

Hi,


I hope someone can help. I have been given a MacBook to 'socialise' to our Windows / AD domain. My first goal is to get it connected to the corporate WiFi network, which is EAP-TLS with certificate-based enrollment.


I'm trying to follow this KB article: http://support.apple.com/kb/HT4784 but can't create the .mobileconfig file.


I even tried downloading the IPCU and creating a 'blank' configuration profile and editing the contents; every time I make a change to the file it says:


'There was an error opening "blahblahblah.mobileconfig" contact your network administrator'.


Any ideas??

MacBook Air, Mac OS X (10.7.2)

Posted on Jan 24, 2012 9:49 PM

45 replies

Sep 30, 2012 10:25 PM in response to levellers

I assume this is the best / only way to generate a computer certificate for mac?

I am implementing 802.1x on our network at the moment - The windows clients are up and running, and web enrollment is working.


Are there any other newer scripts to try / follow up on?


Id like to work on this tomorrow - most of my macs are 10.7.5 - has the looping issue been fixed in this latest version?

Oct 1, 2012 8:42 AM in response to Matt_nz_Karamu

This is not the only way to generate a computer certificate for the Mac - you can generate a computer certificate by using the "Machine" template in the Active Directory Certificate Services web portal. This article describes a method that allows client computers to obtain their computer certificate using the ADCertificatePayload plugin. Although this is not the only way to obtain a machine certificate, installing it as part of a .mobileconfig profile is the only way that I know to allow 802.1x authentication before the loginwindow. Although it's probably possible to manually install the machine certificate, and configure the WiFi mobileconfig profile to use the computer certificate to authenticate over RADIUS, the payload plugin makes this much easier to deploy on a large scale.


The ADCertificatePayload plugin can be included in a .mobileconfig profile that can be used for machine authentication to 802.1x access points configured to authenticate clients using EAP-TLS. The mobileconfig profile must be imported as a "system" profile by following the steps in this article: How to request a certificate from a Microsoft Certificate Authority using the ADCertificatePayloadPlugin


I'd recommend following the steps listed in the article reference above to get the .mobileconfig profile (a working profile example is posted in this discussion) installed as a 'system' profile which allows your Macs to authenticate to the 802.1x network before the loginwindow. If the profile isn't installed as a 'system' profile (i.e., the WiFi config allows it to be used for System/Loginwindow [read: "before the Loginwindow"] authentication), your machines will only authenticate to RADIUS after successful user authentication.


The script above is only an example of how to automate this process - I'd recommend getting familiar with the steps necessary to get the certificate authentication working before trying to automate it.


Lastly - what's this looping issue you speak of? I don't see any control logic in the script above that would result in a loop?

Oct 1, 2012 2:36 PM in response to Edward Kelley

Thanks for your prompt reply - I am about to start testing.


The looping was a bug I was referring to in the original post (not a coding issue):

step 2. In Lion 7.2 (only) Turn off the Cert checking to prevent a endless loop (a known bug should be fixed in a update) The machine must also have 1G of free disk space.

a. open Key Chain Access

b. Click on Keychain Access in the Apple tool bar

c. Select Preferences

d. Select the Certificates Tab

f. Turn off OCSP and CRL (this can be turned back on after you get the cert from AD)

I assume this may have only affected version 10.7.2 - I will update all machines to 10.7.5 as they provide better Active Directory integration. (I also have an internal .local domain.)


My last question would be that what happens when you near certificate expiry? Will there be a certificate renewal as per policy/template like the windows machines or would this also be a manual process?

Oct 1, 2012 5:44 PM in response to Matt_nz_Karamu

Did you import the mobileconfig file by double-clicking, or did you use the command 'sudo profiles -I -F /path/to/file.mobileconfig' as outlined in the ADCertificatePayloadPlugin support document? I believe that it's necessary to import those files using 'profiles' so that it installs in the system domain. Did you see odd output from the profiles command when you imported the mobileconfig file? If you're not sure, you can remove all profiles using 'sudo profiles -D', and try again...

Oct 1, 2012 7:53 PM in response to Edward Kelley

Hi, I imported using the command line. I certainly want a SystemConfiguration payload.


I was logged on as a local administrator (the machine is already bound to AD, but I didn't think this would matter).

The kerberos ticket is valid as I can see an entry using klist -l


Maybe I have something wrong in the mobileconfig file, but it's pretty basic so I can't see what could be wrong. I assume I can name the PayloadDescription, PayloadDisplayName, PayloadIdentifier, PayloadOrganization anything I like?

Oct 1, 2012 8:25 PM in response to Matt_nz_Karamu

Matt_nz_Karamu wrote:


Hi, I imported using the command line. I certainly want a SystemConfiguration payload.


I was logged on as a local administrator (the machine is already bound to AD, but I didn't think this would matter).

The kerberos ticket is valid as I can see an entry using klist -l


Maybe I have something wrong in the mobileconfig file, but it's pretty basic so I can't see what could be wrong. I assume I can name the PayloadDescription, PayloadDisplayName, PayloadIdentifier, PayloadOrganization anything I like?


Does the profile import without error using the profiles command? It might help to check the console for any output related to the import. I don't think that the tool would fail silently. You can enable verbose logging by passing the "-v" flag along with the other program arguments to obtain additional info.


You do not need to be logged in as a network administrator - a local administrator account should work fine. I'm pretty sure you need to be bound to AD for the domain controller to be able to manage your computer via machine records (and subsequently issue a certificate that allows it to authenticate itself)...


If you're getting a Kerberos ticket, the ADCertificatePayloadPlugin should be able to use that to authenticate against the certificate services web service, and generate a machine certificate when the profile is imported - are you able to locate a certificate or keypair with this machine's name in the keychain?


The mobileconfig names that you mention above are customizable...Some of the others (like the "PayloadType") should not be changed.


If your signing CA is using an untrusted certificate, you may need to set trust of that certificate first (the logs would probably mention this) in Keychain Access or by using the 'security' command line tool.

Oct 1, 2012 9:14 PM in response to Edward Kelley

Thanks Edward, appreciate your time here.


OK, it was my mistake. With the confusing fonts I was using "-L" instead of "-I" (list rather than install); I noticed that when I went for -h and looked through the commands.

So now I have an x509 certificate in System; looking at the Certification Authority, it's issued the correct certificate (it's a duplicate of the Computer certificate).


Now the only strange thing is the actual connection - I specify EAP-TLS and X509, but no matter how I format the host/(mac_name) field I get 'invalid password'...


2 steps forward and one back!

Oct 1, 2012 9:33 PM in response to Matt_nz_Karamu

I'd use the same name that the machine shows as the computer name when running the 'dsconfigad -show' command (or as you see it in Directory Utility's AD plugin). You may need to append a dollar sign to the name (example: 'host/mymacbook$'), but I don't think that this is necessary.


The computer should automatically join the wireless network once it imports the mobileconfig file with a working configuration. You should not be required to select the network from the list of available networks under the Airport menu item.


I think that you can turn on debug logging with this command:

sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.eapolclient LogFlags -int 1


Read the log at /var/log/eapolclient.en?.log using Console or another app to determine why the handshake fails.


Turn logging off with this command:

sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.eapolclient LogFlags -int 0

Oct 2, 2012 8:57 PM in response to Edward Kelley

I tried the machine name as host/machine & host/machine.domain.suffix (and with/without $) but these didn't work.


So I tried with your script - minus the two payload certificates at the end (I already have the root CA certificate installed)


The cert still installs but I can see that it tries to connect to the SSID I specify, but then it times out. "A connection timeout occurred"

I thought I'd try my EAPTypes. I tried 13 (TLS), 25 (PEAP) and 21 (TTLS), just taking a guess as I don't know which EAP type is preferred.

I am using WPA2/AES but not sure if <EncryptionType> matters. (I tried exporting a sample from the iPCU and WPA/WPA2 are joined.)


I'll have another go tomorrow but it's likely that I'll have to get some support in as my experience is at its limit.

I'll enable logging tomorrow too and see if I can spot anything unusual.

Oct 3, 2012 9:27 PM in response to Edward Kelley

My Issue is with EAP.


NPS is configured for PEAP (Protected EAP) in which the Mac produces the error: "Negotiation Failed. Rquested EAP methods not available"

But when I configure NPS for Smart Card or other certificate (which I believe is EAP), then the Mac connects.


So EAP-TLS works, but PEAP-TLS appears not to, even when I select it in EAPTypes.


I wonder if I need to further configure something?

Oct 4, 2012 11:12 AM in response to Matt_nz_Karamu

Mac OS X v10.7 should support PEAP connections that require user authentication (PEAPv0/EAP-MSCHAPv2), but I don't believe that this type of authentication is supported before the login window (because you're not authenticated as a user, and thus cannot provide the MSCHAPv2 [username/password] authentication credentials)...Connecting via PEAP should not require use of the ADCertificatePayloadPlugin (as only the server authenticates itself using a certificate - the clients do not use certs for authentication). In fact, as long as your client machine trusts the certificate that's being used to secure the TLS tunnel, you should be able to connect using PEAP by selecting the base station from the Airport menu item, and providing the user credentials. I believe that the only way to authenticate over 802.1x as a machine in Mac OS X is by using EAP-TLS.


Apparently, there is another version of PEAPv0 (PEAP-EAP-TLS) that uses protected EAP along with client-side certificates for inner authentication, but I don't think that it's supported in Mac OS X. Supported EAP types seem to be documented here: http://training.apple.com/pdf/WP_8021X_Authentication.pdf - it includes EAP-TLS, LEAP, EAP-FAST, TTLS (MSCHAPv2), and PEAP v0 (EAP-MSCHAPv2) and v1 (EAP-GTC). From what I've read, Microsoft seems to be one of the only entities supporting "PEAP-TLS" (PEAP-EAP-TLS)...I don't believe that it's been certified as an EAP type by the Wi-Fi Alliance?


You should be able to set up multiple policies within NPS (i.e., specify a policy for both PEAP and EAP-TLS authentication)...
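The thread's two recurring questions (which profile keys may be renamed and which EAP types actually allow machine authentication before the loginwindow) can be checked mechanically. The following is an added example and not code from the thread or from Apple: it builds a constructed sample .mobileconfig with plistlib and runs a checker that flags a changed PayloadType, a missing EAP-TLS (13) entry, user-credential EAP types (21, 25) and a profile not enabled for System mode. The key names (SSID_STR, SetupModes, EAPClientConfiguration, AcceptEAPTypes) follow Apple's com.apple.wifi.managed schema as I recall it and are assumptions to verify against Apple's profile reference.

```python
import copy
import plistlib

# Constructed sample (not from the thread); key names are assumed from Apple's
# com.apple.wifi.managed schema and should be checked against Apple's reference.
SAMPLE_PROFILE = {
    "PayloadType": "Configuration",                  # fixed value, never rename
    "PayloadIdentifier": "com.example.wifi.eaptls",  # free-form but must be unique
    "PayloadDisplayName": "Corp WiFi (EAP-TLS)",     # free-form
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",  # placeholder UUID
    "PayloadContent": [{
        "PayloadType": "com.apple.wifi.managed",     # fixed value
        "PayloadIdentifier": "com.example.wifi.eaptls.wlan",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",  # placeholder UUID
        "SSID_STR": "CorpNet",
        "EncryptionType": "WPA2",
        "SetupModes": ["System"],                    # usable before the loginwindow
        "EAPClientConfiguration": {"AcceptEAPTypes": [13]},  # 13 = EAP-TLS
    }],
}
USER_ONLY = {21: "TTLS", 25: "PEAP"}  # inner MSCHAPv2 needs a user's password

def sample_with(wifi=None, top=None):
    # Copy of SAMPLE_PROFILE with overrides applied, to exercise the checker.
    p = copy.deepcopy(SAMPLE_PROFILE)
    p["PayloadContent"][0].update(wifi or {})
    p.update(top or {})
    return p

def check_wifi_profile(data: bytes) -> list:
    """Return findings; empty means usable for machine auth before the loginwindow."""
    try:
        prof = plistlib.loads(data)
    except Exception as exc:
        return [f"not a valid plist: {exc}"]
    findings = []
    if prof.get("PayloadType") != "Configuration":
        findings.append("top-level PayloadType must be 'Configuration'")
    wifi = [p for p in prof.get("PayloadContent", []) if p.get("PayloadType") == "com.apple.wifi.managed"]
    if not wifi:
        return findings + ["no com.apple.wifi.managed payload"]
    for p in wifi:
        types = p.get("EAPClientConfiguration", {}).get("AcceptEAPTypes", [])
        if 13 not in types:
            findings.append("AcceptEAPTypes lacks 13 (EAP-TLS): no client-cert auth")
        findings += [f"{USER_ONLY[t]} ({t}) needs user credentials; not usable "
                     "before the loginwindow" for t in types if t in USER_ONLY]
        if "System" not in p.get("SetupModes", []):
            findings.append("SetupModes lacks 'System': auth only after user login")
    return findings

def check_profile(profile: dict) -> list:
    return check_wifi_profile(plistlib.dumps(profile))
```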

Oct 4, 2012 12:45 PM in response to levellers

I just found all this while trying to implement this on several (~30) Lion workstations I have in my environment. We are trying to issue certificates for VPN access to all machines. I just upgraded my test ones to 10.7.5 in case 10.7.4 was causing an issue.


I have followed the above instructions, but when I run the "/usr/bin/profiles -I -F /Users/mattb/caenroll.mobileconfig" the console session just hangs. If I run with -v I get feedback telling me that it is installing the profile, but then nothing else. Console confirms that it creates a private key but doesn't make it beyond that.


On the CA side, I get hundreds of 401 errors logged. I am running the kinit command, and confirming it is successful with klist. I also can't get it to stop once it starts. Even if I kill -9 the profiles command, the workstation keeps requesting a certificate from the CA. I have to actually restart the computer to get it to stop. When I restart, the profile shows up in the profiles control panel, but there is no certificate installed (and the CA confirms it never issued one due to the 401 errors).


Any thoughts? I have been working on this for days and am baffled at the moment.


Thanks

-Matt

Oct 4, 2012 1:05 PM in response to brennanma

The HTTP error code for 401 is "Unauthorized" - can you verify that you're able to obtain user/computer certificates manually? See if you can sign into the certificate server's web enrollment page (https://host.example.com/certsrv) using valid AD credentials... Once there, you should be able to verify that the "Computer" certificate template shows up under the "Certificate Template" pop-up.
