Using AD CS for machine-based EAP-TLS on macOS

active directory Sep 18, 2019

I've written before about using user-credential-based auth to get a machine connected to a WiFi network using EAP-PEAP. Recently we did some work on getting our machines to authenticate using EAP-TLS. I'm documenting some of the pitfalls we ran into, and posting a sanitized version of our final client-side profile. Unfortunately, I was not involved with configuring the AD CS side of things, but a colleague and I did find issues in our implementation from our perspective as endpoint administrators.

AD CS Issues

  1. The first issue we encountered was that our AD CS template name contained spaces. Apparently, a space character in the template name causes the certificate request to fail.
  2. The second issue we encountered was that the dNSHostName attribute must be set on the computer's AD object for the request to succeed.

Profile Creator

I created the profile in Erik's profilecreator tool. It's just about the best tool I've used for making profiles and I absolutely will shill for it. This is one place it needs a little bit of love, though: the Wireless payload refers to the client certificate by the PayloadUUID of the payload that requests the machine certificate (the PayloadCertificateUUID key), and the tool does not natively offer a way to refer to other payloads in that manner.

Profile Breakdown

The profile provides three services:

  1. The profile gets a machine certificate from AD CS.
  2. The profile installs, and marks as trusted, the RADIUS server certificate the machine should expect when connecting to the WPA2 Enterprise network.
  3. The profile adds a Wi-Fi network configuration for our WPA2 Enterprise network, has it accept the certificate added above for the RADIUS server, and uses the requested machine certificate to connect.

The Profile

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>PayloadContent</key>
			<data>
			YOUR RADIUS CERT HERE (base64 DER, i.e. the PEM body without the BEGIN/END lines)
			</data>
			<key>PayloadDisplayName</key>
			<string>Certificate</string>
			<key>PayloadIdentifier</key>
			<string>GUID</string>
			<key>PayloadOrganization</key>
			<string></string>
			<key>PayloadType</key>
			<string>com.apple.security.pkcs1</string>
			<key>PayloadUUID</key>
			<string>60EDDC99-F33D-4D91-A93C-601977638A13</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
		<dict>
			<key>AllowAllAppsAccess</key>
			<true/>
			<key>CertServer</key>
			<string>YOUR CERT SERVER FQDN HERE</string>
			<key>CertTemplate</key>
			<string>NAME_OF_CERT_TEMPLATE_HERE_REQUIRES_NO_SPACES</string>
			<key>CertificateAcquisitionMechanism</key>
			<string>RPC</string>
			<key>CertificateAuthority</key>
			<string>YOUR CA NAME HERE</string>
			<key>CertificateRenewalTimeInterval</key>
			<integer>14</integer>
			<key>Description</key>
			<string>AD Machine Cert</string>
			<key>EnableAutoRenewal</key>
			<true/>
			<key>KeyIsExtractable</key>
			<false/>
			<key>Keysize</key>
			<integer>2048</integer>
			<key>PayloadDisplayName</key>
			<string>AD Certificate</string>
			<key>PayloadIdentifier</key>
			<string>com.company.fqdn.24B78032-17F2-4705-86C1-D36ABE51273C.com.apple.ADCertificate.managed.44169206-CBE1-43FD-BD03-C1F7533CC2CA</string>
			<key>PayloadOrganization</key>
			<string></string>
			<key>PayloadType</key>
			<string>com.apple.ADCertificate.managed</string>
			<key>PayloadUUID</key>
			<string>44169206-CBE1-43FD-BD03-C1F7533CC2CA</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
		<dict>
			<key>AutoJoin</key>
			<true/>
			<key>EAPClientConfiguration</key>
			<dict>
				<key>AcceptEAPTypes</key>
				<array>
					<integer>13</integer>
				</array>
				<key>PayloadCertificateAnchorUUID</key>
				<array>
					<string>60EDDC99-F33D-4D91-A93C-601977638A13</string>
				</array>
				<key>TLSTrustedServerNames</key>
				<array>
					<string>YOUR TRUSTED SERVER NAME HERE</string>
				</array>
			</dict>
			<key>EncryptionType</key>
			<string>WPA2</string>
			<key>PayloadCertificateUUID</key>
			<string>44169206-CBE1-43FD-BD03-C1F7533CC2CA</string>
			<key>PayloadDisplayName</key>
			<string>Wi-Fi</string>
			<key>PayloadIdentifier</key>
			<string>com.company.fqdn.24B78032-17F2-4705-86C1-D36ABE51273C.com.apple.wifi.managed.24B78032-17F2-4705-86C1-D36ABE51273C</string>
			<key>PayloadOrganization</key>
			<string></string>
			<key>PayloadType</key>
			<string>com.apple.wifi.managed</string>
			<key>PayloadUUID</key>
			<string>24B78032-17F2-4705-86C1-D36ABE51273C</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>SSID_STR</key>
			<string>YOUR_WIFI_SSID_HERE</string>
			<key>SetupModes</key>
			<array>
				<string>System</string>
			</array>
			<key>TLSCertificateRequired</key>
			<true/>
		</dict>
	</array>
	<key>PayloadDisplayName</key>
	<string>Machine Cert Request w/ WiFi Configuration</string>
	<key>PayloadIdentifier</key>
	<string>com.company.fqdn.40C664B3-63F3-4E28-9204-9579DB0DC8DC</string>
	<key>PayloadOrganization</key>
	<string>YOUR ORG | DEPT NAME HERE</string>
	<key>PayloadScope</key>
	<string>System</string>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>40C664B3-63F3-4E28-9204-9579DB0DC8DC</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>
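Because Profile Creator cannot express the cross-reference between the Wi-Fi payload and the certificate-request payload, it is easy to ship a profile whose UUIDs do not line up. The following Python script is an added example (not part of the post, and not Profile Creator's own code) that parses a profile with the standard-library plistlib module and checks the wiring described above: that PayloadCertificateUUID points at a com.apple.ADCertificate.managed payload, that PayloadCertificateAnchorUUID points at an installed certificate payload, that EAP type 13 (EAP-TLS) is accepted, that TLSTrustedServerNames is set, and that the template name contains no spaces (AD CS issue #1). The make_profile() helper builds a constructed profile with the same three payloads as the one above; the certificate bytes and the certsrv/radius hostnames in it are placeholders, not real values.

```python
"""Consistency checks for a macOS EAP-TLS Wi-Fi profile that requests its machine
certificate from AD CS. Added example, not from the post; hostnames are placeholders."""
import plistlib

EAP_TLS = 13  # EAP method type for EAP-TLS, the value used in AcceptEAPTypes
ADCERT = "com.apple.ADCertificate.managed"
WIFI = "com.apple.wifi.managed"
ANCHOR_TYPES = {"com.apple.security.pkcs1", "com.apple.security.root"}


def make_profile(template="MachineEAPTLS", wifi_cert_uuid=None):
    """Build a constructed profile with the same three payloads as the post's profile
    (RADIUS cert, AD CS machine cert request, Wi-Fi). Returns plist XML bytes."""
    radius_uuid = "60EDDC99-F33D-4D91-A93C-601977638A13"
    adcert_uuid = "44169206-CBE1-43FD-BD03-C1F7533CC2CA"
    wifi_uuid = "24B78032-17F2-4705-86C1-D36ABE51273C"
    profile = {
        "PayloadType": "Configuration",
        "PayloadScope": "System",
        "PayloadUUID": "40C664B3-63F3-4E28-9204-9579DB0DC8DC",
        "PayloadVersion": 1,
        "PayloadContent": [
            {   # RADIUS server certificate, installed so it can be named as a trust anchor
                "PayloadType": "com.apple.security.pkcs1",
                "PayloadUUID": radius_uuid,
                "PayloadContent": b"constructed placeholder, not a real DER certificate",
                "PayloadVersion": 1,
            },
            {   # machine certificate request against AD CS
                "PayloadType": ADCERT,
                "PayloadUUID": adcert_uuid,
                "CertServer": "certsrv.example.invalid",  # placeholder hostname
                "CertTemplate": template,
                "CertificateAuthority": "Example-CA",  # placeholder CA name
                "CertificateAcquisitionMechanism": "RPC",
                "KeyIsExtractable": False,
                "Keysize": 2048,
                "PayloadVersion": 1,
            },
            {   # WPA2 Enterprise network that uses the two payloads above
                "PayloadType": WIFI,
                "PayloadUUID": wifi_uuid,
                "SSID_STR": "corp-wifi",
                "EncryptionType": "WPA2",
                "AutoJoin": True,
                "SetupModes": ["System"],
                "TLSCertificateRequired": True,
                "PayloadCertificateUUID": wifi_cert_uuid or adcert_uuid,
                "EAPClientConfiguration": {
                    "AcceptEAPTypes": [EAP_TLS],
                    "PayloadCertificateAnchorUUID": [radius_uuid],
                    "TLSTrustedServerNames": ["radius.example.invalid"],  # placeholder
                },
                "PayloadVersion": 1,
            },
        ],
    }
    return plistlib.dumps(profile)


def check_profile(profile_bytes):
    """Return a list of problems; an empty list means the payloads reference each
    other correctly and the EAP-TLS settings match what the post describes."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    by_type = {}
    for p in payloads:
        by_type.setdefault(p.get("PayloadType"), []).append(p)
    adcert_uuids = {p.get("PayloadUUID") for p in by_type.get(ADCERT, [])}
    anchor_uuids = {p.get("PayloadUUID") for t in ANCHOR_TYPES for p in by_type.get(t, [])}
    problems = []

    if not adcert_uuids:
        problems.append(f"no {ADCERT} payload: nothing requests the machine certificate")
    for cert in by_type.get(ADCERT, []):
        template = cert.get("CertTemplate", "")
        if not template:
            problems.append("CertTemplate is empty")
        elif " " in template:  # AD CS issue #1 from the post
            problems.append(f"CertTemplate {template!r} contains spaces; the request will fail")
        if cert.get("KeyIsExtractable", True):
            problems.append("KeyIsExtractable is true; the machine key could be exported")

    for wifi in by_type.get(WIFI, []):
        eap = wifi.get("EAPClientConfiguration", {})
        if EAP_TLS not in eap.get("AcceptEAPTypes", []):
            problems.append("AcceptEAPTypes does not include 13 (EAP-TLS)")
        cert_uuid = wifi.get("PayloadCertificateUUID")
        if cert_uuid not in adcert_uuids:  # the cross-reference Profile Creator cannot express
            problems.append(f"PayloadCertificateUUID {cert_uuid!r} does not match an {ADCERT} payload")
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors:
            problems.append("no PayloadCertificateAnchorUUID: RADIUS cert is not pinned to an installed cert")
        for a in anchors:
            if a not in anchor_uuids:
                problems.append(f"PayloadCertificateAnchorUUID {a!r} does not match a certificate payload")
        if not eap.get("TLSTrustedServerNames"):
            problems.append("TLSTrustedServerNames is empty")
        if not wifi.get("TLSCertificateRequired"):
            problems.append("TLSCertificateRequired is not true")
        if "System" not in wifi.get("SetupModes", []):
            problems.append("SetupModes lacks 'System', so this is not a machine-level network")
    return problems


if __name__ == "__main__":
    for label, profile in [("good", make_profile()),
                           ("spaces", make_profile(template="Machine EAP TLS"))]:
        print(label, check_profile(profile) or "OK")
```

To run it against a real profile, replace make_profile() with the bytes read from the .mobileconfig file (plistlib.loads handles both XML and binary plists). The script only inspects the profile; it does not contact AD CS, so issue #2 (the dNSHostName attribute on the computer object) still has to be checked on the directory side.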

Ryan Buzzell

Computer Systems Engineer @ Eastman School of Music | Find me on the macadmins slack @rbuzzell https://macadmins.herokuapp.com/