IBM Security MaaS360

  • 1.  macOS MDM Policy for 802.1x

    Posted Thu April 11, 2019 05:17 PM
    We are using Cloud Extender to push Symantec PKI user certificates to Windows and macOS devices for 802.1x authentication on a wireless network (RADIUS checks user certificate for validity). A Windows MDM Policy performs the necessary configuration to successfully allow a Windows device to connect to the wireless network, but we are struggling with macOS.

    1. macOS device is added to an IBM MaaS360 Device Group that has a policy attached including an EAP-TLS certificate-based WiFi profile
    2. The profile is delivered to the macOS device along with a certificate created by Symantec Managed PKI, requested through the IBM MaaS360 Cloud Extender. The relevant SSID is added to the Preferred Networks on the macOS device, at the bottom of the list (not ideal).
    3. The SSID is displayed as an 802.1x profile in the Network settings, which won't connect automatically or even manually until the SSID is removed from Preferred Networks
    4. To successfully connect using the new user certificate, the relevant SSID must be manually selected from the list of available WiFi networks, which generates an applet requesting the mode. Once the mode is changed from Automatic to EAP-TLS, the option to add an Identity is displayed from which the new certificate may be selected and EAP-TLS WiFi connectivity is established.
    5. Adding the Managed PKI root certificate as a "Trusted Certificate" causes even manual connection attempts to fail.
    Here are some of the fields that are configured in the MDM policy (Configuration > WiFi):
    • Service Set Identifier (SSID): Test
    • Auto Join: Yes
    • Hidden Network: No
    • Network Type: Standard
    • Encryption Type: WPA
    • Accepted EAP types: TLS
    • Inner Authentication Protocol (for TTLS): {blank}
    • Always Prompt User for Password: No
    • Authentication Username: {blank}
    • Use Per Connection Password: No
    • Outer Identity Username: {blank}
    • Trusted Certificates: {blank}
    • Trusted Certificate Name: {blank}
    • Allow Trust Exceptions: No
    • Identity Certificate: DigiCert Managed PKI - User Certificate
    • Proxy Type: None
    • Disable Captive Network Detection: No
    • Enable QoS Marking for Apps: No
    Does anyone have any ideas on how to get 802.1x authentication working through pushing a macOS MDM policy? Adding an Authentication Username causes problems when using either %username% or %user_name%. I have even tried matching the username on the macOS device to the certificate Common Name to no avail.

    ------------------------------
    [Scott] [Shackleton] [CISSP]
    [Security Architect]
    [Unison]
    [San Francisco] [CA]
    ------------------------------
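    As an added illustration (not code from this thread, from MaaS360 or from Apple), the Python script below builds the macOS Wi-Fi payload that corresponds to the MDM fields listed in the post and checks the keys an automatic EAP-TLS join depends on: the EAP type, the reference to the PKCS#12 identity, and that any trust anchors (which macOS uses to validate the RADIUS server's certificate, not the issuer of the user certificate) actually exist in the profile. Payload identifiers, the PKCS#12 placeholder and its password are constructed values.

```python
import plistlib
import uuid

EAP_TLS = 13  # EAP method type for EAP-TLS (RFC 5216); Apple's AcceptEAPTypes uses these numbers


def new_uuid():
    return str(uuid.uuid4()).upper()


def wifi_eap_tls_payload(ssid, identity_uuid, anchor_uuids=()):
    """com.apple.wifi.managed payload matching the MDM fields in the post (certificate-only 802.1X)."""
    eap = {"AcceptEAPTypes": [EAP_TLS],        # Accepted EAP types: TLS
           "TLSAllowTrustExceptions": False}   # Allow Trust Exceptions: No
    if anchor_uuids:                           # Trusted Certificates: CAs that issued the RADIUS server cert
        eap["PayloadCertificateAnchorUUID"] = list(anchor_uuids)
    return {"PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1,
            "PayloadIdentifier": f"example.wifi.{ssid}", "PayloadUUID": new_uuid(),
            "PayloadDisplayName": f"Wi-Fi {ssid}",
            "SSID_STR": ssid, "AutoJoin": True, "HIDDEN_NETWORK": False,   # SSID / Auto Join / Hidden
            "EncryptionType": "WPA", "ProxyType": "None",
            "PayloadCertificateUUID": identity_uuid,   # identity the supplicant presents for EAP-TLS
            "EAPClientConfiguration": eap}


def sample_profile():
    """Constructed profile: PKCS#12 identity placeholder plus the Wi-Fi payload (no real key material)."""
    identity = {"PayloadType": "com.apple.security.pkcs12", "PayloadVersion": 1,
                "PayloadIdentifier": "example.identity.user", "PayloadUUID": new_uuid(),
                "PayloadDisplayName": "User Certificate",
                "PayloadContent": b"PKCS12-PLACEHOLDER", "Password": "placeholder"}
    wifi = wifi_eap_tls_payload("Test", identity["PayloadUUID"])
    return {"PayloadType": "Configuration", "PayloadVersion": 1, "PayloadScope": "System",
            "PayloadIdentifier": "example.profile.wifi", "PayloadUUID": new_uuid(),
            "PayloadDisplayName": "802.1X Wi-Fi (EAP-TLS)",
            "PayloadContent": [identity, wifi]}


def eap_tls_problems(profile):
    """Gaps that leave the Mac prompting for mode/identity instead of joining automatically."""
    by_uuid = {p["PayloadUUID"]: p for p in profile["PayloadContent"]}
    problems = []
    for wifi in (p for p in profile["PayloadContent"] if p["PayloadType"] == "com.apple.wifi.managed"):
        eap = wifi.get("EAPClientConfiguration", {})
        if EAP_TLS not in eap.get("AcceptEAPTypes", []):
            problems.append("AcceptEAPTypes lacks 13 (EAP-TLS)")
        ident = by_uuid.get(wifi.get("PayloadCertificateUUID"))
        if ident is None or ident["PayloadType"] != "com.apple.security.pkcs12":
            problems.append("PayloadCertificateUUID does not point at a PKCS#12 identity in this profile")
        for anchor in eap.get("PayloadCertificateAnchorUUID", []):
            if anchor not in by_uuid:
                problems.append(f"trust anchor {anchor} is not a payload in this profile")
    return problems


def profile_xml(profile):
    return plistlib.dumps(profile)   # bytes of the .mobileconfig (XML plist)
```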


  • 2.  RE: macOS MDM Policy for 802.1x

    Posted Thu April 11, 2019 05:26 PM

    Scott,

    Sorry for asking the obvious....

    My first question, which you have tested already but just for clarification: you are able to connect the iOS device to the 802.1x network without using the MDM policy, which would then make it that the MDM is where the failure is occurring? I only ask this as your post does not mention this.

    Thanks

    Mike Vickers
    Office (907) 885-3072
    Cell (907) 374-6837
    Email mvickers@trailbossinc.com
    Website www.trailbossinc.com







  • 3.  RE: macOS MDM Policy for 802.1x

    Posted Fri April 12, 2019 04:26 PM
    Michael,

    We do not have 802.1x setup for iOS, only Windows, which is working, and macOS, which is not. The macOS devices CAN connect to the SSID requiring the user certificate if one follows the steps I've outlined in my description of this issue.

    ------------------------------
    [Scott] [Shackleton] [CISSP]
    [Security Architect]
    [Unison]
    [San Francisco] [CA]
    ------------------------------



  • 4.  RE: macOS MDM Policy for 802.1x

    Posted Fri April 12, 2019 04:33 AM
    Hi Scott
    I'm assuming you set up the Macs with some sort of authentication account? If so, you would need to check the format of the username to ensure it's in the same format as the WiFi authentication you are expecting (e.g. %username% variable format).
    If this doesn't resolve the issue, I would suggest you contact Support to raise a ticket regarding this.
    https://www-01.ibm.com/support/docview.wss?uid=ibm10869804

    ------------------------------
    Eamonn O'Mahony
    Technical Account Manager
    IBM Ireland
    Mulhuddart
    ------------------------------



  • 5.  RE: macOS MDM Policy for 802.1x

    Posted Fri April 12, 2019 04:24 PM
    Hi Eamonn,

    We want to use certificate based authentication only (802.1x with RADIUS) without other credentials. As I mentioned in the description, we've already tried %username% and %user_name% to no avail. I have a ticket open already but was hoping this fine community might beat IBM Support to an answer.

    ------------------------------
    [Scott] [Shackleton] [CISSP]
    [Security Architect]
    [Unison]
    [San Francisco] [CA]
    ------------------------------



  • 6.  RE: macOS MDM Policy for 802.1x

    Posted Tue April 23, 2019 04:36 AM
    Hi Scott
    Understood. Again it comes down to the format of the username required by RADIUS and the format of the username in enrolled devices (i.e. the authentication mechanism) that you have set up. If you want to check the latter, you can look in Setup > Settings > User Settings > Basic and see which authentication mechanism has been used (i.e. local username on portal, directory AD/LDAP, etc.). Then verify a sample user and see if that will work with authentication. Failing this, and in the absence of more information, please go ahead and contact Support for assistance.
    Best

    ------------------------------
    Eamonn O'Mahony
    Technical Account Manager
    IBM Ireland
    Mulhuddart
    ------------------------------



  • 7.  RE: macOS MDM Policy for 802.1x

    Posted Mon September 09, 2019 04:57 PM
    Did you get this resolved? We are in the process of trying to set up cert-based WiFi for Macs.

    ------------------------------
    Kelly Fields
    ------------------------------