IBM Security MaaS360

  • 1.  Computer authentication with 802.1x TLS/EAP

    Posted Thu December 15, 2022 07:42 PM
    Hello All! I am trying to get my MacBook connected to our internal wireless that uses 802.1x TLS/EAP. I currently use machine authentication using certificates and I am trying to get the Mac to acquire a computer identity cert using the CE connector with Microsoft NDES. I have downloaded the root CA and NPS server certs and applied them to the profile. Has anyone successfully accomplished this and do you have a guide? I am going to use Apple Configurator and use a trial of Twocanoes Certificate Request to make sure it works without using MaaS360 first.

    ------------------------------
    Phil Bradley
    ------------------------------


  • 2.  RE: Computer authentication with 802.1x TLS/EAP

    Posted Sun December 18, 2022 11:13 PM
    Just an update on this. I need to pass custom attributes to the certificate request to get the MacBook AD computer name in the subject. I'm not sure that WiFi identity certificates will pass custom device attributes to Cloud Extender so that they will be sent to NDES?

    ------------------------------
    Phil Bradley
    ------------------------------



  • 3.  RE: Computer authentication with 802.1x TLS/EAP

    Posted Mon December 19, 2022 04:30 AM
    Hi Phil
    Generally speaking there are 2 ways you can achieve this: 
    1. Extract a generic certificate from your NDES and use this to identify all devices. 
    2. Extract a certificate template which allows for creation of user-based or device-based (specific) certificates. 
    The first option is simpler and doesn't require Cloud Extender. The second does require Cloud Extender. I believe the 2nd option is what you need based on your description. 
    Here is the documentation, please have a look: https://www.ibm.com/docs/en/maas360?topic=modules-certificate-integration-module
    The following training on the Security Learning Academy is quite comprehensive (log in with your IBMid): https://www.securitylearningacademy.com/enrol/index.php?id=5645
    For IBMid verification and password reset: https://myibm.ibm.com

    Best

    ------------------------------
    Eamonn O'Mahony
    Technical Client Success Manager
    IBM Security
    Dublin, Ireland
    ------------------------------



  • 4.  RE: Computer authentication with 802.1x TLS/EAP

    Posted Mon December 19, 2022 09:51 AM

    Hi Eamonn,

    Thanks for the update on this. I tried this back a year ago without success. I would like for this to be a hands-off procedure for the end user. I do have Cloud Extender and NDES integrated currently. Here is what I have accomplished so far.

    Created WiFi profile that deploys the internal Root CA and NPS server cert to the MacBooks. Verified certs are passed down to the client.

    WiFi profile has the enterprise SSID defined and TLS/EAP in the profile. Verified WiFi profile is created on client.

    Now when I try to connect, it asks for the identity certificate. I can use software like Twocanoes to request the certificate from my Microsoft CA but this is a manual process. Once I get the identity cert, it then connects to the enterprise WiFi.

    I have the identity certificate defined in the WiFi profile as well but I need to pass the computer name as a variable for the subject name. I can define variables in MaaS360 but apparently this can only be used in certain areas. I have requested this feature on the IBM site.

    I'm not sure if the common certificate will work. How will the clients get the common private key?

    Thanks,

    Phil


  • 5.  RE: Computer authentication with 802.1x TLS/EAP

    Posted Mon December 19, 2022 10:49 AM
    Hi Phil
    The PK should be part of the certificate, this is where my knowledge reaches in terms of what the PKI can do.
    I would encourage you to review the documentation to ensure your setup is correct and you are retrieving a certificate from a template successfully. 
    Please test following this page: https://www.ibm.com/docs/en/maas360?topic=module-testing-certificate-integration
    If still not working please contact Support to have them investigate what the issue is. 
    Best

    ------------------------------
    Eamonn O'Mahony
    Technical Client Success Manager
    IBM Security
    Dublin, Ireland
    ------------------------------



  • 6.  RE: Computer authentication with 802.1x TLS/EAP

    Posted Mon December 19, 2022 05:30 PM

    Hi Eamonn,

    Just an update. I created a profile with Apple Configurator and was able to successfully apply this to the MacBook and connect to wireless. This has to be something in MaaS360 not passing or set up correctly. I have reviewed all of the CA integration documents and my test certificate works but as I stated before, I need to pass the computer name in the request.

    Phil


  • 7.  RE: Computer authentication with 802.1x TLS/EAP

    Posted Tue December 20, 2022 04:45 AM
    Hi Phil
    Thanks for coming back. 
    Just to clear off the possibility that this is unexpected behaviour and not correct, could you raise a Support ticket for this? 
    This will help clarify. 
    Thanks

    ------------------------------
    Eamonn O'Mahony
    Technical Client Success Manager
    IBM Security
    Dublin, Ireland
    ------------------------------
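
Added example (not from the thread, IBM or MaaS360): this Python builds the kind of macOS configuration profile the thread describes, with a root CA payload, a SCEP payload whose subject CN is the computer name, and an EAP-TLS Wi-Fi payload tied to both, then checks those links. The host names, SSID, computer name, challenge value and the use of system mode are assumptions; the certificate bytes passed in are whatever root CA you export.

```python
import plistlib
import uuid

def _payload(ptype, **body):
    pid = str(uuid.uuid4()).upper()
    return {"PayloadType": ptype, "PayloadUUID": pid, "PayloadVersion": 1,
            "PayloadIdentifier": f"example.wifi.{pid}", **body}

def build_profile(computer_name, ssid, ndes_url, nps_name, root_ca_der):
    """Return .mobileconfig bytes: root CA + SCEP identity + EAP-TLS Wi-Fi."""
    root = _payload("com.apple.security.root", PayloadContent=root_ca_der)
    scep = _payload("com.apple.security.scep", PayloadContent={
        "URL": ndes_url,
        "Subject": [[["CN", computer_name]]],  # machine name in the subject
        "SubjectAltName": {"dNSName": computer_name},
        "Challenge": "PLACEHOLDER-NDES-CHALLENGE",  # placeholder, not a real value
        "Key Type": "RSA", "Keysize": 2048,
        "Key Usage": 5,  # 1 = signing, 4 = encryption
    })
    wifi = _payload("com.apple.wifi.managed",
        SSID_STR=ssid, EncryptionType="WPA2", AutoJoin=True,
        SetupModes=["System"],  # assumption: system-mode (machine) credentials
        PayloadCertificateUUID=scep["PayloadUUID"],  # identity used for EAP-TLS
        EAPClientConfiguration={
            "AcceptEAPTypes": [13],  # 13 = EAP-TLS
            "PayloadCertificateAnchorUUID": [root["PayloadUUID"]],
            "TLSTrustedServerNames": [nps_name],  # pin the RADIUS server name
        })
    return plistlib.dumps(_payload("Configuration", PayloadScope="System",
        PayloadDisplayName="Enterprise Wi-Fi (EAP-TLS)",
        PayloadContent=[root, scep, wifi]))

def check_profile(data):
    """List gaps that leave the client without an identity or server pinning."""
    items = plistlib.loads(data)["PayloadContent"]
    types = {p["PayloadUUID"]: p["PayloadType"] for p in items}
    problems = []
    for wifi in (p for p in items if p["PayloadType"] == "com.apple.wifi.managed"):
        eap = wifi.get("EAPClientConfiguration", {})
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if types.get(wifi.get("PayloadCertificateUUID")) != "com.apple.security.scep":
            problems.append("no SCEP identity attached to Wi-Fi payload")
        if not anchors or any(types.get(a) != "com.apple.security.root" for a in anchors):
            problems.append("EAP trust anchor missing or not a root CA payload")
        if not eap.get("TLSTrustedServerNames"):
            problems.append("RADIUS server name not pinned")
    return problems
```

Running `check_profile` on a profile exported from any tool shows whether the Wi-Fi payload actually references an identity payload, which is the symptom described in post 4 when the client prompts for an identity certificate.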