
KB-6642: Getting started with 802.1X for Mac - Configuration Overview

Centrify Identity Service, Mac Edition

17 June 2016 at 11:09 PM

Applies to: Centrify Identity Service, Mac Edition

 


This is a general step-by-step guide to configuring 802.1X wireless authentication for Mac. The example in this document covers EAP-TLS authentication using a workstation certificate with Microsoft Network Policy Server running on Windows Server 2012; configuration on Windows Server 2008 is performed in a similar manner. Other RADIUS servers and authentication protocols are not discussed.

This guide is intended as a general overview for most new deployments and may not cover all deployment scenarios. Perform the following sections in the order listed to help ensure a smooth and successful deployment.

In addition to the information below, the Centrify Community offers an excellent blog post with a video how-to series for quick and easy setup:

Centrify Blog – 802.1x Setup: http://centrifying.blogspot.com/2015/02/mac-os-x-extras-using-centrify-and-your.html

Video Setup Series:



Process Summary:
  1. Install Components on Windows Server
  2. Configure Certificates
  3. Create auto-enroll certificate templates for Workstations and Users
  4. Configure Wireless AP 
  5. Configure Network Policy Server 
  6. Configure 802.1X Group Policy 
  7. Troubleshooting

 

 

Install Components on Windows Server

The following server roles or features must be installed on a Windows Server: 

  • Active Directory domain services
  • Active Directory Certificate Services 
  • Network Policy Server (NPS) (Windows Server 2008/2012) 
  • Group Policy Management Console (GPMC) 
  • Centrify Suite 2015 or above
  • Centrify group policy templates for Mac systems

Note: For 802.1X wireless connections, a wireless AP that supports 802.1X (RADIUS / WPA / WPA2) is also required.

 

Active Directory Domain Services

Active Directory Domain Services is generally already in place for most organizations; it is not installed by default.
To install, run Server Manager -> Add Roles -> Active Directory Domain Services.

Certificate Services

Certificate Services is required to create the trusted root CA certificate, the Domain Controller certificate, and the Mac computer certificate.

Certificate Services is not installed by default. To install, run Server Manager -> Add Roles -> Active Directory Certificate Services.

When choosing components, make sure "Certificate Authority" is selected. Other components are optional.
Use default settings for the role setup wizard. 

RADIUS Server

Microsoft RADIUS server is part of Network Policy Server (NPS) on Windows Server 2012. 

NPS is not installed by default. To install, run Server Manager -> Add Roles -> Network Policy and Access Services.

When choosing components, make sure "Network Policy Server" is selected. Other components are optional.
Use default settings for the role setup wizard.

Group Policy Management Console (GPMC)

GPMC is required to configure the 802.1X group policy and to deploy certificates.

GPMC is installed together with Active Directory Domain Services; on a server without Active Directory, install it by running Server Manager -> Add Features -> Group Policy Management.


Install Centrify Suite 2015 or higher

Centrify Server Suite and the associated group policy templates are required to manage group policy for Mac
systems. Customers can download the package from the Centrify Download Center (login required).

After downloading the .iso or .zip file, mount or extract the files and launch the Autorun application. This will present
the Getting Started windows where administrators can view release notes and the Quick Start Guide.

To start the installation wizard, click “Access” under Centrify DirectManage (64-bit). The installation wizard will
prompt for a license key – administrators can enter an existing Centrify license or contact Centrify Sales for a
new or evaluation license key.

Note: Administrators may choose to install Centrify DirectManage Access for Mac as an alternative to the complete set of Centrify Suite components.


Install Centrify Suite group policy templates

The Centrify group policy templates are installed from within the Group Policy Management Editor.
Please review KB-2600: How to install new Centrify Group Policy templates for Mac for installation instructions.



Configure Certificates

Several certificates are required for 802.1X authentication: 

  • root CA certificate
  • RADIUS Server certificates
  • Workstation certificate and private key (for TLS) 

After installing Certificate Services, the following steps must be performed for certificate-based authentication: 

  • Deploy root CA certificate via group policy 
  • Get certificate for RADIUS server 
  • Create auto-enroll certificate template for Computer 


Deploy root CA cert via group policy

After installing Certificate Services, a root CA certificate is generated automatically. On Windows Server 2012/2008, the system recommends a name automatically. For this example document, we will use the root CA named “CENTTLS-DC01-CA”.

Administrators need to: 

  1. Export root CA certificate
  2. Import certificate into group policy
  3. Enable certificate auto-enroll 


Export the root CA certificate

The root CA certificate needs to be exported as a file. 

  1. On a Domain Controller, open the Local Computer certificates console
  2. Expand -> Console Root -> Certificates (Local Computer) -> Personal -> Certificates
  3. Export the root CA cert (e.g. CENTTLS-DC01-CA) to a .cer file using all the default settings (i.e. do not export the private key; export as DER encoded binary X.509)

Note: The .crt cert file can also be copied directly from %systemroot%\System32\CertSrv\CertEnroll 


Import the certificate into group policy

Use GPMC to import the certificate file. 

  1. On a Domain Controller, run GPMC
  2. Create a new GPO and right-click to edit
  3. Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings  -> Public Key Policies -> Trusted Root Certification Authorities
  4. Import the root CA cert file. 



Enable certificate auto-enrollment group policy

To deploy workstation certificates automatically to Mac computers, administrators must enable the computer policy for
certificate auto-enrollment. This can be performed using the same GPO created or used for the previous step. 

  1. On a Domain Controller, run GPMC
  2. Create a new GPO (or select the GPO used in the previous step) and right-click to edit
  3. Navigate to Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policies -> Certificate Services Client - Auto-Enrollment
  4. Set the policy option to "Enabled"

To deploy user certificates automatically to Mac computers, administrators must enable the user policy for certificate
auto-enrollment. 

  1. On a Domain Controller, run GPMC
  2. Create a new GPO and right-click to edit
  3. Navigate to User Configuration -> Windows Settings -> Security Settings -> Public Key Policies -> Certificate Services Client - Auto-Enrollment
  4. Set the policy option to "Enabled"


Note: If "Renew expired certificates, update pending certificates, and remove revoked certificates" or "Update certificates that use certificate templates" is checked, then after the next GP update or reboot the Domain Controller certificate will be replaced by the Domain Controller Authentication certificate, because the Domain Controller Authentication certificate template supersedes the Domain Controller certificate template.

The Domain Controller certificate can be used only when neither checkbox is checked.

After policy configuration, run gpupdate on the Windows server that hosts the RADIUS server so that certificates can auto-enroll.

 

Create auto-enroll certificate template for Workstations and Users

Administrators will need to create an auto-enroll certificate template by duplicating the existing "Computer" template. 

Please refer to KB-2798: How to setup a workstation-authentication certificate for auto-enrollment for Mac OS X for
complete step-by-step directions to create a computer certificate template.

Create auto-enroll certificate template for Users

Please refer to KB-4275: How to setup a user-authentication certificate for auto-enrollment for Mac OS X for complete
step-by-step directions to create a user certificate template.

After creating the certificate template, be sure to make note of the certificate name (not the display name) as it
will be required when configuring the 802.1X group policy options.



 

Configure the Wireless Access Point

The wireless AP needs to support 802.1X authentication, which means it must support one of the following security modes:

  • WPA Enterprise
  • WPA2 Enterprise
  • 802.1X WEP (the name can be different, for example RADIUS) 

To configure the wireless AP, you need to enter the wireless network security type (WPA Enterprise), the IP address of the RADIUS server, the RADIUS port (1812), and the shared secret (Mjolnir in this example) that the AP and the RADIUS server use to authenticate each other's RADIUS messages.



 

Configure Network Policy Server

Administrators should confirm that Network Policy Server is correctly configured with a RADIUS client (such as a wireless access point) and with a Network Policy that allows secure wireless connections using certificate-based authentication.

RADIUS client example:

Launch the Network Policy Server console. Click “NPS (Local)”, select “RADIUS server for 802.1x Wireless or Wired Connections” from the dropdown list, then select “Configure 802.1X”.



Select the “Secure Wireless Connection” option and provide a name for the policy:


 

Click the "Add" button to add a RADIUS client:



Enter the client details, including the name, IP address and the shared secret between the client and the Network Policy Server (NPS).
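The shared secret entered on the AP (Mjolnir above) and again here on the NPS RADIUS client is what ties the two ends of the RADIUS exchange together. The following Python example is added here and is not Centrify's or Microsoft's code: it builds an Access-Request carrying the Message-Authenticator that EAP over RADIUS requires (RFC 3579) and checks the Response Authenticator of the reply (RFC 2865), so that a wrong secret on either side, or a packet altered in transit, is rejected. The packet contents and the identity host/mac01 are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed sample values: the secret is the one the article enters on the AP and
# as the NPS RADIUS client; every packet field in the example is made up.
SHARED_SECRET = b"Mjolnir"
ACCESS_REQUEST, ACCESS_ACCEPT, MESSAGE_AUTHENTICATOR = 1, 2, 80  # codes; attr type (RFC 3579)

def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS type-length-value attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def find_attr(pkt, attr_type):
    """Return (offset, value) of the first attribute of attr_type, else (None, None)."""
    pos = 20
    while pos + 2 <= len(pkt) and pkt[pos + 1] >= 2:  # length < 2 is malformed: stop
        t, length = pkt[pos], pkt[pos + 1]
        if t == attr_type:
            return pos, pkt[pos + 2:pos + length]
        pos += length
    return None, None

def build_access_request(ident, req_auth, attrs, secret=SHARED_SECRET):
    """Access-Request with EAP-Message and the Message-Authenticator RFC 3579 requires."""
    body = encode_attrs(attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))])  # HMAC over zeroed field
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def message_authenticator_ok(pkt, secret=SHARED_SECRET):
    """NPS-side check: recompute the HMAC-MD5 with its own copy of the shared secret."""
    off, mac = find_attr(pkt, MESSAGE_AUTHENTICATOR)
    if off is None or len(mac) != 16:
        return False
    zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), mac)

def build_response(code, ident, req_auth, attrs, secret=SHARED_SECRET):
    """Reply whose authenticator is MD5(Code+ID+Length+RequestAuth+Attrs+Secret), RFC 2865."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + req_auth + body + secret).digest() + body

def response_ok(resp, req_auth, secret=SHARED_SECRET):
    """AP-side check: fails if the reply was not made with the AP's secret or was altered."""
    head, body = resp[:4], resp[20:]
    if len(resp) < 20 or struct.unpack("!H", head[2:])[0] != len(resp):
        return False
    expected = hashlib.md5(head + req_auth + body + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])
```

A secret mismatch between the AP and NPS therefore shows up as NPS silently dropping the request and as the AP discarding the reply, rather than as a certificate error on the Mac.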



On the Configure 802.1X page, select "Microsoft: Smart Card or other certificate" and then click the “Configure” button.


Select the domain controller certificate – be sure NOT to select the root CA certificate. If multiple certificates are listed, use the expiration date to match the certificate on the CA.


 

On the Specify User Groups page, add the group that will be granted access via this connection. If no groups are selected, the connection will be available to all clients. For connections using a workstation certificate, add the Domain Computers group. For connections using a user certificate, add Domain Users or another specific group.


If using a workstation certificate, add the Domain Computers group. If using a user certificate, be sure to add the Domain Users group.

 
 

Configure 802.1X Group Policy

Administrators must configure a profile via group policy that will be used to deliver configuration settings and the
certificate payload to Mac computers. The following example uses a computer certificate for secure wireless authentication:



Note: Be sure to enter the certificate template name, not the template display name, in the policy settings.
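To make concrete what the profile delivered by the group policy carries, the following Python example is added here (it is not Centrify's code and does not reproduce Centrify's output format): it assembles an Apple configuration profile, using Apple's documented Wi-Fi and certificate payload keys, that holds the root CA, the workstation identity and an EAP-TLS-only network entry, and it audits a profile for the EAP settings a defender cares about (TLS only, anchored to our root CA, server name pinned, no user trust exceptions). The SSID, the server name and the certificate bytes are constructed placeholders.

```python
import plistlib
import uuid

EAP_TLS = 13  # EAP method number for EAP-TLS (25 = PEAP, 21 = TTLS)
# Constructed placeholders: a real profile carries the exported root CA .cer and the
# auto-enrolled workstation identity (as PKCS#12) in these two fields.
ROOT_CA_DER = b"<DER bytes of the CENTTLS-DC01-CA certificate>"
WORKSTATION_P12 = b"<PKCS#12 bytes of the auto-enrolled computer certificate>"

def payload(ptype, ident, **keys):
    """Add the header keys every payload in a profile needs."""
    return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadIdentifier": ident,
            "PayloadUUID": keys.pop("PayloadUUID", str(uuid.uuid4())), **keys}

def build_profile(ssid, trusted_server_names, eap_types=(EAP_TLS,), allow_trust_exceptions=False):
    """Profile with the root CA, the workstation identity and one WPA2-Enterprise network."""
    ca_uuid, id_uuid = str(uuid.uuid4()), str(uuid.uuid4())
    return payload("Configuration", "example.8021x.profile", PayloadContent=[
        payload("com.apple.security.root", "example.8021x.rootca",
                PayloadUUID=ca_uuid, PayloadContent=ROOT_CA_DER),
        payload("com.apple.security.pkcs12", "example.8021x.identity",
                PayloadUUID=id_uuid, PayloadContent=WORKSTATION_P12),
        payload("com.apple.wifi.managed", "example.8021x.wifi",
                SSID_STR=ssid, EncryptionType="WPA2", AutoJoin=True,
                PayloadCertificateUUID=id_uuid,  # client identity presented in EAP-TLS
                EAPClientConfiguration={
                    "AcceptEAPTypes": list(eap_types),
                    "PayloadCertificateAnchorUUID": [ca_uuid],  # trust only this root CA
                    "TLSTrustedServerNames": list(trusted_server_names),
                    "TLSAllowTrustExceptions": allow_trust_exceptions}),
    ])

def audit_profile(profile):
    """List weaknesses in each Wi-Fi payload's EAP settings (empty list means none found)."""
    findings = []
    for p in (x for x in profile["PayloadContent"] if x["PayloadType"] == "com.apple.wifi.managed"):
        eap = p.get("EAPClientConfiguration", {})
        checks = [
            (eap.get("AcceptEAPTypes") != [EAP_TLS], "accepts EAP methods other than EAP-TLS"),
            (not eap.get("PayloadCertificateAnchorUUID"), "no trust anchor for the RADIUS server cert"),
            (not eap.get("TLSTrustedServerNames"), "RADIUS server name not pinned"),
            (eap.get("TLSAllowTrustExceptions"), "user may accept an untrusted server certificate"),
            (not p.get("PayloadCertificateUUID"), "no client identity for EAP-TLS"),
        ]
        findings += [msg for bad, msg in checks if bad]
    return findings

def to_plist(profile):
    """Serialize to the XML plist form used by a .mobileconfig file."""
    return plistlib.dumps(profile)
```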



 

Troubleshooting

Many things can go wrong when configuring 802.1X for Mac for the first time. To assist with troubleshooting, please refer to the following Centrify knowledge articles:

If the certificate does not appear in Keychain Access, see:
If experiencing issues and have version 5.2.2 of the Mac agent installed, please reference the following KB:


For additional information not covered in this guide or troubleshooting assistance, please review the
Centrify Online Help or Customer Support Portal at https://www.centrify.com/support/customer-support-portal/
