Wireless security has been a hot topic over the last few years. Balancing security with deployment concerns can leave some sites less secure than they should be.
This session will cover the deployment of wireless security in large organizations and automation techniques to deploy 802.1x authentication with Mac OS X.
The focus will be on Active Directory and Microsoft's IIS certificate portal; open source alternatives will be covered as well.
36. RADIUS Testing
• radtest user password rad.ad.com 0 sharedsecret
• radtest -t mschap user password rad.ad.com 0 sharedsecret
Thursday, September 19, 13
37. Access Certificate Templates
• Replicated via Active Directory
• Access control lists for Certificate Templates (different than RADIUS)
38. Machine vs User template
curl -d "CertAttrib=CertificateTemplate:User%20Certificate" ...
40. Submit a CSR
curl -d "CertRequest=${ENCODED_CSR}" ...
73. ADCertificatePayloadPlugin
• Introduced in 10.7
• Supports Machine TGT style authentication
• Limited OS support; deprecated in favor of DCE/RPC
76. Common Issues
• Machine joins with the same MAC address (joins the existing account)
• Certificate expiration (set by template)
• eapolclient needs the keychain ACL set in older operating systems
• security -k not honored in 10.7 or 10.8 (keys exportable)
78. Open Source Solutions
• openssl command line (or I guess the Certificate Assistant)
• IPA (389 Directory Server, MIT Kerberos, NTP, DNS, Dogtag certificate system, SSSD and others)
• http://www.freeipa.org
79. Puppet as a Certificate Authority
• puppet agent -t (submits the certificate signing request)
• puppet cert --sign agent.puppetlabs.com
• puppet cert --generate ipad.puppetlabs.com