Configuring EAP-TLS Wireless connections on macOS with Jamf

After procuring a new Ruckus Wireless network to replace our soon-to-be EOL Aruba equipment my attention turned to simplifying the current setup in preparation for the changeover. One of those tasks involved moving to policy-defined Wi-Fi connections for our internal devices.

eduroam for organisation owned devices

After configuring eduroam for BYOD I was intrigued by the possibility of using the same SSID to also onboard our college-owned devices; a mixture of Windows 10 domain-joined laptops and MacBooks on macOS Mojave. Now we have Jamf Pro fully operational the task looked much more manageable.

I decided to look into certificate-based authentication (EAP-TLS) to achieve this. All the information to do this with AD CS and macOS devices is out there but it’s a bit scattered so this post aims to bring it all together in one handy step-by-step guide.

Jamf Pro AD CS Connector

We’re using Active Directory Certificate Services (AD CS) to issue certs to our devices using an auto-enrollment policy. You have two methods to do this; either use the original Jamf payload or the new Jamf Pro AD CS Connector. We don’t have SCEP \ NDES enabled on our CA (which appears to be required for the older Jamf AD CS method) so the Connector looked a better option.

https://docs.jamf.com/technical-papers/jamf-pro/integrating-ad-cs/10.6.0/Overview.html
https://www.jamf.com/jamf-nation/discussions/29230/what-is-ad-cs-connector-used-for-what-is-it-s-purpose

The Connector also has the advantage that the Mac doesn’t need to reach AD CS directly to obtain or renew its cert, since Jamf Pro makes the request on the machine’s behalf; that could prove useful in future as well.

https://docs.jamf.com/ad-cs-connector/1.0.0/Installing_the_Jamf_AD_CS_Connector.html
https://www.sysopnotes.com/archives/jamf-adcs-setup/

Setting up the link between Jamf and AD CS

When running the installation the PowerShell command will look something like

PS C:\Jamf\adcs-connector-1.0.0\ADCS Connector> .\deploy.ps1 -fqdn youradcs.internaldomain.co.uk -jamfProDN jamf.yourdomain.co.uk -cleanInstall
  • youradcs.internaldomain.co.uk is the DNS name of your AD Certificate Services server
  • jamf.yourdomain.co.uk is the DNS name of your Jamf Pro server

The Jamf instructions above are pretty simple for the first part of the installation but pay attention to some key points below:

  1. the Jamf Pro AD CS Connector will only work on Server 2016, don’t even try it on anything older!
  2. check, check and check again that you’ve saved the “Client cert keystore password” generated by the PowerShell script before continuing
  3. when you configure the CA details in Jamf Pro make sure you use the name of the CA as it is displayed in AD CS
    this is really easy to miss as the instructions aren’t particularly clear, note the setup as per the YouTube walkthrough below
    (use this link to skip to the relevant section about naming the CA https://youtu.be/oRkpkN1Z3aI?t=612 )

Credit to Daniel MacLaughlin for making this and highlighting the key points 🙂

AD CS Certificate Template

If you already have a certificate template deployed for your Windows machines don’t try to re-use it for the Jamf Pro AD CS Connector. You need different settings when deploying with the AD CS Connector because Jamf Pro requests the certificate on the Mac’s behalf rather than the computer requesting it itself.

Certificate Subject Name must be set to “Supply in the request”

Jamf server’s Computer Object in Active Directory needs to be given rights to Enrol \ Auto Enroll

Because the subject now comes from the request rather than from AD, anyone who can enrol on this template can ask for a certificate in any computer’s name. Keep the Enroll permission limited to the identity the Connector uses (plus your CA admins) and don’t grant it to Domain Computers, Authenticated Users or similar broad groups.
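As an added check (this is my own example, not anything from the Jamf or Microsoft documentation), the script below reads the template from the Configuration partition and reports the two settings above: whether the subject is supplied in the request, and which principals hold Enroll, AutoEnroll or template-editing rights. It assumes the RSAT ActiveDirectory module is installed and that the template’s CN is “JamfMacComputer”, which is a made-up name.

```powershell
# Added example, not part of the original post: audit the template the
# Connector will request from. Assumes the RSAT ActiveDirectory module is
# installed and that the template's CN is "JamfMacComputer" (a made-up name).
Import-Module ActiveDirectory

$TemplateName = 'JamfMacComputer'   # assumption: change to your template's CN

# Schema constants: bit 0x1 of msPKI-Certificate-Name-Flag means the enrollee
# supplies the subject; the two GUIDs are the Enroll and AutoEnroll
# extended rights.
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1
$EnrollRightGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollRightGuid = [guid]'a05b8cc2-17bc-11d2-945f-00c04fb984f9'
$ADR = [System.DirectoryServices.ActiveDirectoryRights]

$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$tpl = Get-ADObject -Identity $templateDN -Properties 'msPKI-Certificate-Name-Flag', 'pKIExtendedKeyUsage'

# 1. Subject name must come from the request, because Jamf Pro fills it in.
$nameFlag        = [int]$tpl.'msPKI-Certificate-Name-Flag'
$suppliesSubject = ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
"Template            : $TemplateName"
"Subject in request  : $suppliesSubject"
"Extended key usages : $($tpl.pKIExtendedKeyUsage -join ', ')"   # expect Client Authentication, 1.3.6.1.5.5.7.3.2

# 2. Who can enrol? Since the requester chooses the subject, this should be
#    only the identity the Connector enrols as, plus the CA admins.
$acl = Get-Acl -Path "AD:\$templateDN"
$holders = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $rights = $ace.ActiveDirectoryRights
    $right  = $null
    if     ($ace.ObjectType -eq $EnrollRightGuid)     { $right = 'Enroll' }
    elseif ($ace.ObjectType -eq $AutoEnrollRightGuid) { $right = 'AutoEnroll' }
    elseif ($ace.ObjectType -eq [guid]::Empty -and ([int]($rights -band $ADR::ExtendedRight)) -ne 0) {
        $right = 'All extended rights (includes Enroll)'
    }
    elseif (([int]($rights -band $ADR::GenericAll)) -ne 0) {
        $right = 'GenericAll (can edit the template itself)'
    }
    elseif (([int]($rights -band ($ADR::WriteDacl -bor $ADR::WriteOwner))) -ne 0) {
        $right = "$rights (can take over the template)"
    }
    if ($right) { [pscustomobject]@{ Principal = $ace.IdentityReference; Right = $right } }
}
$holders | Format-Table -AutoSize

# Flag the dangerous combination outright: subject from the request plus a
# broad group that can enrol means anyone in that group can mint a cert for
# any machine name.
$broad = $holders | Where-Object { $_.Principal -match 'Domain Computers|Domain Users|Authenticated Users|Everyone' }
if ($suppliesSubject -and $broad) {
    Write-Warning "Subject is supplied in the request AND broad groups can enrol: $($broad.Principal -join ', ')"
}
```

Run it from a domain-joined admin workstation after the template is published; the warning at the end is the one line you really care about.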

Configuration Profile

Now go into Jamf and build a Profile to push out to your devices.

This part is important! You need to have all these elements defined within the same Profile for it to work!

  • Certificate to be generated from AD CS
  • Root CA for AD CS
  • Root CA for RADIUS server
    (if different to AD CS Root, which was the case for our eduroam profile)
  • Wireless network payload to actually make the connection

Defining the Certificate Payload

Enlarge the image below to see the Certificate payload more closely. You’ll see where I named the PKI CA wrongly at first but even after changing it to the proper CA name the UI doesn’t update. Still works though, which is the main thing (!)

Certificate subject is CN=$COMPUTERNAME.yourinternal.domain.co.uk
SAN name is $COMPUTERNAME.yourinternal.domain.co.uk

It appears having the SAN defined is important for the next part when you define the Wireless connection Payload.

Defining the Network Payload

When configuring the Wi-Fi connection Payload itself the next part is absolutely crucial. All credit to sbirdsley on Jamf Nation for this vital bit of info:

https://www.jamf.com/jamf-nation/discussions/27058/eap-tls-certificate-based-wifi-authentication

The username must be defined as follows or the connection will fail:

host/%ComputerName%.%AD_DomainNameDNS%

Also note the Identity Certificate you supply in the Network Payload must match the one you enter in the Certificate Payload. It’s on a dropdown so should be easy to match but if you have multiple entries be careful to pick the correct one.

Obviously, you’ll also need to set WPA2 Enterprise and TLS in the Security Type and Protocols sections.

Deploying the Profile and troubleshooting errors

Once saved the Configuration Profile should apply quickly.

Note: you will need to reboot for the connection to take effect. The profile installs the certificate and its private key in the System keychain, and a system-level 802.1X connection like this is made at startup; if you try to connect manually once already logged in you’ll get errors because the user session doesn’t have access to the required private key.

Another common error you may see in the Jamf logs if the profile doesn’t apply successfully is this:

Unable to retrieve AD CS certificate for profile payload

If you receive this error double-check the name you entered in PKI settings when defining the AD CS server. If this doesn’t exactly match the name of your Certificate Authority (note this is the name of the CA itself, not the name of the server on which it’s installed) the profile won’t work.

DEP users beware

Also a further note for those deploying new machines via DEP. Because Configuration Profiles apply pretty much as soon as they possibly can there is a possibility you’ll get a certificate generated too early in the process with the wrong machine name i.e. “Administrator’s Macbook Pro” or something along those lines.

The best workaround we have for that so far is to name any manually-enrolled machines before starting the enrollment process and for brand new machines run machine naming as early on in the deployment process as possible. If you get a failed Wireless connection on a newly-enrolled machine check the certificates list in AD CS for any wrongly-named certificates. Revoke them and try again.
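To make the “check AD CS for wrongly-named certificates” step repeatable, here is an added example of my own (not a script from the post): it uses certutil’s CSV output to list still-valid certificates issued from the Jamf template whose common name doesn’t follow the $COMPUTERNAME.yourinternal.domain.co.uk convention, and revokes them when run with -Revoke. The template OID and the name pattern are assumptions; V2 templates are recorded in the CA database by OID, which “certutil -v -template <Name>” will show you.

```powershell
# Added example, not the post's own script: list certificates the CA has
# issued from the Jamf template whose common name does not follow the
# $COMPUTERNAME.yourinternal.domain.co.uk convention set in the profile, and
# revoke them when -Revoke is given. Run on the CA. The template OID and the
# name pattern are assumptions.
param(
    [string]$TemplateOid     = '1.3.6.1.4.1.311.21.8.1.2.3.4.5.6.7.8',     # placeholder OID
    [string]$ExpectedPattern = '^[A-Za-z0-9-]+\.yourinternal\.domain\.co\.uk$',
    [switch]$Revoke
)

$ReasonSuperseded = 4   # certutil -revoke reason code

# Disposition 20 = issued. Ask certutil for CSV so we can parse it; the first
# row it prints is a header, so it is skipped and our own column names used.
$columns = 'RequestID', 'SerialNumber', 'CommonName', 'NotAfter'
$raw = certutil -view -restrict "Disposition=20,CertificateTemplate=$TemplateOid" `
                -out ($columns -join ',') csv
if ($LASTEXITCODE -ne 0) { throw "certutil -view failed (exit $LASTEXITCODE)" }

$issued = $raw | ConvertFrom-Csv -Header $columns | Select-Object -Skip 1

# Still-valid certificates whose CN is wrong: the DEP race leaves names like
# "Administrator's MacBook Pro", which fail the pattern.
$bad = $issued | Where-Object {
    [datetime]::Parse($_.NotAfter) -gt (Get-Date) -and $_.CommonName -notmatch $ExpectedPattern
}

if (-not $bad) { "No wrongly-named certificates found."; return }

$bad | Format-Table RequestID, SerialNumber, CommonName, NotAfter -AutoSize

if ($Revoke) {
    foreach ($cert in $bad) {
        certutil -revoke $cert.SerialNumber $ReasonSuperseded | Out-Null
        if ($LASTEXITCODE -eq 0) { "Revoked $($cert.SerialNumber) ($($cert.CommonName))" }
        else { Write-Warning "Failed to revoke $($cert.SerialNumber)" }
    }
    # A revocation only bites once a new CRL is published and the RADIUS
    # server fetches it, so publish one now rather than waiting for the schedule.
    certutil -crl | Out-Null
}
else {
    "Run again with -Revoke to revoke these."
}
```

Run it without -Revoke first and eyeball the list; a legitimate machine with a non-standard name would otherwise lose its Wi-Fi until the next enrolment.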

NPS logging

During the initial setup and troubleshooting process I found that our RADIUS server wasn’t giving me a great lot of detail from the default log files that get created by Windows NPS.

Turns out you can get a much more readable version in the Event Viewer by manually enabling some additional Audit Log settings – thanks Mike Nowak for the tip!

https://www.mikenowak.org/nps-authentication-events-not-showing-event-log/
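The extra audit setting is the “Network Policy Server” subcategory. As an added example of my own (not from the post or the linked article), the script below enables it with auditpol and then summarises the last week’s denials (event ID 6273 in the Security log) by user and reason code, which is usually enough to tell a bad credential from a certificate problem. The field names come from the 6273 event’s EventData; nothing else is assumed.

```powershell
# Added example, not from the original post: enable NPS auditing so that
# grants and denials land in the Security event log, then summarise recent
# denials (event ID 6273) by user and reason. Run elevated on the NPS server.

# Both halves are needed: success auditing gives 6272 (granted), failure
# auditing gives 6273 (denied) and 6274 (discarded). Successes are logged for
# every authentication, so size the Security log accordingly.
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

function Get-NpsDenial {
    param([int]$Days = 7)

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 6273
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        [pscustomobject]@{
            Time       = $e.TimeCreated
            User       = $d['FullyQualifiedSubjectUserName']
            Mac        = $d['CallingStationID']      # client MAC as sent by the controller
            Nas        = $d['NASIdentifier']
            Policy     = $d['NetworkPolicyName']
            EapType    = $d['EAPType']
            ReasonCode = $d['ReasonCode']
            Reason     = $d['Reason']
        }
    }
}

# Who is failing and why? Reason code 16 is a credential mismatch; the
# certificate-related codes are spelled out in the Reason text.
Get-NpsDenial -Days 7 |
    Group-Object User, ReasonCode |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Drill into EAP-TLS failures only (NPS names the method
# "Microsoft: Smart Card or other certificate")
Get-NpsDenial -Days 7 |
    Where-Object { $_.EapType -like '*Smart Card*' } |
    Select-Object Time, User, Mac, EapType, ReasonCode, Reason |
    Format-Table -Wrap
```

If the second table is empty while Macs are still failing, the request is not reaching NPS at all: check the RADIUS client entry and the shared secret on the controller before looking at certificates.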


eduroam on Aruba and Microsoft NPS – an end-to-end guide

After a meeting with our Jisc account manager a few months back we decided to join the eduroam service. This provides RADIUS based Wi-Fi access for both our students and any educational visitors who have an eligible account via their own institutions. This post outlines some of the infrastructure changes we put in place to provide the service using our Aruba controller and Microsoft NPS.

Basics

To find out more about the eduroam service and how to get started visit:

https://community.jisc.ac.uk/library/janet-services-documentation/eduroam
https://community.jisc.ac.uk/library/janet-services-documentation/joining-organisations-welcome-pack

External DNS record & IP address

Create an external DNS record and assign to an external-facing IP address that will be used by eduroam to contact your RADIUS server.

Firewall access

Ensure that your firewall rules are tight and locked down to the specific eduroam NRPS servers via their IP addresses. Only allow the RADIUS authentication port, UDP 1812, to accept connections from them (and UDP 1813 only if you accept accounting from the NRPS).

Note: you must allow ICMP echo (ping) to the eduroam external IP, otherwise you will get server-down errors in the support portal.

Also note the status page has a 24 hour refresh period so if you need to resolve a configuration issue don’t expect everything to go green straight away 🙂
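The same restriction is worth repeating on the NPS server itself as defence in depth behind the edge firewall. Here is an added example of my own (not the post’s configuration) using the Windows Firewall cmdlets; every address in it is a placeholder, so take the real NRPS list from the Jisc documentation and your controller’s address from your own network. The one thing people forget when scoping UDP 1812 to the NRPS is that the wireless controller is a RADIUS client too, so it gets its own rule.

```powershell
# Added example, not the post's own config: Windows Firewall rules on the NPS
# server so that RADIUS is accepted only from the eduroam NRPS and from your
# own controller, and ICMP echo is allowed from the NRPS for the status check.
# All addresses below are placeholders (assumption).
$Nrps        = @('192.0.2.10', '192.0.2.11', '192.0.2.12')   # TEST-NET placeholders
$Controllers = @('10.10.0.5')                               # your Aruba controller(s)

# Make the script re-runnable: drop any earlier copies of these rules
Get-NetFirewallRule -DisplayName 'eduroam *' -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Inbound RADIUS authentication (UDP 1812) from the NRPS. Add 1813 only if you
# accept accounting from them.
New-NetFirewallRule -DisplayName 'eduroam NRPS RADIUS auth in' -Direction Inbound -Action Allow `
    -Protocol UDP -LocalPort 1812 -RemoteAddress $Nrps | Out-Null

# The controller is a RADIUS client too; without this rule the scoped rule
# above would cut it off.
New-NetFirewallRule -DisplayName 'eduroam controller RADIUS in' -Direction Inbound -Action Allow `
    -Protocol UDP -LocalPort 1812,1813 -RemoteAddress $Controllers | Out-Null

# Outbound RADIUS to the NRPS for proxied (visitor) requests
New-NetFirewallRule -DisplayName 'eduroam NRPS RADIUS auth out' -Direction Outbound -Action Allow `
    -Protocol UDP -RemotePort 1812 -RemoteAddress $Nrps | Out-Null

# ICMP echo request from the NRPS, so the service status page doesn't report
# the server down
New-NetFirewallRule -DisplayName 'eduroam NRPS ping' -Direction Inbound -Action Allow `
    -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $Nrps | Out-Null

# Verify: every enabled inbound rule that opens UDP 1812 should be scoped to a
# remote address list, never to "Any".
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'UDP' -and $_.LocalPort -contains '1812' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        if ($remote -eq 'Any') { Write-Warning "$($_.DisplayName) accepts RADIUS from Any" }
        [pscustomobject]@{ Rule = $_.DisplayName; Action = $_.Action; RemoteAddress = $remote }
    } | Format-Table -AutoSize
```

The check at the end catches the rule the NPS role installs by default, which listens on 1812 from any address; disable or scope it once your own rules are in place.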

NPS configuration

You’ll refer to the following two links a lot during this process:

https://community.jisc.ac.uk/library/janet-services-documentation/eduroam-deployment-guide

Jon Agland has written an excellent step-by-step guide to configuring Microsoft NPS for eduroam. Follow the steps precisely and you won’t go wrong! You’ll also set up a CA along the way, again no drama as long as you follow the guide:

https://community.jisc.ac.uk/groups/eduroam/document/eduroamuk-microsoft-nps-configuration-guide

RADIUS attributes and roles

In order for the Aruba controller to be able to assign eduroam Home and Visitor traffic to specific VLANs you’ll need to send RADIUS Vendor-Specific Attributes across during authentication on the NPS server. For more background see these two very handy links:

https://community.jisc.ac.uk/library/janet-services-documentation/radius-attribute-filtering-microsoft-ias-and-nps
https://community.arubanetworks.com/t5/Security/Microsoft-NPS-custom-attributes/td-p/95999

Note the requirement to set the VLAN-assignment attributes yourself in the NPS policy and to filter the attributes that arrive from the NRPS, so that values sent by a visitor’s home organisation (which may not be valid on your controller) aren’t passed through to the wireless side.

Aruba configuration

(replace XX with a short name for your organisation, or an identifier of your own choosing)

Aruba’s own guide (cbp-79_guide_to_configuring_eduroam_using_the_aruba_wireless_controller_and_clearpass.pdf) covers the same steps in detail.

  • Add RADIUS Server your-nps-server and configure it with the shared secret etc.
  • Add to Server Group XX_eduroam
  • Add L2 Authentication > 802.1X Authentication profile XX_eduroam
  • Add AAA Profile eduroam_AAA
  • Add User Roles eduroam-logon, eduroam-home and eduroam-visitor
  • Add SSID Profile eduroam_SSID
  • Add Virtual AP eduroam_VAP

Roles

By sending RADIUS attributes across after matching a rule on NPS you can set additional rules on eduroam traffic within the controller. For example we provide a “pot” of bandwidth for all users in a particular role to share, ensuring that our Internet connection doesn’t get saturated by BYOD traffic. We have separate bandwidth contracts for staff, students and visitors.

https://www.arubanetworks.com/techdocs/ArubaOS_81_Web_Help/Content/ArubaFrameStyles/Firewall_Roles/bandwidth_contract_config.htm

Configure the Attributes within your NPS Network Policies (under the Settings > Vendor Specific tab)

For a list of all supported Aruba VSAs visit
https://community.arubanetworks.com/t5/Wireless-Access/Assigning-users-different-vlan-subnet-based-on-AD-group/td-p/59210

Aruba PEF rules (firewall policies)

After ensuring that the mandatory eduroam applications are allowed to connect outbound we also ensure Guest Isolation is enabled (so devices can’t contact each other) and that eduroam users can only contact specific internal services (such as Moodle) on defined ports, using Aruba role-based firewall ACLs.

If you’re not using a tunnelled \ controller setup then the security rules will need to be done with switch ACLs instead.

Logging and troubleshooting

Part of the eduroam specification requires you to retain DHCP and RADIUS logs for 3 months. Use the following to make the process easy on yourself…

NPS logs

NPS logs aren’t particularly human-friendly by default but with the help of this rather handy tool you can use PowerShell to search through them for particular usernames. Very handy if you’re experiencing authentication issues.

https://gallery.technet.microsoft.com/MS-NPSRADIUS-Logs-b68af449

You need to change the Log File format to IAS (Legacy) for the viewer tool to work correctly. Set the options as per screenshot below:

Once done you then browse the LogFiles folder, check the current file name and use the script as per below, substituting “AUser” for either a username or MAC address to search for. Very handy to diagnose connection errors or in the event you need to investigate activity on the eduroam network…

C:\Windows\System32\LogFiles\NAP_Logs_Interpreter.ps1 -filename C:\Windows\System32\LogFiles\IN1805.log -SearchData AUser -SearchDays 5

(use of the SearchDays switch is optional)

DHCP logs

eduroam also requires that you keep 3 months of DHCP logs to identify users and computers that have connected to the network. Fortunately there’s a handy DHCP log file retention script available that can help (as the standard Windows functionality is rather basic to say the least).

Credit to Jason Carter for the original script and Patrick Hoban for keeping a copy alive when the original blog post went down 🙂

https://patrickhoban.wordpress.com/2011/03/01/1352/

I made a couple of tweaks to make the script easier to edit and added some logging using the handy PowerShell Transcript method

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.host/start-transcript?view=powershell-6
https://ss64.com/ps/start-transcript.html

Download my edited script from OneDrive and replace the server name variable with the name of your backup target then follow these steps to implement it.

  1. create a shared folder on your central logging server (or file server if you prefer)
  2. create a service account user to run the Scheduled Task that will archive the logs.
    I recommend a standard Domain User account with a complex password.
  3. add the account to the Backup Operators group on each DHCP server
    (this allows the script to access the files it needs; note that Backup Operators carries the backup privilege, which lets the account read any file on the server regardless of its ACL, so treat the account as privileged, or grant it read access on the DHCP log folder directly instead)
  4. create a Scheduled Task to run the script weekly
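For anyone who would rather not fetch a script from OneDrive, here is my own version of the archive job (an added example, not the linked script): it copies each DHCP server’s audit logs to a central share, stamps each copy with the log’s own date so the weekday files aren’t overwritten, prunes copies older than the retention window, and records every run with Start-Transcript. The server names, the share paths and the 92-day retention period are assumptions; the source share is assumed to be a read-only share of %SystemRoot%\System32\dhcp on each DHCP server.

```powershell
# Added example, my own version of the archive job described above rather than
# the script the post links. Server names, share paths and retention period
# are assumptions. Run it weekly from a Scheduled Task as the service account.
param(
    [string[]]$DhcpServers = @('dhcp1.internal.example', 'dhcp2.internal.example'),
    # Assumed read-only share of %SystemRoot%\System32\dhcp on each DHCP server
    [string]$LogShare      = 'dhcplog$',
    [string]$ArchiveRoot   = '\\logserver.internal.example\dhcp-archive$',
    [int]$RetentionDays    = 92
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
New-Item -ItemType Directory -Path (Join-Path $ArchiveRoot 'transcripts') -Force | Out-Null
Start-Transcript -Path (Join-Path $ArchiveRoot "transcripts\archive-$stamp.txt")
$failed = $false

try {
    foreach ($server in $DhcpServers) {
        $source = "\\$server\$LogShare"
        $dest   = Join-Path $ArchiveRoot $server
        New-Item -ItemType Directory -Path $dest -Force | Out-Null

        # Windows keeps one file per weekday (DhcpSrvLog-Mon.log ...) and
        # overwrites it the following week, so the copy is stamped with the
        # log's own last-write date rather than today's.
        Get-ChildItem -Path $source -Filter 'DhcpSrvLog-*.log' -ErrorAction Stop | ForEach-Object {
            $logDate = $_.LastWriteTime.ToString('yyyyMMdd')
            $target  = Join-Path $dest ('{0}-{1}' -f $logDate, $_.Name)
            # Re-copy if the file grew since the last run (today's log is still being written)
            if (-not (Test-Path $target) -or (Get-Item $target).Length -ne $_.Length) {
                Copy-Item -Path $_.FullName -Destination $target -Force
                "Copied $($_.FullName) -> $target"
            }
        }
    }

    # Prune copies that have passed the retention window
    $cutoff = (Get-Date).AddDays(-$RetentionDays)
    Get-ChildItem -Path $ArchiveRoot -Recurse -File -Filter '*-DhcpSrvLog-*.log' |
        Where-Object { $_.LastWriteTime -lt $cutoff } |
        ForEach-Object { Remove-Item -Path $_.FullName; "Removed $($_.FullName)" }
}
catch {
    Write-Error "Archive run failed: $_"
    $failed = $true
}
finally {
    Stop-Transcript
}

if ($failed) { exit 1 }
```

Register it with Register-ScheduledTask using a weekly trigger, the service account as the principal and “Run whether user is logged on or not”; the transcripts folder then gives you a simple audit trail of which runs copied what, which is handy when someone asks for three-month-old evidence.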

DNS server

I decided to run a separate DNS server for the eduroam clients. That way they only resolve the internal server names we want to expose (e.g. web server, VLE etc.) and it reduces any load on our main AD infrastructure.

I’m a fan of the CentOS distro so set up a basic server and added BIND

yum install bind bind-utils -y

Then configure BIND via /etc/named.conf using https://opensource.com/article/17/4/build-your-own-name-server as a template. We use the Quad9 resolver (9.9.9.9) as a forwarder so that lookups of known-malicious domains are blocked before clients reach them. Make sure recursion is only allowed from the eduroam client subnets, otherwise the box becomes an open resolver.

Walled Garden for CAT

If you don’t have an onboarding tool such as Aruba ClearPass, Ruckus Cloudpath etc. then the eduroam CAT tool will be your friend. Initially you’ll need to configure CAT with your eduroam certificate, organisation logo etc. to create the profiles used for configuration. Follow the guide below to set up your organisational profile:

https://wiki.geant.org/display/H2eduroam/A+guide+to+eduroam+CAT+for+institution+administrators

Once done the site used for configuring clients is available at the dedicated URL https://cat.eduroam.org/

Unfortunately Android users need to download an additional app to install a configuration profile on their device. Because of this I’ve personally found it easier to tell users to download the eduroam CAT app from the Play Store as their first action then find the Havering College profile in there, rather than bouncing back and forward from browser > app > browser.

https://play.google.com/store/apps/details?id=uk.ac.swansea.eduroamcat&hl=en_GB


Onboarding SSID

I tried a few ways to get the eduroam CAT site to automatically open when users connect to a setup \ guest SSID, so that we can easily onboard them when they first arrive at the college.

However sometimes client devices get too clever for their own good and if they see a Captive Portal with redirect then try and open up the CAT tool within their own Captive Network Assistant mini-browser. The problem with this being that the CNA browser doesn’t support certain features & scripts, leading to the CAT page appearing but not doing very much as the profile doesn’t download or install as it normally would.

https://alexmeub.com/apple-captive-network-assistant-macos/

Although you may be able to do some funky URL redirection with roles on your Wi-Fi system also bear in mind some users may just want to connect to wireless to use apps and won’t touch the browser at all. At this point it seems the old fashioned methods may work best and clear signage telling users to visit the CAT site may be necessary (perhaps cat memes may well be a valid tactic?!)

In Aruba you can use the “Walled Garden” feature to set up an SSID that only allows access to the CAT website

https://www.arubanetworks.com/techdocs/ArubaOS%206_3_1_Web_Help/Content/ArubaFrameStyles/Captive_Portal/Creating_Walled_Garden_A.htm

However note that you will need to add a series of Google domains to the whitelist to ensure Google Play access is also allowed for Android users to get the eduroam CAT app.

check the About > About eduroam CAT page for the most up-to-date domain list as the Google URLs in particular change from time to time

REQUIRED

  • cat.eduroam.org (the service itself)
  • crl3.digicert.com, crl4.digicert.com (the CRL Distribution Points for the site certificate), also TCP/80
  • ocsp.digicert.com (the OCSP Responder for the site certificate), also TCP/80
  • android.l.google.com (Google Play access for Android App)
  • android.clients.google.com (Google Play access for Android App)
  • play.google.com (Google Play access for Android App)
  • ggpht.com (Google Play access for Android App)

RECOMMENDED for full Google Play functionality (otherwise, Play Store will look broken to users and/or some non-vital functionality will not be available)

  • photos-ugc.l.google.com
  • googleusercontent.com
  • ajax.googleapis.com
  • play.google-apis.com
  • googleapis.l.google.com
  • apis.google.com
  • gstatic.com
  • http://www.google-analytics.com
  • wallet.google.com
  • plus.google.com
  • checkout.google.com
  • *.gvt1.com

Documentation

A mandatory requirement of joining eduroam is that you provide a support page for users looking to connect to the service.

2.5. eduroam Service Information Website

2.5.1. Requirements

  1. Participants MUST publish an eduroam service information website which MUST be generally accessible from the Internet and, if applicable, within the organisation to allow visitors to access it easily on site.

Creating a Moodle course to house documentation and guides seemed a good fit for this seeing as our Student Intranet is hosted there.

http://student.havering-college.ac.uk/course/view.php?id=1428

If you’d like to use our course as a template for your own site get in contact and I’ll send a copy over.