Mac OS X WPA2 Enterprise Authentication Using a Microsoft CA - Part 2
This is the second in a series of posts describing the process of joining a corporate wifi network that uses a certificate from a Microsoft certificate authority with a Mac. There are four primary tasks to accomplish this:
- Bind the Mac to Active Directory
- Add the Microsoft CA to the keychain
- Request a Machine certificate from the CA
- Configure the wifi network using the certificate for authentication
Part 1 covered the Active Directory binding. Part 2 will cover the other 3 steps.
Trusting the Certificate Authority
You can request a certificate from a Microsoft CA without actually trusting the CA, however you will have problems trying to use theis certificate for wifi authentication unless the issuer is trusted. There are multiple ways to get the root certificate to trust. If you have a domain joined Windows machine handy then you can go to Start > Run and enter certmgr.msc. Find your corporate root CA under Trusted Root Certification Authorities > Certificates and then right-click and select Export from All Tasks. Note that it will not most likely not be named “Corporate Root CA”, this is just an example. If you don’t know what it is called, look for something with your company’s name in it.
Create another configuration profile to handle the certificate trust. Again, I recommend doing this as a stand-alone profile with a single payload so that it can be updated independently of other settings.
Requesting the AD Certificate
You will need to combine both the AD certificate request payload and the network configuration payload in the same configuration profile. This is the only way you can select the certificate as an authentication option for the network.
Apple has a KB article describing the AD certificate request. The example shown in Apple’s screenshot did not work for me. Whereas Apple’s example simply has a hostname, I had to fill in a complete URL in the format http://pki.kevinbecker.org/certsrv, as shown below. Figuring out the name of the CA also gave me some trouble. Looking at a certificate that had been issued to a Windows machine it would appear that the name of my company’s CA is “MyCompany Corporate Issuing CA”. At least in my case, this is incorrect. I found the correct name using adsiedit.msc as described in this Microsoft KB Article. You will also need to provide the credentials for an account that has rights to request certificates.
Again, in the same profile that has the AD Certificate payload, you will also have a payload to join your wifi network using that certificate. The Username for connection to the network needs to be the computer name followed by a dollar sign. The computer name can be specified in several places in OS X so it’s important to make sure you use the same name specified in the Sharing Preference pane and when binding to AD. In this example, I’m using a payload variable %ComputerName%. A complete list of payload variables can be found in this Apple KB Article. For the Identity Certificate select the AD Certificate name that you used in your AD Certificate payload.
Troubleshooting
Mike Boylan wrote an article at afp548.com covering this process on Mountain Lion. Following his guide, I still had some challenges, which I’ve tried to detail in this article, but his instructions for enabling logging were very helpful. The highlights are duplicated here:
If an error occurs when requesting the AD certificate, the profile will fail to install. To enable logging for the profile installation, and thus the certificate failure, issue the following commands in the terminal: sudo defaults write /Library/Preferences/com.apple.MCXDebug debugOutput -2sudo defaults write /Library/Preferences/com.apple.MCXDebug collateLogs 1
You will need to log out or reboot for the change to take effect. Logging information will show up in /Library/Logs/ManagedClient/ManagedClient.log. which you can easily view with the Console app. To disable debug logging, delete /Library/Preferences/com.apple.MCXDebug.plist.
eapolclient handles the EAP-TLS negotiation when joining a WPA2 Enterprise network. Errors are logged to /var/log/system.log. You can also enable more verbose logging by issuing the following command in the terminal:
sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.eapolclient LogFlags -int -1
The log(s) will be written to /var/log/eapolclient.[interface].log. To disable the verbose logging, simply change the value to 0.