Baking Certificates into OSX Lion for 802.1X
20th December 2011
This is tricky. No question about that.
In order to configure OSX Lion to use 802.1X authentication over WiFi, both to log in and to connect (without prompting for credentials), we need to generate a .mobileconfig parameter file (a plist).
These files are a bugger to craft by hand, so what we'll do is use the Enterprise iPhone tool, to build one which can be used for a deployment to an iPhone, or OSX Lion laptop/desktop.
Apple have a bunch of stuff about Enterprise Deployment, here.
The file you want, however, is the iPhone Configuration Utility 3.4 for Mac OS X.
You'll need to run this on an Apple device: a Macbook Air, MBP, iMac, etc. As far as I know, you can't do this from an iPad.
1. Download and install from the DMG.
2. Run the Configuration Utility.
3. Click "Configuration Profiles" in the selector on the LHS.
4. Select "New", and you should get a blank new profile.
5. Enter some details. "Identifier" is a reversed-domain name for your profile, in a kinda Java package-style notation, i.e. wifi.wibblesplat.com becomes com.wibblesplat.wifi; Simples!
As part of the Profile, you can configure all sorts of settings that will be installed on the target device. Scroll down through General, Passcode, down to "Credentials".
When you hit "Configure", you can choose a certificate file.
At this point we'll pause and quickly recap how to create self-signed SSL certificates.
Open Terminal, and create a new directory that we can shove all the SSL related gubbins into.
cloud-white:~ tom.oconnor$ mkdir wibblesplat
cloud-white:~ tom.oconnor$ cd wibblesplat/
Next, we need to generate a private key.
cloud-white:wibblesplat tom.oconnor$ openssl genrsa -des3 -out wibblesplat.key 1024
Generating RSA private key, 1024 bit long modulus
e is 65537 (0x10001)
Enter pass phrase for wibblesplat.key:
Verifying - Enter pass phrase for wibblesplat.key:
You should enter a passphrase here, but we can strip it off later.
Now we've got the key, we'll use that to generate a Certificate Signing Request (CSR).
cloud-white:wibblesplat tom.oconnor$ openssl req -new -key wibblesplat.key -out wibblesplat.csr
Enter pass phrase for wibblesplat.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:England
Locality Name (eg, city) []:London
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Wibblesplat Ltd
Organizational Unit Name (eg, section) []:R&D Department
Common Name (eg, YOUR name) []:*.wibblesplat.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Of course, you need to fill in the CSR with your *own* information, but that goes without saying, doesn't it? Do you sign your cheques with "Signature" in a cursive hand?
Next, we'll strip the passphrase from the key, because it's a bugger if you use this key with Apache, or whatever: the server will always block at startup and wait for the passphrase if you've not stripped it.
cloud-white:wibblesplat tom.oconnor$ openssl rsa -in wibblesplat.key -out wibblesplat.unprotected.key
Enter pass phrase for wibblesplat.key:
writing RSA key
Now we've got the key and the CSR, we can generate an SSL Certificate. You can specify anything from 1 day to 7304 days (20 years) for the validity. For CA Roots, it's probably best not to use 1 day ;).
cloud-white:wibblesplat tom.oconnor$ openssl x509 -req -days 900 -in wibblesplat.csr -out wibblesplat.crt -signkey wibblesplat.unprotected.key
subject=/C=GB/ST=England/L=London/O=Wibblesplat Ltd/OU=R&D Department/CN=*.wibblesplat.com
Getting Private key
Now we've got the Certificate (.crt), the Key (.key), the unpassphrased key (.unprotected.key), and the Certificate Signing Request (.csr).
cloud-white:wibblesplat tom.oconnor$ ls
Let's jump back to the main theme of this evening's symposium.
Now we've got a generated certificate, we can continue with profile generation.
We were here.
Navigate to wherever you left those SSL certificate files, and select the .crt.
When you click "Open", the right hand side of the credentials pane will display the signed certificate.
Now we can configure the Wi-Fi settings to use that certificate.
Scroll back up through the Profile settings, up to "Wi-Fi".
Hit "Configure", and the right hand pane changes to another profile builder screen.
Enter the SSID of your Wi-Fi, and select Security Type "WPA / WPA2 Enterprise".
Scroll down the right hand side to "Enterprise Settings" and click some boxes.
Click the "Trust" tab, and select the Certificate that we added to the Stored Credentials.
Under "Trusted Server Certificate Names", hit the [+] button, and add whatever matches the CN of your certificate. In this case, it's "*.wibblesplat.com".
Along the top button bar, hit "Export", and you get the Export Dialog:
For "Security" ensure "None" is selected, then hit "Export...".
Save the file with the .mobileconfig extension.
Right. That's the OSX bit done.
The next thing I did, was to jump back over to my Ubuntu desktop, and fire up Meld.
In case you've never used it, Meld is a great, interactive, diff tool. It supports 2 and 3 way diffs, and you can shuffle bits of code between the two panes of it easily.
We're going to open someone else's mobileconfig file, and sanity check our own against it.
iphoting's blog post is an interesting read, and the link to his .mobileconfig file is at the bottom of it, also here.
Open up Meld (you might need to apt-get install meld).
Create a New Diff, and select the file you downloaded from iphoting as the Original, and your generated mobileconfig file as the "Mine".
Now all you need to do is Sanity Check them. Make sure that, side by side, the files look *similar*. Of course, they can't be identical, but you want some idea that the keys and values are in the same order (this is *important*), and that yours has got most of the same information as the master.
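Alongside the Meld comparison, here's an added example (not from this post) of an automated sanity check on the exported profile: it loads the .mobileconfig with plistlib, builds a constructed sample profile in the same shape, and checks the points that matter for 802.1X trust (top-level PayloadType, the common payload keys, WPA/WPA2, a non-empty trusted-server-name list that actually matches your RADIUS server, and a certificate anchor that points at a certificate embedded in the profile). The payload keys follow Apple's configuration profile format; the RADIUS server name "radius.wibblesplat.com", the SSID, and the one-label wildcard matching rule are assumptions.

```python
import plistlib
import uuid

def sample_profile():
    """Constructed stand-in for a Configuration Utility export (not a real export)."""
    cert_uuid = str(uuid.uuid4()).upper()
    cert = {"PayloadType": "com.apple.security.root", "PayloadVersion": 1, "PayloadUUID": cert_uuid,
            "PayloadIdentifier": "com.wibblesplat.wifi.cred1", "PayloadContent": b"<DER of wibblesplat.crt>"}
    wifi = {"PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1, "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadIdentifier": "com.wibblesplat.wifi.wifi1", "SSID_STR": "Wibblesplat-Corp", "EncryptionType": "WPA2",
            "EAPClientConfiguration": {"AcceptEAPTypes": [25],  # 25 = PEAP
                                       "TLSTrustedServerNames": ["*.wibblesplat.com"],  # the Trust tab entry
                                       "PayloadCertificateAnchorUUID": [cert_uuid]}}  # the stored credential
    return {"PayloadType": "Configuration", "PayloadVersion": 1, "PayloadIdentifier": "com.wibblesplat.wifi",
            "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadContent": [cert, wifi]}

def name_matches(pattern, name):
    """'*' stands for exactly one DNS label (an assumed approximation of Apple's matching rule)."""
    p, n = pattern.lower().split("."), name.lower().split(".")
    return len(p) == len(n) and all(a in ("*", b) for a, b in zip(p, n))

def check_profile(profile, radius_name):
    """Return the problems found; an empty list means the profile passed the sanity check."""
    problems = []
    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType is not 'Configuration'")
    payloads = profile.get("PayloadContent", [])
    common = ("PayloadType", "PayloadUUID", "PayloadIdentifier", "PayloadVersion")
    for pl in payloads:  # every payload carries the same four bookkeeping keys
        problems.extend("payload is missing " + k for k in common if k not in pl)
    anchors_avail = {pl.get("PayloadUUID") for pl in payloads if pl.get("PayloadType") == "com.apple.security.root"}
    wifi = [pl for pl in payloads if pl.get("PayloadType") == "com.apple.wifi.managed"]
    if not wifi:
        problems.append("no com.apple.wifi.managed payload")
    for w in wifi:
        eap = w.get("EAPClientConfiguration", {})
        names, anchors = eap.get("TLSTrustedServerNames", []), eap.get("PayloadCertificateAnchorUUID", [])
        if w.get("EncryptionType") not in ("WPA", "WPA2"):
            problems.append("EncryptionType is not WPA/WPA2")
        if not names:  # nothing to pin the RADIUS server's certificate name against
            problems.append("TLSTrustedServerNames is empty")
        elif not any(name_matches(n, radius_name) for n in names):
            problems.append("no trusted name matches RADIUS server " + radius_name)
        if not anchors or not set(anchors) <= anchors_avail:
            problems.append("PayloadCertificateAnchorUUID does not reference an embedded certificate")
    return problems

def check_file(path, radius_name):
    with open(path, "rb") as f:  # an export with Security "None" is a plain XML plist
        return check_profile(plistlib.load(f), radius_name)
```

Because the profile was exported with Security "None" it is a plain XML plist that plistlib can load directly; a signed export is CMS-wrapped and would need unwrapping first.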
If you wish to use 802.1X to authenticate to Radius for logins, then you'll need to configure a "Login Window" profile.
This means you need to add a "macloginwindow" user account to your LDAP (or whatever your Radius server looks up against), and then configure the username and password for that in this file.
To do that, edit the .mobileconfig file in a decent text editor, and add the lines
Those lines need to go *just* after the block:
Which will define that you're doing System settings, and Login Window settings.
If you don't want to do Login Window stuff (but frankly, why wouldn't you), then you can safely remove the LoginWindow key.
Somewhere near the bottom of the file, there's a Key marked "PayloadType", with Value "Configuration".
One line above that, insert the two lines:
That should be it for manual changes. As soon as I figure out how to do those from the OSX iPhone configurator, I'll update this. I suspect that because LoginWindow isn't actually an iPhone option, but more pertains to OSX on non-mobile devices, that it's not actually covered as a Thing in the Configurator.
Once you're pretty happy, you can get on with the next step. On Lion, you can load the files with the omnipotent "open" command from Terminal. We used HTTP to distribute the files, but you could equally just scp them across to your Lion clients.
You need to do the profile load as an Admin User, so in Terminal, do something like:
su - adminuser
open wibblesplat.mobileconfig
Some box might appear asking if you want to apply the settings, say yes.
You've come this far, it'd be foolish to say no.
Then all you've gotta do is reboot.
Technically, you might not need to, but at least rebooting should clear any saved session state, and you'll get a more representative idea of what ought to happen.
Done. Congratulations. You've just baked in configuration details for WPA2 Enterprise and 802.1X.