Automating Enterprise Wireless Deployments

Automating Enterprise Wireless
Deployments
Macsysadmin 2013
Zack Smith
@acidprime
Thursday, September 19, 13

Thanks to:
Andrew Seago
@andrewseago
Arek Sokol
@macbrained
Matt Johnson
@macitmatt
Jason Bush
@jhbush1973
(Some other people at Apple)

Why wireless security?

Wireless standards
•WEP (Why bother)
•WPA/WPA2 (Personal)
•WPA/WPA2 (Enterprise)

Manual Entry Sucks

networksetup differences
# Leopard Code
if osVersion['minor'] == LEOP:
leopardRemoveWireless(network)
# Snow Leopard Code
if osVersion['minor'] == SNOW:
snowLeopardRemoveWireless(network)
# Lion code
if osVersion['minor'] == LION:
lionRemoveWireless(network)
# Mountain Lion Code
if osVersion['minor'] == MLION:
lionRemoveWireless(network)

Remove or Add Networks
wiﬁutil --plist="settings.plist"

Passwords are a problem not a solution

Three A’s
•Authentication
•Authorization
•Auditing

Usernames and Passwords

WPA2 Example
wiﬁutil --username=zsmith --password='d0gc4t' --plist=settings.plist

10.5 / 10.6 Plist Manipulation
/Library/Preferences/SystemConﬁguration/com.apple.airport.preferences.plist
plist['KnownNetworks'][guid]['SSID_STR'] = networkDict['ssid']
plist['KnownNetworks'][guid]['SecurityType'] = networkDict['sect']

10.7 + Proﬁles

if networkDict['type'] == 'WPA2 Enterprise':
# Generate the profile
exportLionProfile = genLionProfile(networkDict)
arguments = [
profiles,
"-I",
"-v",
"-f",
'-F',
exportLionProfile
]
profilesExecute(arguments)
# Removing the temp profile
os.remove(exportLionProfile)

Demo: Self Service Portal

Demo: PasswordUtility

Issues with User authentication

•Password rotation

•Help Desk password changes

•Help Desk password changes
•Mass password changes

Using Machine Password
dsconfigad -passinterval 0

Auto Enrollment

Certiﬁcite Authority Web
Enrollment

Windows Integrated
Authentication
• SPNEGO
• Kerberos
• curl --negotiate

SPNEGO Negotiation
•reverse DNS
•time
•Able to contact KDC
curl win-7po3b92m2fp.wallcity.org

ca.ad.com/certsrv

Certiﬁcate templates
• http://technet.microsoft.com/en-us/library/cc730826(v=ws.10).aspx

RADIUS Testing
• radtest user password rad.ad.com 0 sharedscret
• radtest -t mschap user password rad.ad.com 0 sharedscret

Access Certiﬁcate Templates
• Replicated via Active Directory
• Access control lists for Certiﬁcate
Templates ( different then RADIUS)

Machine vs User template
curl -d
"CertAttrib=CertiﬁcateTemplate:
User%20Certiﬁcate"
...

Submit a CSR
curl -d "CertRequest=
${ENCODED_CSR}"
...

Machine TGT
/usr/bin/kinit -k M-084737$

LDAP
TGTHTTP

LDAP
TGT HTTP

LDAP
TGT
curl
HTTP

Request ID
• "${CA_URL}/certnew.cer?ReqID=${REQ_ID}&Enc=b64"
• curl --negotiate -u:
• reverse DNS required for Kerberos Service Ticket
• replication of Domain Contollers

LDAP
curl HTTP

userCertiﬁcate attribute
dscl localhost read /Search/Computers/M-938747$
userCertiﬁcate

Convert from DER to PEM
•openssl
•dscl
•xxd or just binascii in python

LDAP
dscl

LDAPdscl

security

LDAP

ADCertiﬁcatePayloadPlugin
• Introduces on 10.7
• Supports Machine TGT style authentication
• Limited scope of OS Support deprecated in favor of DCE/RPC

DCE/RPC
Distributed Computing Environment / Remote Procedure Call

To Do
•wifiutil --autoenroll curl
•wifiutil --autoenroll profile

Common Issues
• Machine joins with same Mac Address (join existing account)
• Certiﬁcate Expiration (set by template)
• eapolclient needs keychain ACL set in older operating systems
• security -k not honored in 10.7 or 10.8 ( Keys exportable )

Debugging
/System/Library/C/S/airport debug +AllUserland
LogLevel in com.apple.eap.proﬁles.plist
/var/log/eapolclient
http://pastie.org/pastes/265251

Open Source Solutions
• openssl command line ( or I guess the Certiﬁcate Assistant)
• IPA - (389 Directory Server, MIT Kerberos, NTP, DNS,
Dogtag certiﬁcate system, SSSD and others.)
• http://www.freeipa.org

Puppet as a Certiﬁcate Authority
• puppet agent -t (submits the certiﬁcate signing request)
•puppet cert --sign agent.puppetlabs.com
•puppet cert --generate ipad.puppetlabs.com

StrongSWAN

Network Device Enrollment

WirelessConﬁg
http://tinyurl.com/bananas13

Automating Enterprise Wireless Deployments

More Related Content

Similar to Automating Enterprise Wireless Deployments (20)

Recently uploaded (20)

Automating Enterprise Wireless Deployments