Secure access to Wi-Fi or Ethernet networks is a goal of any security-conscious IT infrastructure team. The diversity of client platforms makes it hard to achieve, especially for organizations that want to standardize on one set of tools but have to support more than one operating system.
In a Windows-only world, Active Directory Certificate Services, Group Policy, the Network Policy Server (NPS) and the built-in Windows supplicant make this relatively simple. The popularity of Mac workstations has forced many organizations to face the same challenge on a second platform.
The good news is that Centrify has done the work so that IT infrastructure teams can reuse their existing Windows infrastructure to solve this on Macs.
The challenge for any technical lead is that the expertise required just to meet the prerequisites (AD, PKI, RADIUS, network devices, Mac management) is scattered across the organization, so the real job is coordinating those people and getting them to work together. Hopefully this post provides the clarity needed to do that.
How easy is it to implement?
It is as easy as enabling one of the Centrify-provided GPOs for Mac OS X, found under "Computer Configuration > Policies > Centrify Settings > Mac OS X Settings > 802.1x Settings". Pick the flavor you need:
- Enable Machine Ethernet Profile
- Enable Machine Wi-Fi Profile
- Enable User Ethernet Profile
- Enable User Wi-Fi Profile
However, this entry would not be useful if I just showed you that you can enable the GPO, perform a policy refresh and, just like magic, get network access.
What I've noticed from prospects and customers who are looking to test these capabilities is that they don't understand all the moving pieces that need to be in place for this to work.
In this post we'll use a checklist to make sure that you understand what needs to be in place to be successful.
Note: If you already have 802.1x EAP-TLS running for your Windows clients today, you are well positioned for success: the CA, the templates, the NPS policies and the switch configuration are all reused; only the client side changes.
Pre-Requisites
- About adcert
- Certificate Auto-enrollment on Mac OS
- Lab Setup: Microsoft Test Lab Guide (read on the PKI parts)
Building Blocks
Active Directory and Windows Services: There are several ways to accomplish this, but in this particular instance, because our goal is to consolidate processes, knowledge and infrastructure, we are leveraging Windows capabilities: Active Directory, AD Certificate Services and the Network Policy Server. AD groups will be the key to access control (NPS network policies match on group membership); OUs will determine the scope of the GPOs to be used.
Public Key Infrastructure: PKI provides the mutual authentication at the heart of EAP-TLS. The Mac presents a machine (or user) certificate issued by your CA to the RADIUS server, the RADIUS server presents its own server certificate back to the Mac, and the TLS handshake between the two derives the keys that protect the session. Note that the client authenticates to NPS, not to Active Directory directly; NPS then consults AD. The key here is certificate life-cycle management (issuance and renewal), which Windows PKI handles through Group Policy auto-enrollment, plus revocation, which the CA must publish somewhere the clients and NPS can reach.
PKI Disclaimer: PKI is no joke. Any proper implementation needs to provide assurance that the PKI is aligned with your security policy. If your organization does not have a policy for PKI (general assurances, handling of private keys, certificate policies, templates, Root and Sub CAs), consult an expert.
A Policy/Configuration Management Engine: Group Policy provides the rules and the enforcement for configuration items, and it also provides certificate auto-enrollment, the mechanism that handles certificate issuance and renewal from the templates you publish (revocation remains a CA-side operation, not something auto-enrollment does). In addition, GPOs are how Centrify delivers the 802.1x profile information to the Mac, where the agent turns it into an Apple configuration profile.
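To make the "Apple profile information" concrete, here is an added example (not Centrify's code, and not the profile the Centrify GPO actually emits, which this post does not show) that builds a system-scope Wi-Fi 802.1x payload using the keys from Apple's Configuration Profile Reference, and then audits it for the settings a reviewer should flag: EAP methods other than EAP-TLS accepted, the NPS server name not pinned, the user allowed to click through an untrusted RADIUS certificate, and no trust anchor for the RADIUS server certificate. The SSID, server name, payload identifier prefix and the placeholder CA bytes are constructed; `SystemModeCredentialsSource = "ActiveDirectory"` is Apple's key for using the AD machine identity in System mode, and it is an assumption that this is how a Centrify-joined Mac would be configured.

```python
import plistlib
import uuid

EAP_TLS, PEAP = 13, 25   # IANA EAP method type numbers
ROOT_CERT_PAYLOAD = "com.apple.security.root"


def payload_header(ptype, name):
    """Common keys every payload in a .mobileconfig carries."""
    return {
        "PayloadType": ptype,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.8021x." + uuid.uuid4().hex,  # assumed naming
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
    }


def wifi_eap_tls_payload(ssid, server_names, anchor_uuid, strict=True):
    """Wi-Fi payload for machine (System mode) 802.1x EAP-TLS.
    strict=False reproduces the loose settings a hand-built profile often has:
    PEAP also accepted, server name not pinned, trust exceptions allowed."""
    eap = {
        "AcceptEAPTypes": [EAP_TLS] if strict else [EAP_TLS, PEAP],
        "TLSAllowTrustExceptions": not strict,          # user may accept any RADIUS cert
        "PayloadCertificateAnchorUUID": [anchor_uuid],  # root CA payload in this profile
        "SystemModeCredentialsSource": "ActiveDirectory",  # assumption: AD machine identity
    }
    if strict:
        eap["TLSTrustedServerNames"] = server_names      # names the NPS cert must carry
    p = payload_header("com.apple.wifi.managed", "Corp Wi-Fi (machine)")
    p.update({
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "Interface": "BuiltInWireless",
        "SetupModes": ["System"],
        "EAPClientConfiguration": eap,
    })
    return p


def root_ca_payload(der_bytes, name="corp-DC1-CA"):
    """Certificate payload that installs the issuing root as a trust anchor."""
    p = payload_header(ROOT_CERT_PAYLOAD, name)
    p.update({"PayloadContent": der_bytes, "PayloadCertificateFileName": name + ".cer"})
    return p


def build_profile(payloads):
    """Wrap payloads in a system-scope configuration profile and serialize it."""
    top = payload_header("Configuration", "802.1x EAP-TLS")
    top.update({"PayloadScope": "System", "PayloadContent": payloads})
    return plistlib.dumps(top)


def audit_profile(profile_bytes):
    """Return the weak 802.1x settings found in a serialized profile."""
    findings = []
    top = plistlib.loads(profile_bytes)
    anchors = {p["PayloadUUID"] for p in top["PayloadContent"]
               if p["PayloadType"] == ROOT_CERT_PAYLOAD}
    for p in top["PayloadContent"]:
        eap = p.get("EAPClientConfiguration")
        if eap is None:
            continue
        name = p.get("PayloadDisplayName", p["PayloadType"])
        if set(eap.get("AcceptEAPTypes", [])) != {EAP_TLS}:
            findings.append("%s: accepts EAP types other than EAP-TLS: %s"
                            % (name, eap.get("AcceptEAPTypes")))
        if eap.get("TLSAllowTrustExceptions", False):
            findings.append("%s: TLSAllowTrustExceptions lets a user accept any RADIUS certificate" % name)
        if not eap.get("TLSTrustedServerNames"):
            findings.append("%s: NPS server certificate name is not pinned" % name)
        if not set(eap.get("PayloadCertificateAnchorUUID", [])) & anchors:
            findings.append("%s: no trust anchor payload for the RADIUS server certificate" % name)
    return findings


def demo():
    """Audit a strict and a loose profile built from constructed lab values."""
    anchor = root_ca_payload(b"\x30\x82\x00\x00")   # placeholder DER, not a real CA cert
    strict = build_profile([anchor, wifi_eap_tls_payload(
        "CorpWiFi", ["nps.corp.contoso.com"], anchor["PayloadUUID"], strict=True)])
    loose = build_profile([anchor, wifi_eap_tls_payload(
        "CorpWiFi", [], anchor["PayloadUUID"], strict=False)])
    return audit_profile(strict), audit_profile(loose)
```

Whatever tool produces the profile on your Macs (the Centrify GPO, an MDM, or `profiles`), running the audit function over the exported `.mobileconfig` tells you whether the client will refuse a rogue RADIUS server rather than ask the user.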
Network Policy Server: NPS on Windows is Microsoft's Remote Authentication Dial-In User Service (RADIUS) server, and it holds the connection request and network policies that grant 802.1x access (EAP type, conditions such as NAS port type and AD group membership). NPS queries Active Directory to evaluate groups and account attributes. Every switch or access point that forwards authentications must be registered in NPS as a RADIUS client, with the same shared secret configured on both sides; a NAS that is not registered, or whose secret does not match, is silently dropped before any certificate is ever examined.
802.1x-Capable Network Devices: Any modern switch or access point supports 802.1x. It acts as the authenticator: it keeps the port blocked until authentication completes and relays the EAP conversation between the Mac (the supplicant) and NPS inside RADIUS. The switch never sees or validates certificates; that happens end to end between the supplicant and NPS.
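The first exchange in that relay is worth seeing in bytes, because it is where most "the GPO is enabled but nothing happens" cases fail. The following added example (my own code, not Centrify's or Microsoft's; NPS's real implementation is not on this page) encodes the Access-Request an authenticator sends to NPS once the Mac has answered EAP-Request/Identity, applies the NPS-side gate (registered RADIUS client plus a valid Message-Authenticator under that client's shared secret, as RFC 2865 and RFC 3579 specify), and builds the Access-Challenge carrying EAP-Request/TLS Start that opens the certificate exchange. The NAS addresses, secrets and the machine identity `host/mac01.corp.contoso.com` are constructed lab values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types (RFC 2865 / RFC 2869)
ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
USER_NAME, NAS_IP_ADDRESS, NAS_PORT_TYPE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 61, 79, 80
PORT_ETHERNET, PORT_WIRELESS_80211 = 15, 19
# EAP codes and method types (RFC 3748, RFC 5216)
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_IDENTITY, EAP_TLS = 1, 13
TLS_FLAG_START = 0x20


def attr(atype, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def parse_attrs(payload):
    """Decode a RADIUS attribute list into (type, value) pairs."""
    out, i = [], 0
    while i + 1 < len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2:
            break
        out.append((atype, payload[i + 2:i + alen]))
        i += alen
    return out


def eap_packet(code, ident, eap_type, data=b""):
    """Encode an EAP packet: Code, Identifier, Length, Type, Type-Data."""
    body = bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def build_access_request(secret, identity, nas_ip, port_type, radius_id=1):
    """Authenticator (switch or AP) -> NPS after the supplicant sent its identity.
    Message-Authenticator = HMAC-MD5(secret, packet with that value zeroed),
    RFC 3579 3.2; required on any Access-Request carrying EAP-Message."""
    request_auth = os.urandom(16)
    eap = eap_packet(EAP_RESPONSE, 1, EAP_IDENTITY, identity.encode())
    attrs = (attr(USER_NAME, identity.encode())
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_PORT_TYPE, struct.pack("!I", port_type))
             + attr(EAP_MESSAGE, eap)
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))      # zeroed placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, radius_id, 20 + len(attrs)) + request_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def verify_access_request(packet, radius_clients):
    """NPS-side gate that runs before any certificate is looked at.
    radius_clients maps NAS IP -> shared secret.  Returns (accepted, detail)."""
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False, "malformed packet"
    attrs = dict(parse_attrs(packet[20:]))        # attributes are single-valued here
    nas_ip = ".".join(str(b) for b in attrs.get(NAS_IP_ADDRESS, b""))
    secret = radius_clients.get(nas_ip)
    if secret is None:
        return False, "unknown RADIUS client %s" % nas_ip
    if MESSAGE_AUTHENTICATOR not in attrs:
        return False, "EAP-Message without Message-Authenticator"
    zeroed = bytearray(packet)                    # recompute with the MAC value zeroed
    i = 20
    while i < len(zeroed):
        atype, alen = zeroed[i], zeroed[i + 1]
        if atype == MESSAGE_AUTHENTICATOR:
            zeroed[i + 2:i + alen] = bytes(16)
        i += alen
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(expected, attrs[MESSAGE_AUTHENTICATOR]):
        return False, "Message-Authenticator mismatch (shared secret differs?)"
    return True, attrs[USER_NAME].decode()


def build_tls_start(secret, request):
    """NPS -> authenticator: Access-Challenge with EAP-Request/TLS, Start flag set.
    The reply's Message-Authenticator and Response Authenticator both bind to the
    Request Authenticator of the packet being answered (RFC 3579 3.2, RFC 2865 3)."""
    radius_id, request_auth = request[1], request[4:20]
    eap = eap_packet(EAP_REQUEST, 2, EAP_TLS, bytes([TLS_FLAG_START]))
    attrs = attr(EAP_MESSAGE, eap) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_CHALLENGE, radius_id, 20 + len(attrs))
    mac = hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def demo():
    """Run the gate against a good NAS, a NAS with a mistyped secret, and an
    unregistered NAS, then confirm the challenge that follows a good request."""
    nps_clients = {"10.0.0.10": b"switch-secret", "10.0.0.11": b"ap-secret"}  # constructed
    identity = "host/mac01.corp.contoso.com"     # machine identity for EAP-TLS
    ok = build_access_request(b"switch-secret", identity, "10.0.0.10", PORT_ETHERNET)
    bad = build_access_request(b"ap-secret-typo", identity, "10.0.0.11", PORT_WIRELESS_80211)
    new = build_access_request(b"ap-secret", identity, "10.0.0.12", PORT_WIRELESS_80211)
    results = {
        "switch": verify_access_request(ok, nps_clients),
        "ap_wrong_secret": verify_access_request(bad, nps_clients),
        "unregistered_nas": verify_access_request(new, nps_clients),
    }
    challenge = build_tls_start(b"switch-secret", ok)
    eap = dict(parse_attrs(challenge[20:]))[EAP_MESSAGE]
    results["tls_start"] = (challenge[0] == ACCESS_CHALLENGE and eap[0] == EAP_REQUEST
                            and eap[4] == EAP_TLS and bool(eap[5] & TLS_FLAG_START))
    return results
```

The two failing cases are exactly what a packet capture on the NPS side shows when a new switch or AP was cabled in but never added as a RADIUS client, or was added with a secret that differs by one character: the request arrives and is discarded, and the Mac never gets as far as presenting its certificate.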
The Lab
- For AD and PKI: Modified Microsoft Test Lab Guide: Provides the corp.contoso.com domain with a running Microsoft CA. The RootCA (corp-DC1-CA) certificates are deployed using GPOs.
Translation: A common Certificate Authority with the proper Certificate Revocation publication methods needs to be provisioned. I did not set APP1 as a SubCA.
- For RADIUS and Policies: I'm piggybacking on my APP2 Windows 2012 server
- Network Devices: I'm using a Cisco small business (300 series) switch and a TP-Link (TL-WA90x) Wireless Access Point.
- Mac Client: Old MacBook running 10.7 and Centrify 5.2.1
Basic Checklist