Steps to configure EAP-TLS Authentication on macOS
Refer to Setup NPS with EAP-TLS for Aruba WIFI first to prepare the NPS + EAP-TLS authentication infrastructure (RADIUS server certificate, Aruba SSID pointing at NPS). This page covers only the client side.
Preparation of User Certificate
The following components are required on the macOS client for EAP-TLS authentication:
- User account in Active Directory (AD)
- Internal CA Root Certificate
- User Certificate
Create a new User called eaptls in AD
Export the CA root certificate (public part only, DER encoded) to C:\temp\CARoot.cer. The command below is run on the CA server, where the CA's own certificate sits in the LocalMachine\CA store; the subject filter matches the lab CA name, adjust it to yours:
Get-ChildItem -Path Cert:\LocalMachine\CA | ? Subject -like "CN=AventisLab*" | Export-Certificate -FilePath C:\Temp\CARoot.cer
Generating the User Certificate from the CA Server
Enable HTTPS for the Default Web Site on the CA server (the web enrollment pages refuse to run over plain HTTP).
Right click on Default Web Site – Edit Bindings and add an https binding with the server's SSL certificate.
Open Internet Explorer and log in to https://AVENTIS-AD01.LAB.AVENTISLAB.COM/CERTSRV as lab\eaptls (the AD user created above).
The web enrollment pages use an ActiveX control to generate the key pair in the user's certificate store, so only Internet Explorer can be used for this step.
Click Request a Certificate
Click User Certificate
Click Yes for confirmation and click More Options to continue
Click Use the Advanced Certificate Request Form
Select the User_Auto_Enrollment template and enter Friendly Name = EAPTLS
You can follow the link Auto Enroll Certificates with Group Policy to create the User_Auto_Enrollment certificate template; it must allow the user to enroll and must include the Client Authentication purpose, otherwise NPS rejects the certificate.
The friendly name must match the AD username exactly (eaptls).
Click Install this certificate to import it into Certificates – Current User – Personal – Certificates.
Export the user certificate together with its private key as a PFX to C:\Temp\EAPTLS.pfx. The PFX carries the private key, so replace the lab password below with a strong one; it is the only thing protecting the key while the file is copied around:
$Password = ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force
Get-ChildItem -Path Cert:\CurrentUser\My | ? Subject -like "CN=EAP*" | Export-PfxCertificate -FilePath C:\Temp\EAPTLS.pfx -Password $Password
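The same preparation as one script, added here as an example and not part of the original page: it enrolls the user certificate from the template with Get-Certificate (so Internet Explorer and ActiveX are not needed), exports the root CA certificate and the PFX, and then checks the PFX before it is shipped to the Mac (private key present, Client Authentication EKU present, chain ends at the exported root). Assumptions: it runs as the AD user (lab\eaptls) on a domain-joined Windows 8 / Server 2012 or later machine, the template's internal name is User_Auto_Enrollment, and the root CA subject starts with CN=AventisLab; the output directory and friendly name are placeholders.

```powershell
# Added example, not from the original page. Run as the AD user (lab\eaptls) on a
# domain-joined workstation. Assumed: template name User_Auto_Enrollment, root CA
# subject "CN=AventisLab*", output directory C:\Temp.
$ErrorActionPreference = 'Stop'
$OutDir       = 'C:\Temp'
$Template     = 'User_Auto_Enrollment'
$FriendlyName = $env:USERNAME      # friendly name must equal the AD username (eaptls)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Enroll for a user certificate from the template over DCOM (PKI module cmdlet).
$enrol = Get-Certificate -Template $Template -CertStoreLocation Cert:\CurrentUser\My
if ($enrol.Status -ne 'Issued') { throw "Enrollment not completed, status: $($enrol.Status)" }
$userCert = Get-Item "Cert:\CurrentUser\My\$($enrol.Certificate.Thumbprint)"
$userCert.FriendlyName = $FriendlyName     # persisted into the store by the Cert: provider

# 2. Export the root CA certificate (public part only, DER) for the macOS trust store.
#    On a domain member the trusted root lives in LocalMachine\Root (the page used the
#    CA store on the CA server itself).
$root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like 'CN=AventisLab*' } | Select-Object -First 1
if (-not $root) { throw 'Root CA certificate not found in LocalMachine\Root' }
$rootPath = Join-Path $OutDir 'CARoot.cer'
Export-Certificate -Cert $root -FilePath $rootPath -Type CERT | Out-Null

# 3. Export certificate + private key as PFX. Password is prompted, not hard-coded.
$pfxPath     = Join-Path $OutDir "$FriendlyName.pfx"
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $userCert -FilePath $pfxPath -Password $pfxPassword `
    -ChainOption EndEntityCertOnly | Out-Null

# 4. Verify what will be shipped: one end-entity cert with key, Client Authentication
#    EKU (1.3.6.1.5.5.7.3.2, what NPS requires), chaining to the exported root.
$pfx  = Get-PfxData -FilePath $pfxPath -Password $pfxPassword
$leaf = $pfx.EndEntityCertificates[0]
if (-not $leaf.HasPrivateKey) { throw 'PFX does not contain the private key' }
$ekuExt = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekus   = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
if ($ekus -notcontains '1.3.6.1.5.5.7.3.2') {
    throw 'Certificate lacks the Client Authentication EKU; NPS will reject it'
}
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; NPS does its own CRL check
if (-not $chain.Build($leaf)) { throw 'Certificate does not chain to a trusted root here' }
$chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($chainRoot.Thumbprint -ne $root.Thumbprint) {
    throw 'Chain does not end at the exported CARoot.cer; macOS will not trust the RADIUS server chain'
}

# 5. Fingerprints to compare against Keychain Access after the import on macOS.
Get-FileHash -Algorithm SHA256 $rootPath, $pfxPath | Format-Table Hash, Path -AutoSize
"Root CA thumbprint  : $($root.Thumbprint)"
"User cert thumbprint: $($leaf.Thumbprint)  Subject: $($leaf.Subject)  NotAfter: $($leaf.NotAfter)"
```

Get-Certificate needs the template's internal name (not its display name); if the two differ in your CA, take the name from the Certificate Templates console. The chain check at step 4 deliberately skips revocation because the script may run before the CRL is reachable; NPS still performs its own revocation check when the Mac authenticates.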
Prepare a Simple Web Server to Distribute the Certificates
Download and install Fenix Web Server.
Set up a simple web server with a custom port and a root directory pointing to C:\Fenix.
Ensure that file browsing is enabled.
Copy C:\temp\CARoot.cer and C:\temp\EAPTLS.pfx to C:\Fenix.
Go to http://IP_ADDRESS:8002 to verify that the files are available for download as below. Note that this is plain HTTP and the PFX contains the user's private key: keep the server up only for the duration of the import, and delete the PFX from C:\Fenix (and C:\Temp) afterwards.
Import the Certificates for EAP-TLS Authentication on macOS
Go to http://192.168.1.232:8002 to download the certificates.
Download CARoot.cer and EAPTLS.pfx, open each one and import it into the System keychain (you will be prompted for the PFX password and for an administrator password).
Open Keychain Access to verify that both certificates are imported successfully: the root CA should be marked as trusted and the user certificate should have a private key attached.
Remove the Wi-Fi profile first if macOS was previously connected to this SSID with another authentication method (see the steps at the end of this page).
Connect to the SSID configured for EAP-TLS with the following information:
- Mode = EAP-TLS
- Identity = EAP-TLS (the user certificate imported above)
- Username = AD username (eaptls)
macOS is now connected with EAP-TLS successfully.
Log in to the Aruba Instant AP via SSH and verify that the Mac shows up as client eaptls (the AD username) on the EAP-TLS SSID:
IAP315# show client
Client List
-----------
Name IP Address MAC Address OS ESSID Access Point Channel Type Role IPv6 Address Signal Speed (mbps)
---- ---------- ----------- -- ----- ------------ ------- ---- ---- ------------ ------ ------------
eaptls 192.168.1.137 70:56:81:c2:96:9f NOFP LAB IAP315 6 GN LAB fe80::1cbf:16d2:1b7c:88bb 34(good) 104(good)
Number of Clients :1
Info timestamp :1348911
Remove a Previously Connected Wi-Fi Profile
Follow the steps below to remove the Wi-Fi profile if macOS was previously connected to the SSID with another authentication method, such as PEAP; otherwise macOS keeps reusing the stored PEAP settings instead of prompting for EAP-TLS.
Open System Preferences – Network, select Wi-Fi and click Advanced.
Highlight the SSID in the Preferred Networks list and remove it with the minus button.