EAP-TLS Authentication on macOS

Steps to configure EAP-TLS Authentication on macOS

Refer to Setup NPS with EAP-TLS for Aruba WIFI first to prepare the NPS and EAP-TLS authentication infrastructure.

Preparation of User Certificate

The following components are required on macOS for EAP-TLS authentication:

  1. User account in Active Directory (AD)
  2. Internal CA Root Certificate
  3. User Certificate

Create a new user called eaptls in AD.

Export the CA root certificate to C:\temp\CARoot.cer:

Get-ChildItem -Path Cert:\LocalMachine\CA | ? Subject -like "CN=AventisLab*" | Export-Certificate -FilePath C:\Temp\CARoot.cer 

Generating User Certificate from CA Server

Enable HTTPS for the Default Web Site in CA Server

Right-click Default Web Site, choose Edit Bindings, and add an https binding with the SSL certificate.

Open Internet Explorer and log in to https://AVENTIS-AD01.LAB.AVENTISLAB.COM/CERTSRV as lab\eaptls.

Only Internet Explorer can be used to generate the user certificate through this web enrollment page.

Click Request a Certificate

Click User Certificate

Click Yes to confirm, then click More Options to continue.

Click Use the Advanced Certificate Request Form

Select User_Auto_Enrollment and enter the Friendly Name EAPTLS.

You can follow the link Auto Enroll Certificates with Group Policy to create the User_Auto_Enrollment certificate template.

The Friendly Name must match the username exactly.

Click Install this certificate to import it into Certificates – Current User – Personal – Certificates.

Export the user certificate with its private key as a PFX file to C:\Temp\EAPTLS.pfx:

$Password = ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force

Get-ChildItem -Path Cert:\CurrentUser\My | ? Subject -like "CN=EAP*" | Export-PfxCertificate -FilePath C:\Temp\EAPTLS.pfx -Password $Password

Prepare a simple web server to distribute the certificates

Download and install Fenix Web Server.

Set up a simple web server with a custom port and the root directory pointing to C:\Fenix.

Ensure that File Browsing is enabled.

Copy C:\temp\CARoot.cer and C:\temp\EAPTLS.pfx to C:\Fenix.

Go to http://IP_ADDRESS:8002 to verify that the files are available for download, as shown below.

Import Certificate for EAP-TLS Authentication on macOS

Go to http://192.168.1.232:8002 to download the SSL certificates.

Download CARoot.cer and EAPTLS.pfx and import them into the System keychain.

Open Keychain Access to verify that the SSL certificates were imported successfully.
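
The same checks NPS applies to the user certificate (trust chain, Client Authentication EKU, validity, subject matching the AD account) can be run from Terminal with the openssl command that ships with macOS, before relying on what Keychain Access shows. This is an added example, not part of the original post: it assumes CARoot.cer is DER as written by Export-Certificate, that the PFX password has been exported in the PFX_PASSWORD environment variable, and that the subject CN equals the AD username eaptls (compared case-insensitively); the function names are the example's own.

```shell
# Pre-flight checks on the downloaded CARoot.cer and EAPTLS.pfx (added example,
# not from the original post). Assumptions: CARoot.cer is DER as written by
# Export-Certificate, the PFX password is in $PFX_PASSWORD, and the expected
# subject CN is the AD username (eaptls), compared case-insensitively.

# Convert the DER root exported by Export-Certificate to PEM for openssl verify.
ca_to_pem() { openssl x509 -inform DER -in "$1" -out "$2" 2>/dev/null; }

# Extract the user certificate (no private key) from the PFX. PFX files written
# by Windows use RC2-40/3DES for the cert bag, which OpenSSL 3 only reads with
# -legacy, so retry with that flag when the plain call fails.
pfx_leaf() {
  openssl pkcs12 -in "$1" -passin env:PFX_PASSWORD -clcerts -nokeys -out "$2" 2>/dev/null ||
  openssl pkcs12 -legacy -in "$1" -passin env:PFX_PASSWORD -clcerts -nokeys -out "$2" 2>/dev/null
}

# NPS rejects a user certificate that does not chain to a root it trusts.
check_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# NPS also requires the Client Authentication EKU on the user certificate.
check_client_auth_eku() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'TLS Web Client Authentication'
}

# Still valid right now (-checkend 0 succeeds only if the cert has not expired).
check_validity() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; }

# Subject CN, lower-cased, to compare with the AD username typed into the Wi-Fi dialog.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
    sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p' | tr 'A-Z' 'a-z'
}

# Run all checks in order; print the first failure and return 1, or 0 when all pass.
precheck_eap_tls() {  # usage: precheck_eap_tls CARoot.cer EAPTLS.pfx eaptls
  root=$1; pfx=$2; user=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
  tmp=$(mktemp -d) || return 1
  rc=1
  if ! ca_to_pem "$root" "$tmp/ca.pem"; then echo "FAIL: $root is not a DER certificate"
  elif ! pfx_leaf "$pfx" "$tmp/user.pem"; then echo "FAIL: cannot open $pfx (wrong PFX_PASSWORD?)"
  elif ! check_chain "$tmp/ca.pem" "$tmp/user.pem"; then echo "FAIL: user cert does not chain to $root"
  elif ! check_client_auth_eku "$tmp/user.pem"; then echo "FAIL: missing Client Authentication EKU"
  elif ! check_validity "$tmp/user.pem"; then echo "FAIL: user cert has expired"
  elif [ "$(cert_cn "$tmp/user.pem")" != "$user" ]; then echo "FAIL: subject CN does not match $user"
  else echo "OK: $pfx is ready for EAP-TLS as $user"; rc=0
  fi
  rm -rf "$tmp"; return $rc
}
```

Run it as `PFX_PASSWORD='...' sh precheck.sh` after adding a final line `precheck_eap_tls CARoot.cer EAPTLS.pfx eaptls`; a FAIL line names the first reason NPS would reject the connection.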

Remove the existing WIFI profile first if macOS was previously connected to this SSID with another authentication method.

Connect to the SSID configured for EAP-TLS with the following information:

  • Mode = EAP-TLS
  • Identity = EAP-TLS
  • Username = AD Username

macOS is now connected with EAP-TLS successfully.

Log in to the Aruba AP via SSH to verify that macOS is connected as eaptls (the AD username) via EAP-TLS:

IAP315# show client

Client List
-----------
Name    IP Address     MAC Address        OS    ESSID  Access Point  Channel  Type  Role  IPv6 Address               Signal    Speed (mbps)
----    ----------     -----------        --    -----  ------------  -------  ----  ----  ------------               ------    ------------
eaptls  192.168.1.137  70:56:81:c2:96:9f  NOFP  LAB    IAP315        6        GN    LAB   fe80::1cbf:16d2:1b7c:88bb  34(good)  104(good)
Number of Clients   :1
Info timestamp      :1348911

Remove the previously connected WIFI profile

Follow the steps below to remove the WIFI profile if macOS was previously connected to the SSID with another authentication method, such as PEAP.

Open Network preferences and click Advanced.

Highlight the SSID profile and remove it.