Certificate requests for Macs to get on wireless

Posted on 2014-02-12
Last Modified: 2014-03-19
Greetings,

I have an existing (Really simple) CA in my environment that I use to get my Windows laptops that are domain members on to our Enterprise WLAN.  

It is secured using RADIUS/ 802.1x - using computer authentication ONLY.

This way, users do not have to type their username and PW to get on the wireless - they only need to have a computer that is on our domain, and a member of a security group that ties them to a GPO that handles the cert. request, as well as connecting to the network.

Everything works great - however, now we want to add a few Mac devices to this setup.  I am able to add them to our AD domain, however I do not know how to get them enrolled for a cert, and since I cannot use group policy on a Mac without Centrify I need to handle the cert request manually for the Macs, and set up the WLAN connection profile manually as well.  This is where my knowledge on the topic ends.

So, my question is:  How do I get my Mac computers a computer cert. that will allow them to authenticate?
0
Question by:cschmidt5
11 Comments
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 39855298
Why not use Centrify to join instead of the PITA OS X join?
0
 
LVL 2

Expert Comment

by:CubeOver
ID: 39858093
From a brief look it seems like Centrify is able to support PKI group policy on Macs, but it may require deployment of some additional Certificate Services roles.
Have a look at their documentation or file a support case.
Maybe a Centrify expert replies with more detailed instructions.
0
 

Author Comment

by:cschmidt5
ID: 39858845
Hey guys; I was leaning towards Centrify myself... however, they make you buy a minimum of 10 licenses, and I only need 2.

If Centrify is the only way to do it then I might have to reconsider; however I know that a manual certificate request can be made etc, I just can't find a clear guide for my scenario.

Thanks for the response, any other ideas perhaps?
0
 

Author Comment

by:cschmidt5
ID: 39858852
I would also like to note that I have been talking to a sales engineer from Centrify - I have quotes and everything - just looking for an "Open Source" way; or other way using the apps included with OS X -

Centrify wants $2000 for their 10 Lic. pack - which isn't bad if I had 10 Macs or 'NIX hosts.....

Spending that much for 2 computers, with a small likelihood of getting more like them is hard to swallow.
0
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 39875320
0
 

Author Comment

by:cschmidt5
ID: 39876684
Brilliant.
0
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 39877991
Make sure you unjoin using OS X first.
0
 

Author Comment

by:cschmidt5
ID: 39882446
Here's the deal; I tried the free Centrify, it worked well as far as joining the domain is concerned; however the only functionality I gain is seeing the computers, status, groups, users, etc. on my test Mac host.  There doesn't seem to be any way to apply group policy objects...

I am afraid my lack of experience working with a CA is getting in the way as well.  It still seems I have to create machine certificate requests manually for OS X, regardless of Centrify.  I found what looks like a good guide in doing this, however it involves making mods to our CA, that I am not sure are necessary, nor am I comfortable doing.

- I am sure a guru out there is laughing at how simple my request really is.  I have a feeling it is as simple as creating the cert req. in the terminal, submitting it to my CA etc....  however there seem to be a million ways to do it wrong.


Again, Server/Machine certs only, no username or PW required for users, just a machine on our domain in a special security group.

See
0
 

Author Comment

by:cschmidt5
ID: 39882768
0
 

Accepted Solution

by:
cschmidt5 earned 0 total points
ID: 39929547
Apple has a guide for this scenario - It's searchable on Google.

Basically we need to install web enrollment on our CA

Then getting the cert is a snap.

Thanks for the replies.
0
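
The manual request discussed in this thread (create the request in the terminal, then submit it through the CA's web enrollment page) can be sketched as follows. This is an added example, not part of the original posts and not Apple's guide. The host name, the file names and the choice of CN/SAN/EKU values are assumptions; the CA decides which requested extensions it honors.

```shell
#!/bin/sh
# Added example: build a machine-certificate request (PKCS#10) with openssl.
# Assumed layout: CN and SAN both carry the Mac's AD-joined FQDN.
make_machine_csr() (
    fqdn="$1"; outdir="$2"
    # Refuse names that could inject lines into the openssl config below.
    case "$fqdn" in ""|*[!A-Za-z0-9.-]*) exit 1 ;; esac
    umask 077                       # private key readable by its owner only
    cat > "$outdir/req.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = ext
[ dn ]
CN = $fqdn
[ ext ]
subjectAltName   = DNS:$fqdn
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
    # -nodes leaves the key unencrypted on disk; move it into the keychain
    # together with the issued certificate and delete the file afterwards.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$outdir/req.cnf" \
        -keyout "$outdir/machine.key" -out "$outdir/machine.csr" 2>/dev/null
)

# Check the request before pasting it into the web enrollment form:
# the self-signature must verify and the SAN/EKU must be what was intended.
check_csr() {
    csr="$1"; fqdn="$2"
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null) || return 1
    printf '%s\n' "$text" | grep -qF "DNS:$fqdn" || return 1
    printf '%s\n' "$text" | grep -qF "TLS Web Client Authentication" || return 1
}

# Usage: sh make_csr.sh mac01.corp.example.com ./out   (constructed host name)
if [ "$#" -eq 2 ]; then
    make_machine_csr "$1" "$2" && check_csr "$2/machine.csr" "$1" \
        && echo "CSR ready: $2/machine.csr"
fi
```

The resulting `machine.csr` is the base-64 PKCS#10 text that a CA web enrollment page accepts for an advanced request.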
 

Author Closing Comment

by:cschmidt5
ID: 39939088
I accepted my own answer because I came up with the most accurate and applicable solution for my environment based on my own research.
0
