Device Based Internet Access
April 17, 2018
There are several ways to access an enterprise wireless network. You might use 802.1X with PEAP or some other form of the Extensible Authentication Protocol (EAP). For device-based internet access, EAP-TLS is the authentication protocol used to connect to the wireless network. In this design, the device certificate that EAP-TLS presents is enrolled through the Simple Certificate Enrollment Protocol (SCEP) and the Network Device Enrollment Service (NDES).
We wanted to provide another way to authenticate to the wireless network on the university campus. The current method, PEAP-MSCHAPv2, authenticates with a username and password and performs little server-side certificate validation. It is also exposed to a man-in-the-middle capture of the MSCHAPv2 hash: the attacker spoofs the target network and offers the client a stronger signal than the legitimate access point. The attacker has to be near the target access point, or in a place frequented by devices that authenticate to the network. When a device connects to the attacker's access point, the attacker can sniff for the username and password or other sensitive data related to the user.
Given the attack avenues against PEAP-MSCHAPv2, our network team wanted to switch everything to EAP-TLS. We needed a solution for connecting with EAP-TLS, as our shared laptops currently use 802.11 with PEAP-MSCHAPv2 each time a user logs in. Logins can take a while, as the access points slow down with all the users connecting. EAP-TLS has a similar user-based mode in which a specific user connects to the network with their own certificate; that certificate is produced when the user authenticates and configures the new device with their wireless profile. User-based EAP-TLS would increase login times, add access point authentication delays and degrade the experience for the patron. With device-based EAP-TLS the computer is already connected to the network with a certificate created for that device. Because the computer does not have to reconnect to the network each time a new person logs in, we can reduce login times and provide secure authentication and reliable internet access to the patron. We understand that user-based authentication, unlike device-based, would capture the username in case someone does something bad during the laptop checkout, but we already require login to the system with a username and password, and our checkout system will also have that information.
Before we get started with how to set up the service, let's go over some definitions that will come in handy.
- SCEP – Simple Certificate Enrollment Protocol
  - A protocol for issuing and revoking certificates.
- NDES – Network Device Enrollment Service
  - Allows network devices running without domain credentials to obtain certificates.
- EAP-TLS – Extensible Authentication Protocol Transport Layer Security
  - An EAP method built on TLS, a cryptographic protocol that provides communications security over a computer network.
- CA – Certificate Authority
  - An entity that issues digital certificates.
- MDM – Mobile Device Management
  - A way to administer mobile devices and computers.
Here is an overview of how device based Internet access using NDES and SCEP is configured for the device.
Let's go through the process one step at a time. Since the configuration is institution specific, I'm going to use Xavier's Institute for Gifted Youngsters as the school. Let's say that Deadpool wants to borrow a shared laptop from the school and connect to the network.
Before Deadpool can check out the laptop we need to do some configuration using your choice of MDM. Xavier's Institute for Gifted Youngsters has a Jamf Pro 10 environment that we will use to demonstrate how to configure it.
Step One – Enroll to the Jamf Pro Server
There are several different ways to enroll a device: the QuickAdd package, an invitation code, or the Jamf Pro enrollment website. To automate enrolling the computers, we used an invitation code on the laptops.
Step Two – Configuration Profiles
The laptops need three different configuration settings for the wireless setup to work. The MDM profile is the first; it controls what can be pushed to the computer and is placed on the device by default by Jamf Pro. The Network and SCEP profiles are custom profiles configured in Jamf Pro. The Network profile holds all the configuration details needed to connect to the wireless network. The SCEP profile allows the laptop to authenticate to the NDES server using a certificate.
In Jamf Pro, we are going to start by configuring the SCEP portion of the Configuration Profile. I will go into each part of the profile below.
In URL, enter the address to the NDES Server.
In Name, enter the name of the NDES server. This is the domain name without the special characters in it.
In Subject Alternative Name Value put in the email for the service.
There are three options for Challenge Type: Static, Dynamic, and Dynamic – Microsoft CA. Static is the least secure, as the shared password can be passed around without anyone knowing. The dynamic options are more secure, as the challenge comes from a CA that is being deployed from the Jamf Pro server. Depending on your NDES server, pick the option that works for you.
With the different options of challenge type, there will be different sub-options available. The following is for the Dynamic – Microsoft CA option.
URL to SCEP Admin is the same URL that you put into URL, with a small change: swap “mscep/mscep.dll” for “mscep_admin/”. This is the same URL that is connected to when setting up the NDES server.
Enter in the username and password to access the server.
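To make concrete why the static challenge is the least secure option, here is an added Python model (not code from this post, from Jamf or from NDES) of the two behaviours: a static challenge is one shared secret that anyone holding it can reuse, while a dynamic challenge is minted per enrollment, expires, and is consumed on first use, which is the property one-time NDES challenge passwords give you. The TTL, token format and in-memory store are assumptions of the model.

```python
"""Single-use, time-limited enrollment challenges versus a static shared secret.
Added illustration only; it models the property the post relies on (a dynamic
challenge cannot be replayed), not the real NDES implementation."""
import hmac
import secrets
import time

STATIC_CHALLENGE = "XavierWiFi2018"   # constructed example of a static secret


class ChallengeIssuer:
    """Models an admin endpoint that mints one-time challenges.

    Each challenge is random, expires after ``ttl`` seconds and is removed
    from the store the first time it is redeemed, so a captured value is
    worthless after the enrollment it was issued for."""

    def __init__(self, ttl=3600, clock=time.time):
        self.ttl = ttl
        self.clock = clock          # injectable so expiry can be tested
        self._pending = {}          # challenge -> expiry timestamp

    def issue(self):
        challenge = secrets.token_hex(8)   # 16 hex chars, 64 bits of entropy
        self._pending[challenge] = self.clock() + self.ttl
        return challenge

    def redeem(self, presented):
        """Return True exactly once for a valid, unexpired challenge."""
        if not isinstance(presented, str) or not presented.isascii():
            return False
        now = self.clock()
        # Drop expired entries so the store cannot grow without bound.
        for stale in [c for c, exp in self._pending.items() if exp <= now]:
            del self._pending[stale]
        for candidate in list(self._pending):
            if hmac.compare_digest(candidate, presented):
                del self._pending[candidate]      # single use
                return True
        return False


def static_redeem(presented):
    """A static challenge: the same value works for anyone, any number of times."""
    return hmac.compare_digest(STATIC_CHALLENGE, presented)


def demo():
    """Walk through replay and expiry with a fake clock; returns the outcomes."""
    now = [1000.0]
    issuer = ChallengeIssuer(ttl=60, clock=lambda: now[0])
    first = issuer.issue()
    accepted = issuer.redeem(first)       # True: fresh, unexpired
    replayed = issuer.redeem(first)       # False: already consumed
    second = issuer.issue()
    now[0] += 61                          # advance past the TTL
    expired = issuer.redeem(second)       # False: timed out
    static_twice = static_redeem(STATIC_CHALLENGE) and static_redeem(STATIC_CHALLENGE)
    return accepted, replayed, expired, static_twice


if __name__ == "__main__":
    print(demo())
```

The contrast is the point: with the static option every device shares one password, so a leaked value keeps working until someone notices and rotates it; with a dynamic challenge a leaked value is either already spent or expires on its own.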
We have finished configuring the SCEP settings. Save the policy before configuring the network settings.
The next part of the Configuration Profile is the network section. I will go into each part of the profile below.
The network profile holds all the information for the network that you are trying to connect to. At the Xavier School the students need to connect to a wireless network called XConnect.
Enter the Service Set Identifier (SSID) in for the network to be connected to.
Select TLS for the authentication protocol. TLS is much stronger than PEAP, and it isn't as easy to man-in-the-middle a device trying to connect.
Those are all the settings that need to be set for the network. Save the policy before continuing to the final part.
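What Jamf Pro ultimately pushes for the SCEP and network settings above is a configuration profile, so here is an added Python example (not the post's or Jamf's own code) that builds the two payloads with the standard-library plistlib and reads them back. The payload keys follow Apple's Configuration Profile Reference; the NDES URL, SSID, RADIUS server name, e-mail address, identifiers and anchor UUID are constructed placeholders for the fictional Xavier's Institute, and the reading of the Name field as "host name with dots and hyphens stripped" is an interpretation of the post. The Wi-Fi payload also pins the RADIUS server names and CA anchor, which is the client-side check that keeps the rogue access point from the earlier section from being accepted even with EAP-TLS.

```python
"""Build the SCEP and Wi-Fi (EAP-TLS) payloads of a .mobileconfig with plistlib.
Added example, not the post's or Jamf's own code.  Host names, SSID,
identifiers, e-mail and anchor UUID are constructed placeholders."""
import plistlib
import uuid
from urllib.parse import urlsplit, urlunsplit

# Constructed values (assumptions, not from the post).
NDES_URL = "https://ndes.xavier-institute.example/certsrv/mscep/mscep.dll"
SSID = "XConnect"
RADIUS_NAMES = ["radius.xavier-institute.example"]  # names on the RADIUS cert
SAN_EMAIL = "wifi@xavier-institute.example"
ANCHOR_UUID = "ROOT-CA-PAYLOAD-UUID-PLACEHOLDER"    # UUID of the root CA cert payload


def scep_admin_url(scep_url):
    """Derive the NDES admin URL: swap 'mscep/mscep.dll' for 'mscep_admin/'."""
    parts = urlsplit(scep_url)
    suffix = "mscep/mscep.dll"
    if not parts.path.endswith("/" + suffix):
        raise ValueError("not an NDES SCEP URL: " + scep_url)
    return urlunsplit(parts._replace(path=parts.path[:-len(suffix)] + "mscep_admin/"))


def scep_name(scep_url):
    """The profile's Name field, read here as the NDES host name with dots and
    hyphens removed (an interpretation of 'without the special characters')."""
    return "".join(ch for ch in urlsplit(scep_url).hostname if ch.isalnum())


def build_profile(scep_url, ssid, anchor_uuid, trusted_names, san_email, device_cn):
    """Return the profile as plist bytes: one SCEP payload that enrolls the
    device certificate and one Wi-Fi payload that uses it for EAP-TLS."""
    scep_uuid = str(uuid.uuid4())
    scep_payload = {
        "PayloadType": "com.apple.security.scep",
        "PayloadVersion": 1,
        "PayloadIdentifier": "edu.xavier.scep",          # constructed
        "PayloadUUID": scep_uuid,
        "PayloadDisplayName": "Device certificate (SCEP)",
        "PayloadContent": {
            "URL": scep_url,
            "Name": scep_name(scep_url),
            "Subject": [[["CN", device_cn]]],           # X.500 name as nested arrays
            "SubjectAltName": {"rfc822Name": san_email},
            "Key Type": "RSA",
            "Keysize": 2048,
            "Key Usage": 5,                             # digital signature + key encipherment
            "Retries": 3,
            "RetryDelay": 10,
            # No static "Challenge" key: the MDM supplies a dynamic challenge per device.
        },
    }
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "edu.xavier.wifi",          # constructed
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": ssid,
        "SSID_STR": ssid,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "PayloadCertificateUUID": scep_uuid,            # identity = the SCEP-enrolled cert
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [13],                     # 13 = EAP-TLS (25 would be PEAP)
            "TLSTrustedServerNames": trusted_names,     # only these RADIUS names accepted
            "PayloadCertificateAnchorUUID": [anchor_uuid],  # and only under this CA
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "edu.xavier.wifi-eaptls",   # constructed
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Device Wi-Fi (EAP-TLS)",
        "PayloadScope": "System",
        "PayloadContent": [scep_payload, wifi_payload],
    }
    return plistlib.dumps(profile)


def summarize(profile_bytes):
    """Parse the profile back and pull out the fields a reviewer would check."""
    profile = plistlib.loads(profile_bytes)
    by_type = {p["PayloadType"]: p for p in profile["PayloadContent"]}
    scep = by_type["com.apple.security.scep"]
    wifi = by_type["com.apple.wifi.managed"]
    eap = wifi["EAPClientConfiguration"]
    return {
        "ssid": wifi["SSID_STR"],
        "eap_types": eap["AcceptEAPTypes"],
        "trusted_names": eap["TLSTrustedServerNames"],
        "anchors": eap["PayloadCertificateAnchorUUID"],
        "identity_is_scep_cert": wifi["PayloadCertificateUUID"] == scep["PayloadUUID"],
        "scep_name": scep["PayloadContent"]["Name"],
    }


if __name__ == "__main__":
    data = build_profile(NDES_URL, SSID, ANCHOR_UUID, RADIUS_NAMES, SAN_EMAIL, "loaner-laptop-01")
    print("SCEP admin URL:", scep_admin_url(NDES_URL))
    print(summarize(data))
```

When reviewing a profile exported from the MDM, the three things to confirm are the ones summarize() pulls out: the EAP type list contains only 13, TLSTrustedServerNames matches the RADIUS certificate, and the anchor UUID points at the CA payload that actually signs the RADIUS certificate.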
The final part of the configuration is adding the entire certificate chain. You will need certificates from each server in the wireless configuration process. In our configuration we had to use six different certificates: UserTrust, InCommon, the NDES server, Subdomain, Subdomain2, and the Root CA. Gathering and installing all of the certificates can take some time. If you are having problems, switch to a static challenge until all your certificates look right in the profile and you can connect to the network.
Apply the Configuration Profile
The configuration profile is now ready to be deployed to the computers. The process is almost instantaneous once the configuration profile is applied to the computer. Jamf Pro and the NDES Server will do everything else.
Step Three – Send Dynamic challenge to NDES
Jamf Pro sends the certificate that was included in the configuration profile along with a dynamic challenge to the NDES Server.
Step Four – Receive Certificate
Upon successful completion of the dynamic challenge, the NDES Server sends back a certificate specifically for the computer that wants to connect to the Internet.
Step Five – Install Certificate
Jamf Pro installs the certificate on the computer that was recently enrolled.
Step Six – Send Certificate and SCEP Profile
The computer sends the certificate with the SCEP Profile to the NDES server.
Step Seven – Device-Based Certificate
The NDES server sends the device-based certificate and key to the computer.
Step Eight – Connect to the Internet
The computer sends the device-based certificate to the access point to gain access to the internet.
Step Nine – Internet
The computer receives device-based Internet access. Deadpool can access the internet without having to wait for the computer to authenticate.