Automating Enterprise Wireless Deployments

Wireless security has been a hot topic over the last few years. Balancing security with deployment concerns can leave some sites less secure than they should be.
This session will cover the deployment of wireless security in large organizations and automation techniques to deploy 802.1x authentication with Mac OS X.
The focus will be on Active Directory and Microsoft's IIS certificate portal; Open Source alternatives will also be covered.


Automating Enterprise Wireless Deployments

  1. Automating Enterprise Wireless Deployments. Macsysadmin 2013. Zack Smith, @acidprime. Thursday, September 19, 13
  2. Thanks to: Andrew Seago (@andrewseago), Arek Sokol (@macbrained), Matt Johnson (@macitmatt), Jason Bush (@jhbush1973), and some other people at Apple.
  3-4. Why wireless security?
  5. Wireless standards
     • WEP (why bother)
     • WPA/WPA2 (Personal)
     • WPA/WPA2 (Enterprise)
  6. Manual entry sucks
  7. networksetup differences
         # Leopard code
         if osVersion['minor'] == LEOP:
             leopardRemoveWireless(network)
         # Snow Leopard code
         if osVersion['minor'] == SNOW:
             snowLeopardRemoveWireless(network)
         # Lion code
         if osVersion['minor'] == LION:
             lionRemoveWireless(network)
         # Mountain Lion code (same code path as Lion)
         if osVersion['minor'] == MLION:
             lionRemoveWireless(network)
  8-10. Remove or add networks: wifiutil --plist="settings.plist"
  11-12. Passwords are a problem, not a solution
  13. Three A's: Authentication, Authorization, Auditing
  14. Usernames and passwords
  15. WPA2 example: wifiutil --username=zsmith --password='d0gc4t' --plist=settings.plist
  16. 10.5 / 10.6 plist manipulation
     /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist
         plist['KnownNetworks'][guid]['SSID_STR'] = networkDict['ssid']
         plist['KnownNetworks'][guid]['SecurityType'] = networkDict['sect']
  17. 10.7+ profiles
  18. Installing the generated profile (10.7+)
         if networkDict['type'] == 'WPA2 Enterprise':
             # Generate the profile
             exportLionProfile = genLionProfile(networkDict)
             arguments = [profiles, "-I", "-v", "-f", "-F", exportLionProfile]
             profilesExecute(arguments)
             # Remove the temp profile
             os.remove(exportLionProfile)
  19. Demo: Self Service Portal
  20. Demo: PasswordUtility
  21-24. Issues with user authentication
     • Password rotation
     • Help Desk password changes
     • Mass password changes
  25. Using the machine password: dsconfigad -passinterval 0
  26-27. Auto enrollment
  28. Certificate Authority Web Enrollment
  29-30. Windows Integrated Authentication: SPNEGO, Kerberos, curl --negotiate
  31. SPNEGO negotiation requires:
     • reverse DNS
     • time
     • ability to contact the KDC
     curl win-7po3b92m2fp.wallcity.org
  32-33. ca.ad.com/certsrv
  34-35. Certificate templates: http://technet.microsoft.com/en-us/library/cc730826(v=ws.10).aspx
  36. RADIUS testing
     • radtest user password rad.ad.com 0 sharedsecret
     • radtest -t mschap user password rad.ad.com 0 sharedsecret
  37. Access to certificate templates
     • Replicated via Active Directory
     • Access control lists for certificate templates (different than RADIUS)
  38-39. Machine vs user template: curl -d "CertAttrib=CertificateTemplate: User%20Certificate" ...
  40-41. Submit a CSR: curl -d "CertRequest= ${ENCODED_CSR}" ...
  42. Machine TGT: /usr/bin/kinit -k M-084737$
  43-45. LDAP TGT HTTP
  46-52. LDAP TGT curl HTTP
  53. Request ID
     • "${CA_URL}/certnew.cer?ReqID=${REQ_ID}&Enc=b64"
     • curl --negotiate -u:
     • reverse DNS required for the Kerberos service ticket
     • replication of Domain Controllers
  54-58. LDAP curl HTTP
  59. userCertificate attribute: dscl localhost read /Search/Computers/M-938747$ userCertificate
  60. Convert from DER to PEM: openssl, dscl, xxd, or just binascii in Python
  61-64. LDAP dscl
  65. security
  66-72. LDAP
  73. ADCertificatePayloadPlugin
     • Introduced in 10.7
     • Supports machine TGT style authentication
     • Limited scope of OS support; deprecated in favor of DCE/RPC
  74. DCE/RPC: Distributed Computing Environment / Remote Procedure Call
  75. To do: wifiutil --autoenroll curl; wifiutil --autoenroll profile
  76. Common issues
     • Machine joins with the same MAC address (joins an existing account)
     • Certificate expiration (set by template)
     • eapolclient needs the keychain ACL set in older operating systems
     • security -k not honored in 10.7 or 10.8 (keys exportable)
  77. Debugging
     /System/Library/C/S/airport debug +AllUserland
     LogLevel in com.apple.eap.profiles.plist
     /var/log/eapolclient
     http://pastie.org/pastes/265251
  78. Open source solutions
     • openssl command line (or I guess the Certificate Assistant)
     • IPA (389 Directory Server, MIT Kerberos, NTP, DNS, Dogtag certificate system, SSSD and others): http://www.freeipa.org
  79. Puppet as a certificate authority
     • puppet agent -t (submits the certificate signing request)
     • puppet cert --sign agent.puppetlabs.com
     • puppet cert --generate ipad.puppetlabs.com
  80. StrongSWAN
  81. Network Device Enrollment
  82-83. (no slide text)
  84. WirelessConfig: http://tinyurl.com/bananas13
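Slides 7, 16 and 18 describe two ways of pushing a network onto a Mac: editing com.apple.airport.preferences.plist on 10.5/10.6, and generating and installing a configuration profile on 10.7 and later, chosen by OS minor version. The following is an added example written for this page, not code from the talk or from wifiutil. The function names, the LION constant, the PayloadIdentifier strings and the `radius_names` key are my own assumptions; KnownNetworks, SSID_STR and SecurityType come from the slides, and the profile keys (PayloadType com.apple.wifi.managed, EncryptionType, EAPClientConfiguration, AcceptEAPTypes) are from Apple's configuration profile format. EAP type 13 is EAP-TLS, so the generated profile carries a certificate requirement and no password, which is the point of the later auto-enrollment slides.

```python
"""Added example: plist edit (10.5/10.6) vs profile (10.7+) for one network,
dispatched on the OS minor version as on slide 7. Not code from the talk."""
import plistlib
import uuid

LION = 7  # assumed constant: 10.7; anything older takes the plist path


def add_known_network(plist_bytes, network):
    """10.5/10.6 path (slide 16): add a KnownNetworks entry keyed by a new
    GUID. Idempotent by SSID so re-running the tool does not pile up
    duplicate entries. Returns the rewritten plist as bytes."""
    plist = plistlib.loads(plist_bytes) if plist_bytes else {}
    known = plist.setdefault('KnownNetworks', {})
    for entry in known.values():
        if entry.get('SSID_STR') == network['ssid']:
            return plistlib.dumps(plist)  # already present, leave it alone
    guid = str(uuid.uuid4()).upper()
    known[guid] = {'SSID_STR': network['ssid'], 'SecurityType': network['sect']}
    return plistlib.dumps(plist)


def remove_known_network(plist_bytes, ssid):
    """Counterpart of the *RemoveWireless functions on slide 7."""
    plist = plistlib.loads(plist_bytes) if plist_bytes else {}
    known = plist.get('KnownNetworks', {})
    for guid in [g for g, e in known.items() if e.get('SSID_STR') == ssid]:
        del known[guid]
    return plistlib.dumps(plist)


def known_ssids(plist_bytes):
    """Helper for checking results: sorted SSIDs in KnownNetworks."""
    plist = plistlib.loads(plist_bytes) if plist_bytes else {}
    return sorted(e['SSID_STR'] for e in plist.get('KnownNetworks', {}).values())


def gen_lion_profile(network):
    """10.7+ path (slide 18): build a .mobileconfig for a WPA2 Enterprise
    network using EAP-TLS (type 13). TLSTrustedServerNames pins the RADIUS
    server identity so the client will not hand its credentials to any
    server that presents a valid-looking certificate."""
    wifi_payload = {
        'PayloadType': 'com.apple.wifi.managed',
        'PayloadVersion': 1,
        'PayloadIdentifier': 'org.example.wifi.' + network['ssid'],  # assumed
        'PayloadUUID': str(uuid.uuid4()).upper(),
        'PayloadDisplayName': 'Wi-Fi (%s)' % network['ssid'],
        'SSID_STR': network['ssid'],
        'AutoJoin': True,
        'EncryptionType': 'WPA2',
        'EAPClientConfiguration': {
            'AcceptEAPTypes': [13],
            'TLSTrustedServerNames': network.get('radius_names', []),  # assumed key
        },
    }
    profile = {
        'PayloadType': 'Configuration',
        'PayloadVersion': 1,
        'PayloadIdentifier': 'org.example.wifi',  # assumed
        'PayloadUUID': str(uuid.uuid4()).upper(),
        'PayloadDisplayName': 'Enterprise Wi-Fi',
        'PayloadContent': [wifi_payload],
    }
    return plistlib.dumps(profile)


def wifi_payload(profile_bytes):
    """Helper for checking results: the first Wi-Fi payload of a profile."""
    return plistlib.loads(profile_bytes)['PayloadContent'][0]


def configure(os_minor, network, plist_bytes=b''):
    """Dispatch as on slide 7. Returns ('plist', bytes) to write back to
    com.apple.airport.preferences.plist, or ('profile', bytes) to write to a
    temp file and install with `profiles -I -F <file>` as on slide 18."""
    if os_minor < LION:
        return 'plist', add_known_network(plist_bytes, network)
    return 'profile', gen_lion_profile(network)
```

On a real machine the returned bytes are written to the plist path from slide 16 (root required) or to a temporary .mobileconfig that is installed and then deleted, as slide 18 does; the example stops at producing the bytes so it can run anywhere.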
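Slides 38-41 and 53 show the certsrv side of auto-enrollment: a POST carrying the CSR (`CertRequest`) and the template selection (`CertAttrib=CertificateTemplate:...`), and a later GET of `certnew.cer?ReqID=...&Enc=b64`. The slides' `${ENCODED_CSR}` hides the part that usually goes wrong, which is that a PEM CSR contains `+`, `/` and newlines that a raw `curl -d` body mangles (`+` becomes a space). The following added example, not code from the talk or wifiutil, builds the form body with proper encoding, extracts the request ID from the reply, and forms the retrieval URL. Assumptions: the submission page name certfnsh.asp and the `Mode`/`SaveCert` fields come from the certsrv web pages and are not on the slides; the CSR and the HTML reply below are constructed samples; Kerberos/SPNEGO authentication (`curl --negotiate -u:` with the machine TGT from slide 42) is handled outside this block.

```python
"""Added example: the certsrv request/response plumbing from slides 38-41
and 53, offline. Not code from the talk."""
import re
from urllib.parse import urlencode, quote


def build_submit_body(csr_pem, template):
    """Form body for POST ${CA_URL}/certfnsh.asp (page name assumed).
    urlencode with quote_via=quote percent-encodes every byte that is not
    unreserved, so '+', '/', ':' and newlines in the PEM survive the trip;
    the default quote_plus would leave '+' alone and the CA would see it
    as a space after decoding."""
    fields = {
        'Mode': 'newreq',                                 # assumed field
        'CertRequest': csr_pem,                           # slide 40
        'CertAttrib': 'CertificateTemplate:' + template,  # slide 38
        'SaveCert': 'yes',                                # assumed field
    }
    return urlencode(fields, quote_via=quote)


def parse_request_id(html):
    """The reply to an accepted request links certnew.cer?ReqID=N (the
    slide's ${REQ_ID}). Returns None when no such link is present, which is
    what a pending-approval or denied request looks like, so the caller
    can branch instead of fetching a certificate that does not exist."""
    m = re.search(r'certnew\.cer\?ReqID=(\d+)', html)
    return int(m.group(1)) if m else None


def cert_url(ca_url, req_id):
    """Slide 53: ${CA_URL}/certnew.cer?ReqID=${REQ_ID}&Enc=b64 (base64 form,
    which is what the DER-to-PEM step on slide 60 avoids having to do)."""
    return '%s/certnew.cer?ReqID=%d&Enc=b64' % (ca_url.rstrip('/'), req_id)


# Constructed samples: the CSR body is not a real request, and the reply is
# a stand-in for the certsrv HTML, containing only the link we parse.
SAMPLE_CSR = ('-----BEGIN CERTIFICATE REQUEST-----\n'
              'MIIB+zCCAWQCAQAwgZkxCzAJBgNVBAYTAlVT/w==\n'
              '-----END CERTIFICATE REQUEST-----\n')
SAMPLE_ACCEPTED = ('<A HREF="certnew.cer?ReqID=4711&amp;Enc=b64">'
                   'Download certificate</A>')
SAMPLE_PENDING = '<P>Your certificate request has been received.</P>'
```

The `None` return from `parse_request_id` matters operationally: templates that require CA manager approval answer without a ReqID link, and a script that treats that as success will later try to install an empty certificate into the keychain and leave the machine without wireless.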
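Slides 59-60 read the issued certificate back out of the computer object's userCertificate attribute with dscl and convert it from DER to PEM, naming xxd or Python's binascii as the tools. The following added example, not from the talk or wifiutil, does that conversion with the standard library only and adds the check a practitioner wants before handing the result to `security` or eapolclient: that the DER blob is complete, by decoding the outer SEQUENCE length and comparing it with the bytes actually present. Assumptions: the attribute value is handled as a hex string (what the xxd/binascii mention implies); the sample DER below is a constructed SEQUENCE of filler bytes, not a real certificate, so the PEM it produces is only structurally valid.

```python
"""Added example: hex (as read via dscl) -> DER with a completeness check
-> PEM, using only binascii/base64. Not code from the talk."""
import base64
import binascii


def der_length(der):
    """Decode the outer DER tag/length header. Returns (header_len,
    content_len). X.509 certificates are a SEQUENCE (tag 0x30) and, being
    well over 127 bytes, use the long-form length (0x80 | n, then n bytes)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError('not a DER SEQUENCE')
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        return 2, first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError('bad DER length encoding')
    return 2 + n, int.from_bytes(der[2:2 + n], 'big')


def hex_to_der(hex_text):
    """Hex text (whitespace and a leading 0x tolerated) -> DER bytes. A
    certificate truncated in transit fails here with a clear message
    instead of as an opaque keychain import or EAP-TLS failure later."""
    cleaned = ''.join(hex_text.split())
    if cleaned.lower().startswith('0x'):
        cleaned = cleaned[2:]
    der = binascii.unhexlify(cleaned)
    hdr, body = der_length(der)
    if hdr + body != len(der):
        raise ValueError('DER declares %d bytes, %d present' % (hdr + body, len(der)))
    return der


def der_to_pem(der, label='CERTIFICATE'):
    """Base64 wrapped at 64 columns between BEGIN/END lines, the same layout
    `openssl x509 -inform DER -outform PEM` writes for the same bytes."""
    b64 = base64.b64encode(der).decode('ascii')
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return '-----BEGIN %s-----\n%s\n-----END %s-----\n' % (label, '\n'.join(lines), label)


def pem_to_der(pem):
    """Inverse of der_to_pem, for round-trip checks."""
    body = ''.join(l for l in pem.splitlines() if not l.startswith('-----'))
    return base64.b64decode(body)


# Constructed sample: SEQUENCE with a two-byte long-form length (0x82 0x00 0x82
# = 130) followed by 130 filler bytes, so the long-form branch is exercised.
SAMPLE_DER = b'\x30\x82\x00\x82' + bytes(range(130))
SAMPLE_HEX = '0x' + SAMPLE_DER.hex()
```

On a real machine the hex comes from the `dscl ... read ... userCertificate` command on slide 59; the completeness check is cheap insurance against the replication lag mentioned on slide 53, where a freshly issued certificate may not yet be fully present on the domain controller the Mac happens to query.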
