Wireless security has been a hot topic over the last few years. Balancing security with deployment concerns can leave some sites less secure than they should be. This session covers the deployment of wireless security in large organizations and automation techniques for deploying 802.1x authentication with Mac OS X. The focus is on Active Directory and Microsoft's IIS certificate portal; Open Source alternatives are covered as well.
Automating Enterprise Wireless Deployments
Macsysadmin 2013
Zack Smith@acidprime
Thursday, September 19, 13
Thanks to:
Andrew Seago @andrewseago
Arek Sokol @macbrained
Matt Johnson@macitmatt
Jason Bush@jhbush1973
(Some other people at Apple)
Why wireless security?
Wireless standards
• WEP (why bother)
• WPA/WPA2 (Personal)
• WPA/WPA2 (Enterprise)
Manual Entry Sucks
networksetup differences
    # Leopard code
    if osVersion['minor'] == LEOP:
        leopardRemoveWireless(network)
    # Snow Leopard code
    if osVersion['minor'] == SNOW:
        snowLeopardRemoveWireless(network)
    # Lion code
    if osVersion['minor'] == LION:
        lionRemoveWireless(network)
    # Mountain Lion code (same path as Lion)
    if osVersion['minor'] == MLION:
        lionRemoveWireless(network)
Remove or Add Networks
    wifiutil --plist="settings.plist"
Passwords are a problem not a solution
Three A’s
• Authentication
• Authorization
• Auditing
Usernames and Passwords
WPA2 Example
    wifiutil --username=zsmith --password='d0gc4t' --plist=settings.plist
10.5 / 10.6 Plist Manipulation
    /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist

    plist['KnownNetworks'][guid]['SSID_STR'] = networkDict['ssid']
    plist['KnownNetworks'][guid]['SecurityType'] = networkDict['sect']
10.7 + Profiles
    if networkDict['type'] == 'WPA2 Enterprise':
        # Generate the profile
        exportLionProfile = genLionProfile(networkDict)
        arguments = [profiles, "-I", "-v", "-f", "-F", exportLionProfile]
        profilesExecute(arguments)
        # Remove the temp profile
        os.remove(exportLionProfile)
Demo: Self Service Portal
Demo: PasswordUtility
Issues with User authentication
• Password rotation
• Help Desk password changes
• Mass password changes
Using Machine Password
    dsconfigad -passinterval 0
Auto Enrollment
Certificate Authority Web Enrollment
Windows Integrated Authentication
• SPNEGO
• Kerberos
• curl --negotiate
SPNEGO Negotiation
• reverse DNS
• time
• Able to contact KDC
    curl win-7po3b92m2fp.wallcity.org
ca.ad.com/certsrv
Certificate templates
• http://technet.microsoft.com/en-us/library/cc730826(v=ws.10).aspx
RADIUS Testing
• radtest user password rad.ad.com 0 sharedsecret
• radtest -t mschap user password rad.ad.com 0 sharedsecret
Access Certificate Templates
• Replicated via Active Directory
• Access control lists for Certificate Templates (different than the RADIUS ones)
Machine vs User template
    curl -d "CertAttrib=CertificateTemplate:User%20Certificate"...
Submit a CSR
    curl -d "CertRequest=${ENCODED_CSR}"...
Machine TGT
    /usr/bin/kinit -k M-084737$
[Diagram, built up over several slides: LDAP, TGT, curl, HTTP]
Request ID
• "${CA_URL}/certnew.cer?ReqID=${REQ_ID}&Enc=b64"
• curl --negotiate -u:
• reverse DNS required for Kerberos Service Ticket
• replication of Domain Controllers
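The pieces of the certsrv exchange sketched over the last few slides (template attribute, CSR submission, ReqID lookup, certnew.cer retrieval), assembled as an added Python example that is not wifiutil's code or anything from the deck. The form fields beyond CertRequest and CertAttrib (Mode, TargetStoreFlags, SaveCert) and the certfnsh.asp path are assumed from the certsrv enrollment form, and the sample response is constructed.

```python
"""certsrv enrollment helpers: build the certfnsh.asp form body, pull the
ReqID out of the response, build the certnew.cer retrieval URL.  Field names
other than CertRequest/CertAttrib are assumed from certsrv's own form."""
import re
import subprocess
from urllib.parse import quote, urlencode

def build_submit_body(csr_pem: str, template: str) -> str:
    # CertAttrib carries the template name, URL-encoded with the colon kept,
    # so "User Certificate" becomes CertificateTemplate:User%20Certificate.
    fields = {
        "Mode": "newreq",
        "CertRequest": csr_pem,
        "CertAttrib": "CertificateTemplate:" + template,
        "TargetStoreFlags": "0",
        "SaveCert": "yes",
    }
    return urlencode(fields, safe=":", quote_via=quote)

def parse_req_id(html: str) -> int:
    # certfnsh.asp answers with links of the form certnew.cer?ReqID=<n>&amp;Enc=...
    m = re.search(r"certnew\.cer\?ReqID=(\d+)", html)
    if m is None:
        # No link means the request is pending approval or was denied.
        raise ValueError("no ReqID in CA response")
    return int(m.group(1))

def cert_url(ca_url: str, req_id: int) -> str:
    # Retrieval URL exactly as on the Request ID slide (Base64 encoding).
    return f"{ca_url}/certnew.cer?ReqID={req_id}&Enc=b64"

def submit_csr(ca_url: str, body: str) -> str:
    # Transport as on the slides: curl presents the machine TGT via SPNEGO;
    # `-u:` makes it send Negotiate without prompting for a password.
    out = subprocess.run(
        ["curl", "--silent", "--negotiate", "-u:", "-d", body,
         f"{ca_url}/certfnsh.asp"],
        check=True, capture_output=True, text=True)
    return out.stdout

# Constructed sample of what certfnsh.asp returns on success (not real output).
SAMPLE_RESPONSE = '<a href="certnew.cer?ReqID=4711&amp;Enc=b64">Base 64 encoded</a>'
```

The reverse DNS and domain controller replication caveats on the slide apply to submit_csr: the Kerberos service ticket for the CA host must be obtainable before curl can negotiate.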
[Diagram, built up over several slides: LDAP, curl, HTTP]
userCertificate attribute
    dscl localhost read /Search/Computers/M-938747$ userCertificate
Convert from DER to PEM
• openssl
• dscl
• xxd or just binascii in python
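The dscl-to-PEM step this slide lists, taking the binascii route, as an added Python example rather than wifiutil's own code. The dscl output is constructed and holds a minimal DER SEQUENCE rather than a real certificate; the example also checks the outer DER length so a truncated attribute is caught before anything gets imported into a keychain.

```python
"""Convert the userCertificate attribute as dscl prints it (hex bytes) into
PEM.  The dscl output at the bottom is constructed, not a real certificate."""
import base64
import binascii

def der_from_dscl(output: str) -> bytes:
    """Take the hex after 'userCertificate:' and decode it; dscl may wrap the
    value across lines, so all whitespace after the attribute name is dropped."""
    _, _, hexpart = output.partition("userCertificate:")
    if not hexpart:
        raise ValueError("userCertificate attribute not present")
    der = binascii.unhexlify("".join(hexpart.split()))
    check_der_sequence(der)
    return der

def check_der_sequence(der: bytes) -> int:
    """Confirm the bytes form one complete DER SEQUENCE (tag 0x30) and return
    its declared content length; a truncated or padded value raises."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:               # short-form length
        length, hdr = first, 2
    else:                          # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        length = int.from_bytes(der[2:2 + n], "big")
        hdr = 2 + n
    if hdr + length != len(der):
        raise ValueError(f"DER length {length} does not match {len(der) - hdr} bytes")
    return length

def is_complete_der(der: bytes) -> bool:
    try:
        check_der_sequence(der)
        return True
    except ValueError:
        return False

def der_to_pem(der: bytes) -> str:
    # 64-character Base64 lines between the usual markers, as openssl writes them.
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

# Constructed dscl-style output: SEQUENCE { INTEGER 5, OCTET STRING "hi" }
SAMPLE_DSCL = "dsAttrTypeNative:userCertificate:\n 3007 0201 0504 026869\n"
```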
[Diagram, built up over several slides: LDAP, dscl, security]
ADCertificatePayloadPlugin
• Introduced in 10.7
• Supports Machine TGT style authentication
• Limited OS support; deprecated in favor of DCE/RPC
DCE/RPC: Distributed Computing Environment / Remote Procedure Call
To Do
• wifiutil --autoenroll curl
• wifiutil --autoenroll profile
Common Issues
• Machine joins with the same MAC address (joins the existing account)
• Certificate expiration (set by the template)
• eapolclient needs the keychain ACL set in older operating systems
• security -k not honored in 10.7 or 10.8 (keys exportable)
Debugging
/System/Library/C/S/airport debug +AllUserland
LogLevel in com.apple.eap.profiles.plist
/var/log/eapolclient
http://pastie.org/pastes/265251
Open Source Solutions
• openssl command line (or I guess the Certificate Assistant)
• IPA (389 Directory Server, MIT Kerberos, NTP, DNS, Dogtag certificate system, SSSD and others)
• http://www.freeipa.org
Puppet as a Certificate Authority
• puppet agent -t (submits the certificate signing request)
• puppet cert --sign agent.puppetlabs.com
• puppet cert --generate ipad.puppetlabs.com
StrongSWAN
Network Device Enrollment
WirelessConfig: http://tinyurl.com/bananas13