Security

  • 1.  MacOS EAP-TLS Username

    Posted Jan 29, 2019 12:58 PM

    I am trying to connect my MacBooks to a new SSID using only EAP-TLS.

    I have pushed out an 802.1x profile that details use of EAP-TLS. I have also pushed machine certificates from our ADCS.

    Every time I try to connect to the SSID using EAP-TLS it asks what authentication method I would like to use. I select EAP-TLS, the identity certificate, and leave the username blank.

    If I leave the username blank, it uses the name of the certificate, which is the correct username. However, if I put in a username it will authorize using that username against that username's AD groups. Is there a way to force the username to always be part of the certificate and not allow users to put in a random username?



  • 2.  RE: MacOS EAP-TLS Username

    Posted Jan 29, 2019 01:49 PM
    The EAP identity is different than the certificate contents. Many OSes will automatically populate the username from the UPN or RFC 822 name in the cert, but macOS often doesn't.

    In your EMM platform where the network and cert config exists, you can generally use a variable to populate the username in the profile.


  • 3.  RE: MacOS EAP-TLS Username

    Posted Jan 30, 2019 05:17 AM

    If you want to prevent users from messing with the identity, you should, during role-mapping or enforcement, check if the EAP Identity (IETF:User-Name) matches the value in the presented certificate. On a non-match, you could reject access or return restricted access during the enforcement.
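As an added illustration of the check described in the reply above (example code, not from the thread or from any NAC product): the RADIUS EAP identity is compared against the identities carried in the client certificate, and a mismatch is mapped to restricted access. The certificate attribute keys (Subject-CN, SAN-UPN, SAN-Email), the profile names and the sample requests are constructed for this example; only IETF:User-Name comes from the post.

```python
"""Post-authentication identity check for EAP-TLS (constructed example)."""

RESTRICTED = "Restricted-Access"      # constructed enforcement profile names
FULL = "Machine-Authenticated"
REJECT = "Reject"


def cert_identities(cert_attrs):
    """Collect the usable identities from the certificate: CN, UPN, email SAN.
    The key names are assumptions for this example, not a product's schema."""
    ids = set()
    for key in ("Subject-CN", "SAN-UPN", "SAN-Email"):
        value = cert_attrs.get(key)
        if value:
            ids.add(value.strip().lower())
    return ids


def identity_matches(user_name, cert_attrs, allow_bare_localpart=True):
    """True when the EAP identity (IETF:User-Name) names the same principal
    as the certificate. Comparison is case-insensitive; optionally a bare
    username is accepted when it equals the local part of a UPN/email SAN."""
    if not user_name:
        return False
    ident = user_name.strip().lower()
    ids = cert_identities(cert_attrs)
    if ident in ids:
        return True
    if allow_bare_localpart and "@" not in ident:
        return any(i.split("@", 1)[0] == ident for i in ids if "@" in i)
    return False


def enforce(request):
    """Return the enforcement profile for a request dict of RADIUS/cert data."""
    user = request.get("IETF:User-Name", "")
    cert = request.get("Certificate", {})
    if not cert:
        return REJECT          # EAP-TLS without a client certificate: reject
    return FULL if identity_matches(user, cert) else RESTRICTED


# Constructed sample requests: identity left blank (filled from the cert)
# versus a typed username that does not match the machine certificate.
SAMPLE_OK = {"IETF:User-Name": "MAC-1234.corp.example",
             "Certificate": {"Subject-CN": "mac-1234.corp.example",
                             "SAN-UPN": "host/mac-1234.corp.example"}}
SAMPLE_TYPED = {"IETF:User-Name": "someuser",
                "Certificate": {"Subject-CN": "mac-1234.corp.example",
                                "SAN-UPN": "host/mac-1234.corp.example"}}
```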