@jdmhw6 wrote:
Is there a deployment guide or suggested best practice for configuring two-factor wireless authentication on a single SSID for Windows PCs and MacBooks? Currently the Windows users and Mac users authenticate with AD credentials. The Macs aren't joined to AD, though; the credentials are entered manually. With this setup, how would one go about adding a second factor in case someone's credentials get compromised? We have an internal CA and I've been thinking about adding a machine cert to the Windows PCs, but the Macs are kind of puzzling me.
My thinking was to have computers dropped into a limited role based on the authentication of the machine cert, then moved to a production full-access role following successful authentication with AD credentials (both authenticating against a RADIUS server). But if the user never logs out, won't the machine authentication eventually expire?
You can do machine certificates fairly easily with Windows using certificate auto-enrollment and Group Policy to authenticate computer-only (machine-only) certificates in the WLAN setup.
With the Mac it is a little more tricky. You need to create a "System Profile" and attach a generated TLS certificate to it using Mac OS X Server ($50) Profile Manager. You can also hack it with the IPCU (iPhone Configuration Utility) using the article here: http://www.revolutionwifi.net/2012/02/mac-os-x-lion-creating-wi-fi-8021x.html You can then layer user login on top of that on the Mac by binding your Mac to the domain and then, under Settings > Users and Groups > Login Options, choosing "Display login as Name and Password".
What will happen is that the Mac will connect to the wireless before login with the generated certificate via the system profile... It will get an IP address, etc. It will show the username and password dialog and then show "green" when it has connectivity to the domain. The user can then log in using a valid username and password.
I hope that makes sense.
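As an added illustration of the "System Profile" described above (this is example content, not the answer's own profile or anything produced by Profile Manager), the configuration profile below carries a machine identity as a PKCS#12 payload, the internal CA as a trust anchor, and a Wi-Fi payload that uses EAP-TLS (EAP type 13) in System mode so the Mac authenticates before anyone logs in. The SSID `CorpWiFi`, the RADIUS name `radius.example.internal`, the payload identifiers, the UUIDs and the base64 blobs are placeholders; replace them with your own values and generate fresh UUIDs for each payload.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <!-- Top-level profile: installed system-wide so it applies at the login window -->
  <key>PayloadType</key>            <string>Configuration</string>
  <key>PayloadVersion</key>         <integer>1</integer>
  <key>PayloadScope</key>           <string>System</string>
  <key>PayloadDisplayName</key>     <string>Corporate Wi-Fi (machine certificate)</string>
  <key>PayloadIdentifier</key>      <string>internal.example.wifi.machine</string>
  <key>PayloadUUID</key>            <string>00000000-0000-0000-0000-0000000000A1</string> <!-- placeholder -->
  <key>PayloadContent</key>
  <array>

    <!-- 1. Internal CA root, referenced below as the trust anchor for the RADIUS server -->
    <dict>
      <key>PayloadType</key>        <string>com.apple.security.root</string>
      <key>PayloadVersion</key>     <integer>1</integer>
      <key>PayloadIdentifier</key>  <string>internal.example.wifi.machine.ca</string>
      <key>PayloadUUID</key>        <string>00000000-0000-0000-0000-0000000000CA</string> <!-- placeholder -->
      <key>PayloadDisplayName</key> <string>Internal Root CA</string>
      <key>PayloadCertificateFileName</key> <string>internal-root-ca.cer</string>
      <key>PayloadContent</key>     <data>BASE64_DER_OF_ROOT_CA_PLACEHOLDER</data>
    </dict>

    <!-- 2. Machine identity (key + cert issued by the internal CA), in the System keychain -->
    <dict>
      <key>PayloadType</key>        <string>com.apple.security.pkcs12</string>
      <key>PayloadVersion</key>     <integer>1</integer>
      <key>PayloadIdentifier</key>  <string>internal.example.wifi.machine.identity</string>
      <key>PayloadUUID</key>        <string>00000000-0000-0000-0000-0000000000CE</string> <!-- placeholder -->
      <key>PayloadDisplayName</key> <string>Machine certificate</string>
      <key>PayloadCertificateFileName</key> <string>machine.p12</string>
      <!-- Password protecting the .p12; the profile itself should be delivered over a trusted channel -->
      <key>Password</key>           <string>P12_PASSWORD_PLACEHOLDER</string>
      <key>PayloadContent</key>     <data>BASE64_PKCS12_PLACEHOLDER</data>
    </dict>

    <!-- 3. Wi-Fi payload: WPA2-Enterprise, EAP-TLS, System mode (connects before user login) -->
    <dict>
      <key>PayloadType</key>        <string>com.apple.wifi.managed</string>
      <key>PayloadVersion</key>     <integer>1</integer>
      <key>PayloadIdentifier</key>  <string>internal.example.wifi.machine.ssid</string>
      <key>PayloadUUID</key>        <string>00000000-0000-0000-0000-0000000000F1</string> <!-- placeholder -->
      <key>PayloadDisplayName</key> <string>CorpWiFi</string>
      <key>SSID_STR</key>           <string>CorpWiFi</string>
      <key>AutoJoin</key>           <true/>
      <key>EncryptionType</key>     <string>WPA2</string>
      <!-- System mode is what makes the "connect before login" behaviour work -->
      <key>SetupModes</key>
      <array>
        <string>System</string>
      </array>
      <!-- Identity used to answer the EAP-TLS challenge: the PKCS#12 payload above -->
      <key>PayloadCertificateUUID</key> <string>00000000-0000-0000-0000-0000000000CE</string>
      <key>EAPClientConfiguration</key>
      <dict>
        <!-- 13 = EAP-TLS; no password-based methods offered -->
        <key>AcceptEAPTypes</key>
        <array>
          <integer>13</integer>
        </array>
        <!-- Only accept a RADIUS server presenting this name ... -->
        <key>TLSTrustedServerNames</key>
        <array>
          <string>radius.example.internal</string>
        </array>
        <!-- ... chained to the internal root CA payload above -->
        <key>PayloadCertificateAnchorUUID</key>
        <array>
          <string>00000000-0000-0000-0000-0000000000CA</string>
        </array>
      </dict>
    </dict>

  </array>
</dict>
</plist>
```

Two details matter for the threat the question raises. `TLSTrustedServerNames` together with `PayloadCertificateAnchorUUID` pins which RADIUS server the client will authenticate to, so a rogue access point broadcasting the same SSID cannot coax the Mac into completing EAP against an attacker-controlled server; without that pinning the user is prompted to trust an unknown server certificate, which defeats the point. And because the identity payload is installed system-wide, the second factor the user supplies at the login window (the AD password) is separate from the first (a private key on the machine), which is the split the original poster was after; the RADIUS server can then key its role assignment on whether it has seen the EAP-TLS machine authentication, the AD user authentication, or both.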