Authentication Services Group Policy For Mac
Of course, other configuration steps are required to set up a RADIUS server, such as configuring the RADIUS client and configuring a remote access policy. The important consideration for Mac 802.1X authentication, however, is that the specified certificate and private key have been created and deployed to the domain. When a Mac computer joins a Windows domain, Access Manager automatically finds certificates on the domain controller and adds them as trusted certificates to Keychain Access on the Mac computer.

To configure Mac OS X 10.7 or later to create an 802.1X Ethernet profile

1 On a Windows computer, open the Group Policy Management Editor and edit a group policy object that applies to Mac computers.

2 Expand Computer Configuration > Policies (or User Configuration > Policies) > Centrify Settings > Mac OS X Settings > 802.1X Settings, and double-click Enable Ethernet Profile.

3 Select Enable, then click Add.

4 Type the name of the auto-enrollment machine certificate that has been pushed down from the Windows domain server. When pushed to a Mac computer, certificate names are prepended with auto; for example: authCentrify-1X

   This group policy runs a script that looks for the specified certificate in the /var/centrify/net/certs directory (which holds the certificates pushed down to Mac computers when they join the domain) and creates an Ethernet profile from that certificate. Because the script only looks for a certificate that is already present, complete the machine auto-enrollment procedure below before enabling this policy.

5 Click OK to save the profile information, and OK again to save the policy setting.
User Authentication Policy
To configure a certificate template to automatically enroll domain computers

1 On the Windows Certificate Authority server, open an mmc console that contains the Certification Authority and Certificates snap-ins (Start > Run > mmc.exe).

2 If snap-ins for Certificate Templates, Certificates, and Certification Authority are not displayed under Console Root in the navigation pane, add them now. To do so, click File > Add/Remove Snap-in, then:
   a Select Certificate Templates and click Add.
   b Select Certificates and click Add.
   c Select Computer account and click Next.
   d Select Local computer and click Finish.
   e Select Certification Authority and click Add.
   f Select Local computer and click Finish.
   g Click OK.

3 Select Certificate Templates (domainController) in the navigation pane.

4 In Certificate Templates, duplicate the Workstation Authentication certificate template: right-click Workstation Authentication and select All Tasks > Duplicate Template.

5 Perform the following steps in the Properties of New Template dialog:
   a In the General tab, type a template name of your choice (for example, Mac Auto-Enroll Certificates) in the Template name field (do not use special characters such as brackets and asterisks). Type the same name in the Template display name field so that the template is listed by that name in Certificate Templates.
   b In the Extensions tab, select Application Policies and click Edit. In the resulting dialog, click Add, select Server Authentication, and click OK.
   c In the Extensions tab, verify that Client Authentication is already in the application policy list. If it is not, add it in the same way that you added the Server Authentication policy.
   d In the Subject Name tab, select Build from this Active Directory information. In the Subject name format field, select Fully distinguished name. In the Include this information in alternate subject name list, select User principal name (UPN). Leave Supply in the request unselected: with Build from this Active Directory information, the CA fills in the subject and the UPN from the computer account itself, so an enrolling computer cannot request a certificate for a different identity.

6 Expand Console Root > Certification Authority > domainController and select Certificate Templates. You should see that the certificate template that you have configured for auto-enrollment is contained in the certification authority for the domain. If the new certificate template is not contained in the certification authority, add it now:
   a In the navigation pane, right-click Certificate Templates under Console Root > Certification Authority > domainController.
   b Select New > Certificate Template to Issue.
   c Scroll to the newly created template, select it, and click OK.

7 Enable the following group policy:
   ●On Windows 2008: Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment Settings.
   ●On Windows 2012: Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment.

   Note To enable a group policy, open the Group Policy Management console by selecting Start > Administrative Tools > Group Policy Management. In the Group Policy Management console navigation pane, expand Group Policy Management > ForestName > Domains > DomainName > Group Policy Objects. Right-click Default Domain Policy and select Edit. In the resulting Group Policy Management Editor, navigate to the group policy described above and double-click it. In the resulting dialog, select Enabled in the Configuration Model field. Editing the Default Domain Policy turns on auto-enrollment for every computer in the domain; to limit it to the Mac computers, edit a group policy object linked to their organizational unit instead.

8 On the Mac computer, download the certificates by executing the following commands in a terminal window:
   sudo adflush
   adgpupdate

9 Verify that the certificates were downloaded:
   a On the Mac computer, open Keychain Access and verify that the certificates are there.
   b On the Mac computer, verify that the certificates are in /var/centrify/net/certs.
   c On the Windows Certificate Authority server, open the Certification Authority console (Start > Run > certsrv.msc) and verify that the certificates are in the Issued Certificates folder.

To configure a certificate template to automatically enroll domain users

1 On the Windows Certificate Authority server, open an mmc console that contains the Certification Authority and Certificates snap-ins (Start > Run > mmc.exe).

2 Verify that the snap-ins listed in step 2 of the previous procedure (Certificate Templates, Certificates, and Certification Authority) are present under Console Root in the navigation pane. If they are not, add them now as described there.

3 Select Certificate Templates (domainController) in the navigation pane.

4 In Certificate Templates, duplicate the User certificate template: right-click User and select All Tasks > Duplicate Template.

5 Perform the following steps in the Properties of New Template dialog:
   a In the General tab, type a template name in the Template name field. Type the same name in the Template display name field so that the template is listed by that name in Certificate Templates. For Mac, you can specify a name of your choice (do not use special characters such as brackets and asterisks). For mobile devices, the template name must be User-ClientAuth.
   b In the Security tab, select Domain Users (domainController) and ensure that the Enroll and Autoenroll permissions are allowed for the template. These two permissions are what make every domain user eligible to receive a certificate from this template without an interactive request.
   c Optionally, in the Subject Name tab, select Build from this Active Directory information and de-select the Include e-mail name in subject name and E-mail name check boxes. If you perform this step, Active Directory users do not need an e-mail address; otherwise enrollment fails for users whose account has no e-mail address to put in the certificate.

6 Verify that the new template has been added to the certification authority, as described in step 6 of the previous procedure. If the new certificate template is not contained in the certification authority, add it now as described there.

7 Enable the following group policy:
   ●On Windows 2008: Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment Settings.
   ●On Windows 2012: Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment.

   Note See the note in step 7 of the previous procedure for details about how to enable the group policy.

8 On the Mac computer, download the certificates by executing the following commands in a terminal window.
   As the local Administrator:
   sudo adflush
   As an Active Directory user:
   adgpupdate

9 Verify that the certificates were downloaded:
   a On the Mac computer, open Keychain Access and verify that the certificates are in the login keychain.
   b On the Mac computer, verify that the certificates are in ~/.centrify/:
   ls -l ~/.centrify/
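The template settings from steps 5 and 6 of both procedures (the computer template and the user template) can be checked from the CA side without clicking through the dialogs. The following PowerShell script is an added example, not Centrify's or Microsoft's code: it reads the template object from the Configuration partition of Active Directory and reports whether the application policies, subject-name flags, Enroll and Autoenroll permissions, and CA publication match what the procedures ask for. It assumes the ActiveDirectory RSAT module (which provides the AD: drive), a user who can read the Configuration partition, and the template name Mac Auto-Enroll Certificates from step 5a; the template and group names are assumptions, so pass -EnrolleeGroup 'Domain Users' and the user template's name to audit that one. The msPKI-Enrollment-Flag bit it also checks is not mentioned in the procedures; it is the bit that marks a template as eligible for autoenrollment on the client side.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not Centrify's or Microsoft's code). Audits a duplicated
# auto-enrollment template against the settings the procedures above call for.
# Assumes: RSAT ActiveDirectory module (AD: drive), read access to the
# Configuration partition, and the template/group names below (assumptions).
param(
    [string]$TemplateName  = 'Mac Auto-Enroll Certificates',  # name from step 5a (assumed)
    [string]$EnrolleeGroup = 'Domain Computers'               # use 'Domain Users' for the user template
)

$cfgNC   = (Get-ADRootDSE).configurationNamingContext
$pkiBase = "CN=Public Key Services,CN=Services,$cfgNC"

# Bits of msPKI-Certificate-Name-Flag and msPKI-Enrollment-Flag (MS-CRTD).
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT      = 0x00000001   # "Supply in the request"
$CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL      = 0x00400000   # "E-mail name" in SAN
$CT_FLAG_SUBJECT_ALT_REQUIRE_UPN        = 0x02000000   # "User principal name (UPN)" in SAN
$CT_FLAG_SUBJECT_REQUIRE_EMAIL          = 0x20000000   # "Include e-mail name in subject name"
$CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH = 0x80000000   # "Fully distinguished name"
$CT_FLAG_AUTO_ENROLLMENT                = 0x00000020   # template eligible for autoenrollment

$OID_SERVER_AUTH  = '1.3.6.1.5.5.7.3.1'
$OID_CLIENT_AUTH  = '1.3.6.1.5.5.7.3.2'
$RIGHT_ENROLL     = [guid]'0e10c968-78fb-11d1-a9c7-0000f80367c1'   # Certificate-Enrollment extended right
$RIGHT_AUTOENROLL = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment extended right

$t = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
        -LDAPFilter "(&(objectClass=pKICertificateTemplate)(cn=$TemplateName))" `
        -Properties cn, pKIExtendedKeyUsage, 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag'
if (-not $t) { throw "Template '$TemplateName' not found under $pkiBase" }

# Both flag attributes are stored as signed 32-bit integers; widen them before masking.
$nameFlags   = [int64]$t.'msPKI-Certificate-Name-Flag'; if ($nameFlags   -lt 0) { $nameFlags   += 0x100000000 }
$enrollFlags = [int64]$t.'msPKI-Enrollment-Flag';       if ($enrollFlags -lt 0) { $enrollFlags += 0x100000000 }
$eku = @($t.pKIExtendedKeyUsage)

$checks = [ordered]@{
    'Template name has no brackets or asterisks (step 5a)' = ($t.cn -notmatch '[\[\]\(\)\{\}\*]')
    'Server Authentication EKU present (step 5b)'          = ($eku -contains $OID_SERVER_AUTH)
    'Client Authentication EKU present (step 5c)'          = ($eku -contains $OID_CLIENT_AUTH)
    'Subject built from AD, not supplied in request (step 5d)' = (($nameFlags -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -eq 0)
    'Subject is the fully distinguished name (step 5d)'    = (($nameFlags -band $CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH) -ne 0)
    'UPN included in subject alternative name (step 5d)'   = (($nameFlags -band $CT_FLAG_SUBJECT_ALT_REQUIRE_UPN) -ne 0)
    'E-mail not required in subject or SAN (user step 5c)' = (($nameFlags -band ($CT_FLAG_SUBJECT_REQUIRE_EMAIL -bor $CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL)) -eq 0)
    'Template flagged for autoenrollment'                  = (($enrollFlags -band $CT_FLAG_AUTO_ENROLLMENT) -ne 0)
}

# Enroll and Autoenroll are extended rights in the template's ACL (user procedure, step 5b).
$netbios = (Get-ADDomain).NetBIOSName
$acl     = Get-Acl -Path ("AD:\" + $t.DistinguishedName)
$grants  = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq "$netbios\$EnrolleeGroup"
}
$checks["$EnrolleeGroup allowed Enroll"]     = [bool]($grants | Where-Object { $_.ObjectType -eq $RIGHT_ENROLL })
$checks["$EnrolleeGroup allowed Autoenroll"] = [bool]($grants | Where-Object { $_.ObjectType -eq $RIGHT_AUTOENROLL })

# A CA issues from a template only after it is published (step 6); the CA object lists published templates.
$cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
        -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties cn, certificateTemplates
$publishedOn = @($cas | Where-Object { $_.certificateTemplates -contains $t.cn } | ForEach-Object { $_.cn })
$checks['Published on at least one CA (step 6)'] = ($publishedOn.Count -gt 0)

foreach ($c in $checks.GetEnumerator()) {
    '{0} {1}' -f ($(if ($c.Value) { 'PASS' } else { 'FAIL' }), $c.Key)
}
if ($publishedOn.Count -gt 0) { 'Published on: ' + ($publishedOn -join ', ') }
```

Run it on the CA or any domain-joined machine with RSAT, once per template. A FAIL on the "not supplied in request" line is the one to treat as a configuration error rather than a style issue, since it means the enrollee, not the CA, chooses the subject that ends up in an 802.1X client-authentication certificate; the e-mail line is expected to FAIL on the user template if you skipped the optional step 5c.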