On Oct 20, 2011, at 11:33 AM, Steve Bohrer wrote:
>> OS X requires that the cert be manually trusted for EAP (even if it's signed
>> by a trusted root authority)
>
> your post makes it seem as if it is by design. Do you know why Macs won't
> automagically trust even official paid-for certs for EAP?
I don't know for certain, but here's a story I tell myself that makes sense to
me. ;-)
With websites, the CN of the certificate must match the DNS name of the site
you're visiting. This serves as a built-in check to detect man-in-the-middle
attacks.
With dot1x, there's no identifying information to confirm the cert against.
While MITM isn't likely in this scenario, you still don't want to be in a
situation where you're sending your login credentials to some random server
somewhere just because they happened to send an EAP-Start packet. So the Mac
requires you to trust the cert *for EAP* before it just blithely sends your
passwords down the wire.
Of course, most users will happily check any confirmation boxes and type in any
passwords they can think of if it means they'll get to Facebook, but at least
the OS is trying...
>> (we have a script that adds and trusts the cert that our users run).
>
> Can you share your setup script? How do you deploy it?
During registration we require all students to connect to our fileserver with
their networked accounts. This forces them to know (or change) their password,
and then gets them access to our software folder. In there we have a little
shell script that they double-click which installs our dot1x cert and sets the
appropriate EAP trust settings (users are prompted for their local admin
password). We considered making it a full-blown installer, but this is easier
to debug when you've got hundreds of kids doing it all at the same time.
The magic command is in the middle of the script: "security add-trusted-cert
...". The "-p eap" is what marks the cert to be trusted for EAP authentication.
Here's the whole script (give it a ".command" extension and Mac users can just
double-click to run):
---------------------- snip -----------------------
#!/bin/bash
clear
cat <<EOF
This program installs a security certificate on your computer, which allows
you to connect to our network.
When prompted, please enter the administrator's password for this
laptop (the one you picked when you first set up your computer).
The password will NOT show up on the screen as you type it. Type it in
and hit return when you are done.
EOF
# Write the cert to a temp file, and remove it again when the script exits.
CERT=$(mktemp -t CertInstall) || exit 1
trap 'rm -f "$CERT"' EXIT
# Paste your PEM-encoded cert below
cat <<EOF > "$CERT"
-----BEGIN CERTIFICATE-----
YADAYADAYADAYADAYADAYADAYADAYADAYADAYADAYADAYADAYADAYADAYADAYADA
... excess base64 encoding omitted ...
YADAYADAYADAYADAYADAYADAYADAYADAYADAYADAYADAYADAYADAYADAYADAYADA
-----END CERTIFICATE-----
EOF
# -d: admin (system-wide) trust settings; -r trustRoot: trust it as a root;
# -p eap: trust it for EAP only; -k: put it in the System keychain.
if sudo /usr/bin/security add-trusted-cert -d -r trustRoot -p eap \
        -k "/Library/Keychains/System.keychain" "$CERT"; then
    cat <<EOF
Certificates are installed. You may now close this window.
EOF
else
    cat <<EOF
We were not able to install the certificates on this machine. Please
ask a member of the Technology Department for assistance.
EOF
fi
---------------------- snip -----------------------
Thanks,
Jason
--
Jason Healy | [email protected] | http://www.logn.net/
**********
Participation and subscription information for this EDUCAUSE Constituent Group
discussion list can be found at http://www.educause.edu/groups/.
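The script above pastes the certificate inline and trusts whatever is there. The following is an added example, not part of Jason's post or the EDUCAUSE list: a small pre-flight helper that computes the SHA-256 fingerprint of the PEM blob, compares it against a pinned value the deployer recorded from the real RADIUS cert, and only then builds the same `security add-trusted-cert -d -r trustRoot -p eap -k /Library/Keychains/System.keychain` invocation the script uses. The PEM block, the `PLACEHOLDER_DER` bytes and the pinned fingerprint are constructed placeholders; the flags and keychain path are the ones from the post.

```python
"""Pin-check a PEM certificate before trusting it for EAP on OS X.

Added example (not from the original mailing-list post). The certificate
below is a constructed placeholder, not a real X.509 cert; a deployment
would paste the real RADIUS cert and record its fingerprint once, out of
band, so a swapped or mis-pasted cert never gets trusted.
"""
import base64
import hashlib
import hmac
import re
import subprocess
import tempfile

# Keychain and flags exactly as in the original script.
KEYCHAIN = "/Library/Keychains/System.keychain"

# Constructed placeholder bytes standing in for DER; NOT a real certificate.
PLACEHOLDER_DER = b"constructed placeholder bytes, not a real X.509 certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(PLACEHOLDER_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Pull the first PEM certificate out of `pem` and decode it to DER."""
    match = _PEM_RE.search(pem)
    if not match:
        raise ValueError("no PEM certificate found")
    body = "".join(match.group(1).split())  # tolerate CRLF / odd wrapping
    return base64.b64decode(body, validate=True)


def fingerprint_sha256(pem: str) -> str:
    """SHA-256 fingerprint of the DER, colon-separated uppercase hex
    (the same form `openssl x509 -noout -fingerprint -sha256` prints)."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_pin(pem: str, pinned: str) -> bool:
    """Constant-time compare, ignoring case and separators in the pin."""
    def norm(s: str) -> str:
        return re.sub(r"[^0-9a-f]", "", s.lower())
    return hmac.compare_digest(norm(fingerprint_sha256(pem)), norm(pinned))


def trust_command(cert_path: str, keychain: str = KEYCHAIN) -> list:
    """The invocation from the post as an argv list; -p eap limits the
    trust to EAP, -d makes it an admin (system-wide) trust setting."""
    return ["sudo", "/usr/bin/security", "add-trusted-cert",
            "-d", "-r", "trustRoot", "-p", "eap", "-k", keychain, cert_path]


def install_trusted_eap_cert(pem: str, pinned: str) -> int:
    """Refuse to trust a cert whose fingerprint does not match the pin;
    otherwise write it to a temp file and run the security command."""
    if not matches_pin(pem, pinned):
        raise ValueError("certificate does not match pinned fingerprint")
    with tempfile.NamedTemporaryFile("w", suffix=".pem") as tmp:
        tmp.write(pem)
        tmp.flush()
        return subprocess.run(trust_command(tmp.name)).returncode


if __name__ == "__main__":
    # Record this value once from the genuine cert and hard-code it.
    PINNED = fingerprint_sha256(SAMPLE_PEM)  # placeholder pin for the demo
    print("fingerprint:", PINNED)
    print("would run:", " ".join(trust_command("/path/to/cert.pem")))
```

Running it on a Mac as `python3 pin_check.py` prints the fingerprint and the command; calling `install_trusted_eap_cert(SAMPLE_PEM, PINNED)` performs the install and prompts for the admin password via `sudo` just as the original script does.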