Page 1: Automating Enterprise Wireless Deployments

Automating Enterprise Wireless Deployments

Macsysadmin 2013

Zack Smith @acidprime

Thursday, September 19, 13

Page 2

Thanks to:

Andrew Seago @andrewseago

Arek Sokol @macbrained

Matt Johnson @macitmatt

Jason Bush @jhbush1973

(Some other people at Apple)

Pages 3-4

Why wireless security?

Page 5

Wireless standards

• WEP (Why bother)

• WPA/WPA2 (Personal)

• WPA/WPA2 (Enterprise)

Page 6

Manual Entry Sucks

Page 7

networksetup differences

    # Leopard Code
    if osVersion['minor'] == LEOP:
        leopardRemoveWireless(network)
    # Snow Leopard Code
    elif osVersion['minor'] == SNOW:
        snowLeopardRemoveWireless(network)
    # Lion code
    elif osVersion['minor'] == LION:
        lionRemoveWireless(network)
    # Mountain Lion Code
    elif osVersion['minor'] == MLION:
        lionRemoveWireless(network)

Pages 8-10

Remove or Add Networks

    wifiutil --plist="settings.plist"

Pages 11-12

Passwords are a problem, not a solution

Page 13

Three A’s

• Authentication

• Authorization

• Auditing

Page 14

Usernames and Passwords

Page 15

WPA2 Example

    wifiutil --username=zsmith --password='d0gc4t' --plist=settings.plist

Page 16

10.5 / 10.6 Plist Manipulation

    /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist

    plist['KnownNetworks'][guid]['SSID_STR'] = networkDict['ssid']
    plist['KnownNetworks'][guid]['SecurityType'] = networkDict['sect']

Page 17

10.7+ Profiles

Page 18

    if networkDict['type'] == 'WPA2 Enterprise':
        # Generate the profile
        exportLionProfile = genLionProfile(networkDict)
        arguments = [profiles, "-I", "-v", "-f", "-F", exportLionProfile]
        profilesExecute(arguments)
        # Removing the temp profile
        os.remove(exportLionProfile)
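The slide calls genLionProfile() and then hands the result to profiles -I -F; the profile it generates is a plist carrying a com.apple.wifi.managed payload. What follows is an added example, not wifiutil's code and not taken from the slides, that builds such a payload from a networkDict shaped like the one in the deck, writes it to a temporary .mobileconfig, installs it with the same flags, and removes the file afterwards as the slide does. The networkDict field names, the com.example identifiers, the organisation name and the RADIUS server name rad.ad.com are assumptions; the payload keys are the ones in Apple's Configuration Profile Reference. uses_profiles() encodes the split from the earlier slides (10.5/10.6 edit com.apple.airport.preferences.plist directly, 10.7 and later use profiles). The profile pins TLSTrustedServerNames so the supplicant only completes EAP against the named RADIUS servers rather than any server holding a certificate from a trusted CA.

```python
import os
import plistlib
import subprocess
import tempfile
import uuid

# Constructed sample input in the shape of the deck's networkDict (field names assumed).
SAMPLE_NETWORK = {
    'ssid': 'CorpWiFi',
    'type': 'WPA2 Enterprise',
    'username': 'zsmith',
    # Hypothetical RADIUS server name the supplicant must see in the server certificate.
    'trusted_servers': ['rad.ad.com'],
}

# EAP method numbers from the IANA EAP registry: PEAP is 25, EAP-TLS is 13.
EAP_PEAP = 25
EAP_TLS = 13


def uses_profiles(minor_version):
    """10.7+ installs a profile; 10.5/10.6 edit com.apple.airport.preferences.plist."""
    return minor_version >= 7


def gen_wifi_profile(network, org='Example Org', eap_types=(EAP_PEAP,)):
    """Build a configuration profile (as a dict) with one com.apple.wifi.managed payload.

    Only WPA2 Enterprise networks are handled here, mirroring the slide's type check.
    """
    if network['type'] != 'WPA2 Enterprise':
        raise ValueError('only WPA2 Enterprise networks get a profile here')
    eap = {
        'AcceptEAPTypes': list(eap_types),
        'UserName': network['username'],
        # Pin the RADIUS server identity; without this any certificate from a trusted CA passes.
        'TLSTrustedServerNames': list(network.get('trusted_servers', [])),
    }
    wifi_payload = {
        'PayloadType': 'com.apple.wifi.managed',
        'PayloadVersion': 1,
        'PayloadIdentifier': 'com.example.wifi.%s' % network['ssid'],
        'PayloadUUID': str(uuid.uuid4()).upper(),
        'PayloadDisplayName': 'Wi-Fi (%s)' % network['ssid'],
        'SSID_STR': network['ssid'],
        'HIDDEN_NETWORK': False,
        'AutoJoin': True,
        'EncryptionType': 'WPA2',
        'EAPClientConfiguration': eap,
    }
    return {
        'PayloadType': 'Configuration',
        'PayloadVersion': 1,
        'PayloadScope': 'System',
        'PayloadIdentifier': 'com.example.wifi',
        'PayloadUUID': str(uuid.uuid4()).upper(),
        'PayloadDisplayName': '%s Wi-Fi' % org,
        'PayloadOrganization': org,
        'PayloadContent': [wifi_payload],
    }


def write_profile(profile):
    """Serialise the profile to a temporary .mobileconfig and return its path."""
    fd, path = tempfile.mkstemp(suffix='.mobileconfig')
    with os.fdopen(fd, 'wb') as fh:
        plistlib.dump(profile, fh)
    return path


def roundtrip(profile):
    """Write the profile out and read it back, proving it serialises as a plist."""
    path = write_profile(profile)
    try:
        with open(path, 'rb') as fh:
            return plistlib.load(fh)
    finally:
        os.remove(path)


def install_profile(path, profiles_bin='/usr/bin/profiles'):
    """Install with the flags the deck uses (-I -v -f -F), then delete the temp file.

    The username is in the file, so it should not be left on disk once installed.
    """
    try:
        subprocess.check_call([profiles_bin, '-I', '-v', '-f', '-F', path])
    finally:
        os.remove(path)


if __name__ == '__main__':
    profile = gen_wifi_profile(SAMPLE_NETWORK)
    print(plistlib.dumps(profile).decode('utf-8'))
```

Run as a script it prints the generated .mobileconfig; on a 10.7+ Mac, install_profile(write_profile(profile)) performs the same install-and-remove step as the slide. Add an EAP-TLS entry to eap_types and a PayloadCertificateAnchorUUID once the machine certificate from the later slides is available.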

Page 19

Demo: Self Service Portal

Page 20

Demo: PasswordUtility

Pages 21-24

Issues with User authentication

• Password rotation

• Help Desk password changes

• Mass password changes

Page 25

Using Machine Password

    dsconfigad -passinterval 0

Pages 26-27

Auto Enrollment

Page 28

Certificate Authority Web Enrollment

Pages 29-30

Windows Integrated Authentication

• SPNEGO

• Kerberos

• curl --negotiate

Page 31

SPNEGO Negotiation

• reverse DNS

• time

• Able to contact KDC

    curl win-7po3b92m2fp.wallcity.org

Pages 32-33

ca.ad.com/certsrv

Pages 34-35

Certificate templates

• http://technet.microsoft.com/en-us/library/cc730826(v=ws.10).aspx

Page 36

RADIUS Testing

• radtest user password rad.ad.com 0 sharedsecret

• radtest -t mschap user password rad.ad.com 0 sharedsecret

Page 37

Access Certificate Templates

• Replicated via Active Directory

• Access control lists for Certificate Templates (different than RADIUS)

Pages 38-39

Machine vs User template

    curl -d "CertAttrib=CertificateTemplate:User%20Certificate"...

Pages 40-41

Submit a CSR

    curl -d "CertRequest=${ENCODED_CSR}"...

Page 42

Machine TGT

    /usr/bin/kinit -k M-084737$

Pages 43-52

[Diagram built up across slides 43-52; labels: LDAP, TGT, curl, HTTP]

Page 53

Request ID

• "${CA_URL}/certnew.cer?ReqID=${REQ_ID}&Enc=b64"

• curl --negotiate -u:

• reverse DNS required for Kerberos Service Ticket

• replication of Domain Controllers
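Pages 38 to 53 show the enrollment request only as curl fragments: the CertAttrib field that picks the template, the CertRequest field carrying the URL-encoded CSR, the --negotiate -u: flags that make curl use the machine TGT, and the certnew.cer?ReqID=...&Enc=b64 URL that fetches the issued certificate. The code below is an added example, not from the deck or from wifiutil, that assembles those pieces in Python. It posts to certfnsh.asp, the AD CS web enrollment submission page; the form field names (Mode, CertRequest, CertAttrib, TargetStoreFlags, SaveCert) are assumed from that form. The CSR text and the HTML response are constructed samples, and no network call is made.

```python
import re
import urllib.parse

# Constructed sample: PEM framing of a CSR. The body is a placeholder, not a real request.
SAMPLE_CSR_PEM = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    "MIIBsample-placeholder-not-a-real-csr\n"
    "-----END CERTIFICATE REQUEST-----\n"
)

# Constructed sample of the HTML certfnsh.asp returns once a request has been issued.
SAMPLE_RESPONSE = (
    '<html><body>Certificate Issued\n'
    '<a href="certnew.cer?ReqID=1042&amp;Enc=b64">Download certificate</a>\n'
    '</body></html>'
)

REQID_RE = re.compile(r'certnew\.cer\?ReqID=(\d+)')


def build_enroll_form(csr_pem, template):
    """Form body for certfnsh.asp (field names assumed from the AD CS web enrollment form).

    CertAttrib selects the certificate template, so the template ACL (page 37), not the
    RADIUS policy, decides whether this request is accepted.
    """
    fields = [
        ('Mode', 'newreq'),
        ('CertRequest', csr_pem),
        ('CertAttrib', 'CertificateTemplate:%s' % template),
        ('TargetStoreFlags', '0'),
        ('SaveCert', 'yes'),
    ]
    # quote (not quote_plus) so spaces become %20 as in the deck's curl fragment.
    return urllib.parse.urlencode(fields, safe=':', quote_via=urllib.parse.quote)


def curl_enroll_argv(ca_url, form_body):
    """The curl call from the deck: SPNEGO/Kerberos with the current TGT, no password (-u:)."""
    return ['curl', '--negotiate', '-u:', '-d', form_body,
            ca_url.rstrip('/') + '/certfnsh.asp']


def parse_request_id(html):
    """Pull the request ID out of the submission response; None if nothing was issued."""
    m = REQID_RE.search(html)
    return int(m.group(1)) if m else None


def cert_url(ca_url, req_id, encoding='b64'):
    """URL that retrieves the issued certificate, as on page 53."""
    return '%s/certnew.cer?ReqID=%d&Enc=%s' % (ca_url.rstrip('/'), req_id, encoding)


def curl_fetch_argv(ca_url, req_id, out_path):
    """curl call to download the certificate, again authenticated with the TGT."""
    return ['curl', '--negotiate', '-u:', '-o', out_path, cert_url(ca_url, req_id)]


if __name__ == '__main__':
    body = build_enroll_form(SAMPLE_CSR_PEM, 'User Certificate')
    print(' '.join(curl_enroll_argv('https://ca.ad.com/certsrv', body)))
    req_id = parse_request_id(SAMPLE_RESPONSE)
    print(' '.join(curl_fetch_argv('https://ca.ad.com/certsrv', req_id, 'machine.cer')))
```

parse_request_id() returning None is the case to handle in a real run: the template may require manager approval, or the template ACL may not grant the machine account enroll rights, and neither shows up as an HTTP error. The Kerberos prerequisites from page 31 (reverse DNS for the CA host, clock skew, KDC reachability) apply to both curl calls.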

Pages 54-58

[Diagram built up across slides 54-58; labels: LDAP, curl, HTTP]

Page 59

userCertificate attribute

    dscl localhost read /Search/Computers/M-938747$ userCertificate

Page 60

Convert from DER to PEM

• openssl

• dscl

• xxd or just binascii in python
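Page 59 reads the machine account's userCertificate through dscl, and page 60 lists binascii as one way to turn the hex that dscl prints into DER. This added example, not the deck's code, does that conversion in Python: it extracts the hex, checks the outer DER SEQUENCE length before trusting the bytes (a truncated attribute value otherwise produces a PEM file that looks fine until the supplicant tries to use it), wraps the result as PEM, and builds the security import command from page 65. The dscl output and the DER bytes are constructed samples; the sample DER is a minimal SEQUENCE of two INTEGERs, not a real certificate. The exact dscl output layout (attribute name, then space-separated hex) is an assumption.

```python
import base64
import binascii
import re
import subprocess

# Constructed sample of dscl output for the attribute. The value is a toy DER SEQUENCE
# (SEQUENCE { INTEGER 1, INTEGER 2 }), not a certificate.
SAMPLE_DSCL_OUTPUT = "dsAttrTypeNative:userCertificate:\n 3006 0201 0102 0102\n"

NON_HEX_RE = re.compile(r'[^0-9a-fA-F]')


def read_user_certificate(computer_account, node='/Search'):
    """Run the dscl command from page 59 and return its output (needs an AD-bound Mac)."""
    out = subprocess.check_output(
        ['dscl', 'localhost', 'read', '%s/Computers/%s' % (node, computer_account),
         'userCertificate'])
    return out.decode('utf-8', 'replace')


def dscl_hex_to_der(output):
    """Take the hex dump that follows the attribute name and return the DER bytes.

    Only one attribute was requested, so everything after the name is the value.
    """
    _, _, body = output.partition('userCertificate:')
    if not body:
        raise ValueError('userCertificate attribute not present in dscl output')
    hexdigits = NON_HEX_RE.sub('', body)
    if len(hexdigits) % 2:
        raise ValueError('odd number of hex digits')
    return binascii.unhexlify(hexdigits)


def der_outer_length(der):
    """Parse the outer SEQUENCE header and return the total encoded length."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError('not a DER SEQUENCE')
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    length = int.from_bytes(der[2:2 + n], 'big')
    return 2 + n + length


def der_to_pem(der, label='CERTIFICATE'):
    """Wrap DER as PEM after checking the data is exactly one complete SEQUENCE."""
    if der_outer_length(der) != len(der):
        raise ValueError('DER length mismatch: truncated or trailing data')
    b64 = base64.b64encode(der).decode('ascii')
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return '-----BEGIN %s-----\n%s\n-----END %s-----\n' % (label, '\n'.join(lines), label)


def security_import_argv(pem_path, keychain='/Library/Keychains/System.keychain'):
    """The security(1) import call from page 65; -k names the target keychain."""
    return ['security', 'import', pem_path, '-k', keychain]


if __name__ == '__main__':
    der = dscl_hex_to_der(SAMPLE_DSCL_OUTPUT)
    print(der_to_pem(der))
    print(' '.join(security_import_argv('/tmp/machine.pem')))
```

On a bound Mac, replace SAMPLE_DSCL_OUTPUT with read_user_certificate('M-938747$'); the PEM can then be checked with openssl x509 -noout -text before being imported. The length check is the part worth keeping: dscl prints the attribute as it was replicated, and a partially replicated value (page 53's replication point) is caught here rather than at the first 802.1X attempt.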

Pages 61-64

[Diagram built up across slides 61-64; labels: LDAP, dscl]

Page 65

security

Pages 66-72

[Diagram built up across slides 66-72; label: LDAP]

Page 73

ADCertificatePayloadPlugin

• Introduced in 10.7

• Supports Machine TGT style authentication

• Limited scope of OS support; deprecated in favor of DCE/RPC

Page 74

DCE/RPC: Distributed Computing Environment / Remote Procedure Call

Page 75

To Do

• wifiutil --autoenroll curl

• wifiutil --autoenroll profile

Page 76

Common Issues

• Machine joins with same MAC address (join existing account)

• Certificate Expiration (set by template)

• eapolclient needs keychain ACL set in older operating systems

• security -k not honored in 10.7 or 10.8 (Keys exportable)

Page 77

Debugging

    /System/Library/C/S/airport debug +AllUserland

LogLevel in com.apple.eap.profiles.plist

    /var/log/eapolclient

http://pastie.org/pastes/265251

Page 79

Puppet as a Certificate Authority

• puppet agent -t (submits the certificate signing request)

• puppet cert --sign agent.puppetlabs.com

• puppet cert --generate ipad.puppetlabs.com

Page 80

StrongSWAN

Page 81

Network Device Enrollment

Page 84

WirelessConfig

http://tinyurl.com/bananas13