Certificate Auto-Enrollment of Linux/Mac End Points for 802.1x EAP-TLS
The 802.1x IEEE standard provides identity-based access control at the network edge. When implemented with EAP-TLS and X.509 certificates it can provide excellent security and access control at the network port level. This document provides an overview of 802.1x and how to provide the required X.509 certificates on Linux/Mac end-points using automatic provisioning (auto-enrollment) from a Microsoft ADCS PKI.
CertAccord© Enterprise delivers automated X.509 certificate lifecycle management on Red Hat Enterprise Linux (RHEL), Ubuntu Server, and other Linux distributions as well as on MacOS based endpoints. It acts as an certificate management bridge between Microsoft ADCS and Linux/Mac endpoints to automate the Client Authentication certificates required for 802.1x EAP-TLS and other certificate consumers.
What Is 802.1x?
802.1x is an IEEE industry standard for controlling access at the layer-2 level of network switches and Local Area Networks (LAN). The standard is based on each user or device providing its identity to an authentication server to determine if access to the network is permitted. If access is permitted then the network port of the device is fully enabled. If not access is blocked/denied.
There are a number of methods provided in 802.1x for authentication. The most commonly used is based on EAP-TLS which is an IETF standard defined in RFC 2716. EAP-TLS uses X.509 certificates on the client-side and the server-side for mutual authentication. The server side is configured in a network product specific manner.
Each end-point runs a supplicant which is more commonly called an agent or an application which understands EAP-TLS. The end-point must have the following:
- Copy of trusted Certificate Authority certificates such as the Root CA certificate
- Its own X.509 certificate issued by a Certificate Authority trusted by the EAP-TLS authenticator
With a Windows end-point the Auto-Enrollment capability built into Windows can automatically provision the above. However, on Linux/Mac end-points this is often done manually which leads to higher costs, errors, and more security vulnerabilities. The best solution for this is to use CertAccord Enterprise to automate certificate management on Linux/Mac end-points.
Auto-Enrollment of Certificates on Linux/Mac for EAP-TLS
The CertAccord Enterprise certificate management solution provides auto-enrollment of X.509 certificates on Linux/Mac in a manner very similar to Windows. CertAccord acts as certificate management bridge between a Microsoft Active Directory Certificate Services (ADCS) PKI and Linux/Mac end-points. It provides the ability to automatically push (enroll) certificates to Linux/Mac end-points without any manual processes. Even better, it automatically manages the full life-cycle of certificates including automatic renewals.
You can quickly deploy CertAccord Enterprise in your environment and start creating certificates in a few hours.
Full Automation of wpa_supplicant
If you are using the wpa_supplicant client on Linux you can fully automate not only the creation of an X.509 certificate from Microsoft ADCS to Linux but you can automate the configuration of wpa_supplicant itself. This can be accomplished using our Certificate Appliers API. For a full example with a working Certificate Applier please visit:
How To Automate the Creation of 802.1X wpa_supplicant.conf on Linux With Microsoft PKI
The Certificate Appliers API can be used to automate virtually any 802.1x client, not just wpa_supplicant.
Summary
Securing your network with 802.1x EAP-TLS will significantly increase your security posture. Attempting to do this with manual certificate processes on Linux/Mac will be counter-productive both in security and frustration levels of staff. Using CertAccord Enterprise to auto-enroll Linux/Mac with X.509 certificates can meet the security and staff expectations you need to have a successful implementation.