Certificate Auto-Enrollment of Linux/Mac End Points for 802.1x EAP-TLS
The 802.1x IEEE standard provides identity-based access control at the network edge. When implemented with EAP-TLS and X.509 certificates it can provide excellent security and access control at the network port level. This document provides an overview of 802.1x and how to provide the required X.509 certificates on Linux/Mac end-points using automatic provisioning (auto-enrollment) from a Microsoft ADCS PKI.
What Is 802.1x?
802.1x is an IEEE industry standard for controlling access at the layer-2 level of network switches and Local Area Networks (LAN). The standard is based on each user or device providing its identity to an authentication server to determine if access to the network is permitted. If access is permitted then the network port of the device is fully enabled. If not access is blocked/denied.
There are a number of methods provided in 802.1x for authentication. The most commonly used is based on EAP-TLS which is an IETF standard defined in RFC 2716. EAP-TLS uses X.509 certificates on the client-side and the server-side for mutual authentication. The server side is configured in a network product specific manner.
Each end-point runs a supplicant which is more commonly called an agent or an application which understands EAP-TLS. The end-point must have the following:
- Copy of trusted Certificate Authority certificates such as the Root CA certificate
- Its own X.509 certificate issued by a Certificate Authority trusted by the EAP-TLS authenticator
With a Windows end-point the Auto-Enrollment capability built into Windows can automatically provision the above. However, on Linux/Mac end-points this is often done manually which leads to higher costs, errors, and more security vulnerabilities. The best solution for this is to use CertAccord Enterprise to automate certificate management on Linux/Mac end-points.
Auto-Enrollment of Certificates on Linux/Mac for EAP-TLS
The CertAccord Enterprise certificate management solution provides auto-enrollment of X.509 certificates on Linux/Mac in a manner very similar to Windows. CertAccord acts as certificate management bridge between a Microsoft Active Directory Certificate Services (ADCS) PKI and Linux/Mac end-points. It provides the ability to automatically push (enroll) certificates to Linux/Mac end-points without any manual processes. Even better, it automatically manages the full life-cycle of certificates including automatic renewals.
You can quickly deploy CertAccord Enterprise in your environment and start creating certificates in a few hours.
Securing your network with 802.1x EAP-TLS will significantly increase your security posture. Attempting to do this with manual certificate processes on Linux/Mac will be counter-productive both in security and frustration levels of staff. Using CertAccord Enterprise to auto-enroll Linux/Mac with X.509 certificates can meet the security and staff expectations you need to have a successful implementation.