How to Configure EAP-TLS Authentication with ADFS

How to Configure EAP-TLS Authentication with ADFS

If you use Microsoft’s Active Directory Federation Services (ADFS), you can easily set up SAML authentication with SecureW2. Once configured, your network can efficiently distribute and authenticate digital certificates. The onboarding process requires users to follow only a few simple steps, and then they are authorized for uninterrupted network use for the life of the certificate.

As a user enrolls for a certificate, their attributes are used to determine the role and enrollment policies that will apply to that user. For example, a university might have differing attributes for students and professors; this way, they can segment access to specific applications, files, or websites based on the user’s attributes.

Through utilizing ADFS for identification, the certificate is tied to the identity of the user and device for the life of the certificate. The certificate cannot be transferred to another device, so the users on your network are always correctly identified.

To complete this process, we’ve summarized it to the following overview:

  1. Download the Metadata from ADFS
  2. Configure ADFS for SAML Authentication in the Microsoft Management Console
  3. Configure the Attribute Mapping in ADFS and SecureW2
  4. Configure the WPA2-Enterprise Network Policy Rules

 

Prerequisites

To configure SAML authentication with ADFS, make sure you meet the following prerequisites:

  • An active SecureW2 account
  • An active Cloud Connector subscription
  • JoinNow MultiOS Server

Note: The ADFS server must be publicly accessible and signed by a public CA certificate. Also, the metadata from the ADFS server is required to add trust with the SecureW2 servers.

 

Download The ADFS Metadata

  1. Access the ADFS server through your ADFS URL and Download and Save the ADFS Metadata
  2. From your SecureW2 Management Portal, go to Identity Management > Identity Providers
  3. Click Edit for the identity provider (IDP) you want to use for authentication
  4. Enter a Name, set the Type to SAML, and choose SAML Vendor as ADFS, and click Save and then Update

Configure the settings of the ADFS Identity Provider

  1. In the Identity Providers list that appears, click Edit on your newly created IDP
  2. Select the Configuration tab
  3. Under Identity Provider (IDP) Info, click Browse… in the Metadata section and Open the Metadata downloaded previously, and click Upload and Update
  4. Under Service Provider (SP) Info, for Metadata, click Download and save the metadata file (.XML) to your computer

 

Configure ADFS For SAML Authentication

  1. Run the mmc command to open the Microsoft Management Console
  2. Click File > Add/Remove Snap-in… 
  3. Add the ADFS Management to the Selected snap-ins: and click Ok

Connect ADFS for SAML authentication

  1. Select the main node ADFS, and in the left pane click Relying Party Trust
  2. In the right pane under Actions, select Add Relying Party Trust…
  3. Using the Add Relying Party Trust Wizard that appears, click Start (with the Claims aware bubble selected)
  4. Select Import data about the relying party from a file and click Browse to find and select the previously downloaded metadata, then click Next
  5. Enter a Display name and click Next
  6. Under Choose an access control policy, select whether to use a user blacklist or whitelist click Next, and click Next again on the next screen
    • Note: If you choose whitelist (Deny all users), you will need to grant access to users/groups at a later time
  7. To finish, click Close

 

Configure ADFS Attribute Rules

  1. Right-click the Relying Party Trust you created and select Edit Claim Issuance Policy…
  2. In the window that appears, click Add Rule 
  3. Ensure the Claim rule template is set to Send LDAP Attributes as Claims and click Next
  4. Enter a Claim rule name and change the Attribute store to Active Directory
  5. Configure LDAP to SAML attribute mapping based on your use case and click Finish > Apply > Ok
    • This will include the different attribute fields that will be populated with the IDP metadata

Display of the LDAP attributes imprinted on the certificate

  1. Right-click the relying party trust you created, and click Properties
  2. Select the Advanced tab and in the Secure hash algorithm dropdown, select SHA-1 and click Apply > Ok 
  3. Before beginning the next section, right-click the Relying Party Trust that was previously created and select Edit Claim Issuance Policy… 
  4. Select the newly created Rule and click Edit Rule
  5. Click View Rule Language… to read the attributes you created
    • You will make use of these in the SecureW2 Management Portal

 

Configure Attribute Mapping in SecureW2

  1. Open the SecureW2 Management Portal and in the Identity Providers screen, select Edit for the ADFS IDP that was previously created
  2. Click the Attribute Mapping tab and click Add
  3. Reference the Rules you have open to create the Local and Remote attributes
  4. For example, an attribute based on a user’s name would read:
    • Local Attribute: displayName
    • Remote Attribute: USER_DEFINED
    • In the new dialog box: Open the Rule Language in the Microsoft Console and copy the URL relating to the name attribute (See image below)
  5. Add an attribute for each Rule that was created and when finished click Update
    • You can close the Rule Language window that was open in the Microsoft Console

copy the Rule text from ADFS

 

Configure the WPA2-Enterprise Network Policies

  1. In the SecureW2 Management Portal under the Device Onboarding section, select Network Profiles
  2. Edit the network profile you have previously created by clicking Profile in the Policy Management section
  3. Click Add Profile Policy, enter a Name for the profile, and click Save
  4. Click the Conditions tab, select the profile you created in the Profile dropdown, and click Update
  5. Under Policy Management, select User Roles
  6. Click Add Role, enter a Name, and click Save
  7. Click the Conditions tab, select the Identity Provider you’ve created in the Identity Provider dropdown, and click Update
  8. Under Policy Management, click Enrollment > Edit on the DEFAULT ENROLLMENT POLICY
  9. Click the Conditions tab
  10. Select the User Role you created and the DEFAULT ROLE POLICY in the User Role dropdown (by holding CTRL to select both), and then click Update
  11. Whenever modifying the Profile Policy, you must Re-Publish the Network Profile after you have completed editing
    • Navigate to Network Profiles under Device Onboarding and click Re-publish on the Network Profile you created, and then click Ok

 

Conclusion

After publishing the Network Profile, you are configured to begin enrolling new users for digital certificates. Once equipped, the network is protected by the ironclad security of EAP-TLS certificate authentication. The authentication process is protected by the encrypted EAP tunnel as well as the asymmetric encryption of certificates. The process to configure the network to use ADFS for certificate identification simplifies the user experience substantially because all they have to do is follow the onboarding client, which can be completed in less than 5 minutes.

Click here for pricing to see if this cost-effective and secure solution will work for your organization.

Active Directory Federation Services is a registered trademark of Microsoft in the United States and/or other countries. Other trademarks, logos and service marks used in this site are the property of SecureW2 or other third parties.