
Enabling WPA2-Enterprise 802.1x with MobileIron

Managing devices through Mobile Device Management (MDM) systems has become a foundational part of most security programs. Remote management saves administrators a great deal of time, and the ability to monitor devices and keep them compliant has become an essential security operation. Organizations can now also factor Device Trust, assurance that a device is a known, managed device, into their security decisions.

However, not all organizations know how to factor this Device Trust into network authentication and authorization. The most common way is certificate-based 802.1X authentication (EAP-TLS), which is what this guide configures using SecureW2’s JoinNow Connector PKI.

The diagram above shows a high-level overview of how the JoinNow Connector PKI solution works. We will configure a SCEP Gateway that our MobileIron-managed devices use to enroll for certificates as soon as MobileIron pushes the SCEP profile. Once the devices have certificates, a Wi-Fi profile pushed by the MDM configures them to authenticate to the network with that certificate. Every managed device then has a unique, identifiable identity on the network, which the RADIUS server can use to place it on a segment separate from untrusted devices.

Tech Overview

Before moving ahead, it is important to understand what EAP-TLS, certificate-based 802.1X, is. EAP-TLS (RFC 5216) is an Extensible Authentication Protocol method that runs a full Transport Layer Security (TLS) handshake between the client (supplicant) and the authentication server. The handshake is carried inside EAP messages over the wireless link and then inside RADIUS to the server.

During that handshake both sides present digital certificates and prove possession of the matching private keys, and the keys derived from the handshake are then used to protect the Wi-Fi session. Unlike password-based methods such as PEAP-MSCHAPv2 or EAP-TTLS/PAP, EAP-TLS never transmits a password or a password hash at all, so there is nothing to capture for an offline dictionary attack and nothing for a phishing page to harvest. The remaining risks shift to the device’s private key (which should be generated on the device and never exported) and to the client correctly validating the server’s certificate: a supplicant that skips that check will happily complete EAP-TLS with an attacker’s evil-twin access point, which is why the Wi-Fi profiles later in this guide pin both the RADIUS server’s root CA and its certificate name.

EAP-TLS is the right choice for settings that need robust authentication, such as WPA2-Enterprise networks. Note that EAP-TLS itself does not provision certificates: the device first needs a certificate from a PKI, which is what the SCEP enrollment below provides, and the same certificate can then be reused for VPN and other network services.

Here are the brief steps for how we will enable WPA2-Enterprise 802.1X with MobileIron in this guide:

  1. Using SecureW2’s MobileIron PKI services, configure the Intermediate CA, the certificate template that MobileIron devices will be issued, and the SCEP (Simple Certificate Enrollment Protocol) Gateway URL.
  2. In the MobileIron management portal, upload the signing (issuing) CA certificate.
    • Certificates issued by that CA can then be trusted by your RADIUS server, which integrates with access points from all major vendors.
  3. Enter the SCEP URL as the endpoint from which devices will obtain their certificates.
  4. Prepare the MobileIron SCEP and Wi-Fi profiles for all managed devices.
    • The SCEP payload enrolls the device for a trusted certificate; the Wi-Fi payload carries your organization’s wireless settings and tells the device to authenticate with that certificate.
    • Admins can send out further payloads that use the same certificate for VPN configuration, desktop logon, web apps, and more.
  5. Once this is done, devices request their certificates and can connect to the WPA2-Enterprise EAP-TLS network.
    • Managed devices are authenticated by an existing RADIUS server from any major vendor, or by SecureW2 Cloud RADIUS.

Configuring the Mobileiron SCEP Gateway with SecureW2

The following are the prerequisites for configuring MobileIron with SecureW2:

  • Generate a SCEP URL and Shared Secret
  • Create an Intermediate CA for SCEP Gateway Integration
  • Add the Intermediate CA-ID to the SCEP URL

Generate a SCEP URL and Shared Secret

To generate the SCEP URL and secret, perform the following steps:

  1. Log in to your SecureW2 Management Portal.
  2. Navigate to Identity Management > API Tokens.
  3. Click Add API Token.
  4. Enter a name in the Name field, for example MobileIron SCEP Token.
  5. From the Type drop-down list, select SCEP Enrollment Token.

  6. From the Scep Vendor drop-down list, select MobileIron.

  7. Click Save. This downloads a .csv file containing the SCEP URL and secret.

NOTE: Save this file securely. It is downloaded only once, at the time of token creation; if you lose it, you cannot retrieve the token or secret and will need to create a new token. Treat the secret as a credential: it is the SCEP challenge password, and anyone holding it together with the URL can enroll a certificate that your RADIUS server will trust, so keep it in a secrets manager rather than on a shared drive.

NOTE: You can also refer to the steps in Configuring API Tokens (SCEP Enrollment Token) in the JoinNow MultiOS and Connector Configuration Guide:

https://cloud.securew2.com/resources/guides/SecureW2_JoinNow_MultiOS_Configuration_Guide.pdf

Create an Intermediate Certificate Authority for SCEP Gateway Integration

As a best practice, SecureW2 recommends creating a new intermediate CA dedicated to the JoinNow SCEP (Simple Certificate Enrollment Protocol) Gateway integration with MobileIron. Keep the CA that issues certificates to MobileIron-managed devices separate from the CA that issues to BYOD devices: the two populations have different policies (managed devices do not need the certificate e-mail notifications that BYOD users receive, so notifications can be disabled on the dedicated CA), and a separate issuer lets you revoke or rotate one population’s certificates without affecting the other.

To create a new intermediate CA, perform the following steps:

  1. From your SecureW2 Management Portal, go to PKI Management > Certificate Authorities.
  2. Click Add Certificate Authority.
  3. In the Basic section, click the Type dropdown list and select Intermediate CA.
  4. Click the Certificate Authority dropdown list and select the default Root CA provisioned for your organization.
  5. For Common Name, enter a name (For example – Mobileiron SCEP). SecureW2 recommends a name that includes SCEP.

  6. Click Save. This generates the new intermediate CA.
  7. As a best practice, most organizations also create a new Certificate Template for this CA, which can be found in the PKI Management > Certificate Authorities section.

Add the Intermediate CA-ID to the SCEP URL

To add the intermediate CA-ID to the SCEP URL, perform the following steps:

  1. Log in to your SecureW2 Management Portal.
  2. Navigate to PKI Management > Certificate Authority.
  3. For the CA you created in the section “Create an Intermediate CA for SCEP Gateway Integration”, click View.
  4. In the CRL section, copy the Base or Delta CRL URL.
  5. Paste the Base/Delta URL into a blank document.
  6. Open the CSV file you downloaded in the section “Generate a SCEP URL and Shared Secret”.
  7. Copy the MobileIron SCEP URL and paste it into the blank document next to the Base/Delta URL.
  8. From the Base/Delta URL, copy the CA-ID portion.
  9. In the SCEP URL, replace the existing CA-ID portion with the one you copied from the Base/Delta URL, so that the gateway issues from the dedicated intermediate CA rather than the default one.
  10. Copy the new SCEP URL and paste it into the .csv file.
  11. Save the .csv file.
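Before pushing the SCEP profile, it is worth checking that the finished SCEP URL answers the standard SCEP discovery operations and advertises modern algorithms. The following Python script is an added example, not SecureW2 or MobileIron code: it builds the GetCACaps and GetCACert request URLs defined in RFC 8894 (the message parameter carries the same CA identifier you will later enter in MobileIron’s CA Identifier field), parses a GetCACaps response, and flags a gateway that would make clients fall back to MD5 or single DES. The gateway URL, CA identifier and responses below are constructed placeholders; fetch_ca_caps is the only function that talks to the network.

```python
"""Pre-flight check of a SCEP gateway URL (added example; RFC 8894 semantics).

The gateway URL and CA identifier used here are hypothetical placeholders,
not values from SecureW2 or MobileIron. Only the standard library is used.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import urlopen


def scep_operation_url(scep_url, operation, ca_ident=None):
    """Return scep_url with ?operation=<op>[&message=<CA-IDENT>] appended.

    Query parameters the vendor already placed in the URL are preserved.
    RFC 8894 carries the CA identifier in the 'message' parameter of
    GetCACert; it is the same string MobileIron calls the CA Identifier."""
    parts = urlsplit(scep_url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query["operation"] = operation
    if ca_ident is not None:
        query["message"] = ca_ident
    return urlunsplit(parts._replace(query=urlencode(query)))


def parse_ca_caps(body):
    """GetCACaps returns text/plain with one capability keyword per line.
    Unknown keywords must be ignored, so the keywords are simply collected."""
    return {line.strip() for line in body.splitlines() if line.strip()}


def check_ca_caps(caps):
    """Evaluate advertised capabilities against a modern-crypto policy.

    RFC 8894 defaults when a keyword is absent: PKIOperation sent over GET,
    MD5 as the PKCS#7 signature digest, and single DES for the envelope."""
    problems = []
    if "POSTPKIOperation" not in caps:
        problems.append("POSTPKIOperation missing: enrollment would be sent in a GET query string")
    if not caps & {"SHA-256", "SHA-512"}:
        problems.append("no SHA-2 keyword: clients fall back to MD5 for the PKCS#7 signature")
    if "AES" not in caps:
        problems.append("AES missing: clients fall back to DES3 or single DES for the envelope")
    return (not problems, problems)


def fetch_ca_caps(scep_url, timeout=10):
    """Live GetCACaps request against the gateway (not exercised offline)."""
    with urlopen(scep_operation_url(scep_url, "GetCACaps"), timeout=timeout) as resp:
        return parse_ca_caps(resp.read().decode("ascii", "replace"))


# Constructed sample responses; not captured from a real gateway.
GOOD_CAPS_RESPONSE = "AES\nPOSTPKIOperation\nSHA-256\nSHA-512\nSCEPStandard\nRenewal\n"
LEGACY_CAPS_RESPONSE = "DES3\nSHA-1\n"

if __name__ == "__main__":
    url = "https://scep.example.net/scep?token=abc123"  # hypothetical gateway URL
    print(scep_operation_url(url, "GetCACaps"))
    print(scep_operation_url(url, "GetCACert", ca_ident="MobileIronSCEP"))
    for label, body in (("good", GOOD_CAPS_RESPONSE), ("legacy", LEGACY_CAPS_RESPONSE)):
        ok, problems = check_ca_caps(parse_ca_caps(body))
        print(label, "OK" if ok else "; ".join(problems))
```

Run it with the real SCEP URL from the .csv file substituted for the placeholder; a gateway that fails check_ca_caps is worth raising with the PKI vendor before any device enrolls, because the client picks the weakest defaults silently.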

Configuring MobileIron for Cloud Environments

This section describes the process to configure MobileIron with SecureW2 in the cloud. The following are the high-level tasks to configure MobileIron.

  • Creating a SCEP Certificate Profile
  • Creating a MobileIron Certificate Profile
  • Creating a Wi-Fi Profile

Creating a MobileIron SCEP Certificate Profile (SCEP Configuration)

To create a SCEP certificate profile, perform the following steps:

  1. Log in to MobileIron.
  2. Navigate to SCEP Configuration and click Add.
  3. Select Identity Certificate.
  4. Enter a name for the configuration.
  5. Select SCEP Configuration > iOS Configuration.
  6. Select Identity Certificate (SCEP).
  7. In the URL field, enter the SCEP URL from the SecureW2 Management Portal (the one with the intermediate CA-ID substituted in).
  8. In the CA Identifier field, enter the name of the intermediate CA as shown in the SecureW2 Management Portal.
  9. In the Subject field, enter CN=${<value>}, where <value> is any MobileIron variable, for example CN=${userLastName}. The list of MobileIron variables is at:
    http://mi.extendedhelp.mobileiron.com/53/all/en/desktop/Variables.htm
  10. In the Subject Alternate Name Type field, select RFC 822 Name from the drop-down.
  11. In the Subject Alternate Name Value field, enter the variables you want on the certificate, separated by semicolons. Keep the order and the empty field exactly as shown, because the attributes are mapped by position (see Troubleshooting). For example:

    ${userFirstName};;${deviceWifiMacAddress};${userEmailAddress}

    NOTE: There are two semicolons at the beginning of the second variable, which leaves the second field empty.

  12. In the Challenge field, enter the shared secret (the SCEP challenge password) that you received from the SecureW2 Management Portal along with the SCEP URL.
  13. Set the Key Size to 2048.
  14. Enable Digital Signature and Use as key encipherment, so that the issued certificate carries the digitalSignature and keyEncipherment key usages.
  15. Click Next and choose how you want to distribute the profile.

Creating a MobileIron Certificate Profile

In this profile, we add the root CA of the RADIUS server’s certificate so that devices trust the server during the EAP-TLS handshake. To do so, perform the following configuration steps:

  1. Log in to MobileIron.
  2. Navigate to Configuration > Add > Certificate.
  3. Give the profile a name and drag and drop the root certificate of the RADIUS server’s certificate chain.
  4. If you are using SecureW2 Cloud RADIUS, upload the DigiCert Global Root CA. For any other RADIUS server, upload whichever root issued that server’s certificate. Note that a public root such as DigiCert’s issues certificates to anyone, so trusting it is only safe together with the Trusted Server Certificate Names setting in the Wi-Fi profile below.
  5. Click Next and choose how you want to distribute the profile.

Creating a Wi-Fi Profile

This profile configures the device to connect to a secured SSID using the certificate for an EAP-TLS connection.

  1. Log in to MobileIron.
  2. Navigate to Configuration > Add > Wi-Fi.
  3. Give the profile a name.
  4. In the Service Set Identifier (SSID) field, enter the name of the secured (802.1X) SSID.
  5. Select the Auto Join checkbox.
  6. From the Security Type drop-down, select WPA2-Enterprise.
  7. Select the Protocols tab.
  8. Select TLS as the only Accepted EAP Type, so that the device cannot be steered to a password-based method.
  9. Select the Authentication tab.
  10. From the Identity Certificate drop-down list, select the SCEP certificate profile you created above.
  11. Select the Trust tab.
  12. From Trusted Certificates, select the certificate profile you created in the previous section.
  13. In Trusted Server Certificate Names, enter the name on the RADIUS server’s certificate; enter *.securew2.com if you are using SecureW2 Cloud RADIUS. This varies with the RADIUS server in use. Do not leave it empty: the trusted root alone does not identify your server.
  14. Click Next.
  15. Choose how you want to distribute the profile.

Supported attributes for MobileIron are listed at the following URL:

http://mi.extendedhelp.mobileiron.com/53/all/en/desktop/Variables.htm

Configuring MobileIron For On-Premise Environments

The following are the high-level tasks to configure MobileIron.

  • Creating a SCEP Certificate Profile
  • Creating a Device Certificate Profile
  • Creating a Wi-Fi Profile

Creating a SCEP Certificate Profile

First, create a SCEP certificate profile that points at the SecureW2 MobileIron PKI so that devices can enroll themselves for certificates from the SecureW2 PKI.

To create a SCEP certificate profile, perform the following configuration steps:

  1. Log in to MobileIron.
  2. Navigate to Policies & Config.
  3. Click Configuration.
    • Click Add New.
    • Select Certificate Enrollment.
    • Click SCEP.

After creating the profile, populate it with the details of the SecureW2 SCEP Gateway:

  1. Enter a name for the SCEP certificate profile in the Name field.
  2. In the URL field, enter the SCEP URL that you received from the SecureW2 Management Portal (with the intermediate CA-ID substituted in).
  3. Enter the intermediate CA name. This is shown in the SecureW2 Management Portal as the CA-Identifier.
  4. Subject: Enter CN= followed by any MobileIron variable, for example CN=$USERID$.
  5. Key Usage: Select the Signing checkbox and the Encryption checkbox.
  6. Key Type: RSA
  7. Key Length: 2048
  8. CSR Signature Algorithm: SHA256
  9. Challenge Type: Manual
  10. Subject Alternate Name Type: Choose RFC 822 Name and enter the desired variables separated by semicolons, keeping the order and the empty field exactly as shown. For example, $FIRST_NAME$;;$DEVICE_MAC$;$EMAIL$.

NOTE: There are two semicolons (;;) at the beginning of the second variable, which leaves the second field empty.

  11. Challenge: Enter the shared secret that you received from SecureW2 when you created the API token.
  12. Click Test Certificate to confirm that the gateway issues a certificate, then save the profile.

Creating a Device Certificate Profile

Next, create a certificate profile that carries the root CA of the RADIUS server’s certificate so that devices trust it.

  1. Navigate to Policies & Config.
  2. Click Configuration.
  3. Click Add New.
  4. Select Certificates.

Next, give the profile a name and upload the root certificate of the RADIUS server’s certificate chain. If you are using SecureW2 Cloud RADIUS, upload the DigiCert Global Root CA; otherwise upload the root that issued your RADIUS server’s certificate.

Creating a Wi-Fi Profile

Next, create a new Wi-Fi profile that uses the SecureW2 SCEP certificate for EAP-TLS, certificate-based authentication. Here are the configuration steps:

  1. Navigate to Policies & Config.
  2. Select Configuration.
  3. Click Add New.
  4. Select Wi-Fi.
  5. Enter a profile name in the Name field.
  6. Enter the network name in the Network Name (SSID) field.
  7. Select WPA2-Enterprise from the Authentication drop-down list.
  8. Select AES from the Data Encryption drop-down list.
  9. In the Trusted Certificate Names field, enter the name on the RADIUS server’s certificate, for example *.securew2.com if you are using SecureW2 Cloud RADIUS. Do not leave this empty when the trusted root is a public CA.
  10. Select TLS as the Extensible Authentication Protocol Type.
  11. From the Identity Certificate drop-down list, select the SCEP certificate profile you created above.
  12. Select Auto Join under iOS Settings.
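The two trust settings in the Wi-Fi profile (Trusted Certificates plus Trusted Server Certificate Names in the cloud procedure’s Trust tab, and the Trusted Certificate Names field in step 9 of the on-premise procedure above) work together, and the name restriction is not optional when the trusted root is a public CA: DigiCert Global Root CA issues certificates to anyone who can prove control of a domain, so an evil-twin access point presenting a valid DigiCert certificate for the attacker’s own hostname would chain correctly. The following Python module is an added example, not MobileIron or SecureW2 code. It models the decision the supplicant has to make, with the wildcard rule assumed to be the usual one (a single * standing for exactly one leftmost DNS label, compared case-insensitively); confirm the exact rule against the OS you deploy to. The certificates are constructed stand-ins, not real X.509 objects.

```python
"""Supplicant-side server trust decision for EAP-TLS (added example).

ServerCert is a constructed stand-in for the fields a supplicant inspects in
the RADIUS server's certificate; no real X.509 parsing happens here. The
wildcard-matching rule is an assumption about common supplicant behaviour.
"""
from dataclasses import dataclass

# Public roots that issue certificates to arbitrary third parties. Trusting one
# of these without a server-name restriction is the evil-twin footgun.
PUBLIC_ROOTS = {"DigiCert Global Root CA"}


@dataclass(frozen=True)
class ServerCert:
    root_ca: str   # root the presented chain terminates at
    names: tuple   # subject CN and dNSName SAN entries as presented


def name_matches(pattern, name):
    """Match one trusted-server-name pattern against one presented name.

    '*' is accepted only as the entire leftmost label and covers exactly one
    label, so '*.securew2.com' matches 'radius.securew2.com' but not
    'securew2.com', 'a.b.securew2.com' or 'securew2.com.attacker.example'."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    p_labels = pattern.split(".")
    n_labels = name.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) != len(n_labels) or n_labels[0] == "":
        return False
    return p_labels[1:] == n_labels[1:]


def server_trusted(cert, trusted_roots, trusted_names):
    """Apply the two checks the Wi-Fi profile encodes, in order.

    Returns (accepted, reason). An empty trusted_names list is treated the way
    supplicants treat it: any server chaining to a trusted root is accepted."""
    if cert.root_ca not in trusted_roots:
        return False, "chain does not terminate at a trusted root"
    if not trusted_names:
        return True, "accepted on root trust alone (no server name pinned)"
    for presented in cert.names:
        for pattern in trusted_names:
            if name_matches(pattern, presented):
                return True, f"{presented} matches {pattern}"
    return False, "no presented name matches the trusted server names"


def lint_trust_settings(trusted_roots, trusted_names):
    """Profile check to run before distribution: flag a public root that is
    trusted without any server-name restriction."""
    findings = []
    if not trusted_names and set(trusted_roots) & PUBLIC_ROOTS:
        findings.append("public root trusted with no server names: any certificate "
                        "from that CA, including an attacker's, is accepted")
    return findings


if __name__ == "__main__":
    # Constructed scenario: the real RADIUS server and an evil-twin AP whose
    # certificate is perfectly valid, just issued for the wrong name.
    roots = {"DigiCert Global Root CA"}
    legit = ServerCert("DigiCert Global Root CA", ("radius.securew2.com",))
    twin = ServerCert("DigiCert Global Root CA", ("radius.attacker.example",))
    for names in ([], ["*.securew2.com"]):
        print(names, server_trusted(legit, roots, names), server_trusted(twin, roots, names))
    print(lint_trust_settings(roots, []))
```

With the name list empty, both servers are accepted; with *.securew2.com pinned, only the real one is. The lint function is the check to run over every Wi-Fi profile before it is pushed to devices.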

Troubleshooting

If certificates are not being issued after the setup is complete, re-check the following:

  1. Log in to the SecureW2 Management Portal and confirm that the User Role Policy is mapped to the MobileIron API token as the Identity Provider. Similarly, make sure the Enrollment Policy is mapped to that User Role and the default Device Role.
  2. Check the SecureW2 Management Portal > Events section for event messages such as Device Creation Failed. This message indicates that the attributes are not mapped correctly. In the MobileIron portal, make sure the MobileIron SCEP profile sends its values in the SAN attribute as RFC 822 Name; any attribute can be sent, the most common being the UDID and the MAC address.
  3. Try putting the SCEP URL and shared secret directly in the SCEP payload instead of configuring MobileIron as a SCEP proxy.
  4. Check the device’s behaviour when it is not in a restricted environment (for example, on a network that does not restrict outbound traffic to the gateway).
  5. Only attributes sent in the RFC 822 SAN field can be encoded on the certificate.
  6. If the device enrolls but the connection to the secured SSID fails, check that the root CA of the RADIUS server’s certificate is trusted in the Wi-Fi profile and that the trusted server certificate name matches the name on the server’s certificate.

Integrate MobileIron with SecureW2 to Enable WPA2-Enterprise / 802.1x

As you can see, MobileIron integrates cleanly with our PKI for reliable WPA2-Enterprise/802.1X authentication. By integrating with our onboarding solutions, your organization gains stronger network security without sacrificing user experience, using certificate-based authentication across Wi-Fi, VPN, web apps, desktop logon, and PIV-backed smart cards. The setup also supports fine-grained access control through our policy engine, reducing the risk of unauthorized access.

Some network administrators may be intimidated by rolling out a certificate-driven network. However, the procedure is far simpler when an MDM like MobileIron is integrated with SecureW2’s Managed Cloud PKI. IT managers can create SCEP Gateways from the Management Portal, organize networks into groups, and set up customized user profiles. Our Cloud RADIUS also provides passwordless EAP-TLS authentication and integrates with the major cloud IdPs such as Azure AD, Okta, and Google.

Want to learn more? Our team of experts is always standing by to answer any queries. Contact us for a free demo or explore how this solution might be tailored to your requirements.