IGELOSSecurity

Configure IGEL wifi SCEP with NDES Part 2

Now we are going to configure the IGEL profile to use it with SCEP:

  • First we create a new profile, named for example SCEP.
  • Then we go to Network > Wireless and "Activate Wireless Interface".
  • In Default Wi-Fi Network, we configure our corporate Wi-Fi settings with our own values.
  • Just make sure you activate "Manage Certificates with SCEP (NDES)".
  • We can add "Additional Wifi Networks" if we want the IGEL to always show these networks by default.
  • Next, we go to SCEP client (NDES).
  • Activate "Manage Certificates with SCEP".
  • Next, we must fill in correctly all the info related to the certificate we created in the last post, with the same data.
This is the info you had to fill in when you added the NDES role.

Type of common name: choose DNS name (auto)

  • The following configuration is related to the CA and the fingerprint.
  • You need to specify your CA server name as an FQDN.
  • Very important: the CA Certificate Fingerprint (MD5). This is the first value in the screenshot below.

VERY IMPORTANT!! You get something like this: "1ARR3456 4324J23J 4KJ234JJ 3K2J432H", but you must specify it in the IGEL profile in this format: "1A:RR:34:56:43:24:JL:23:J4:KJ:23:4J:J3:K2:J4:32".

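As an added example (not from the original post), a small PowerShell helper that turns the fingerprint as the NDES admin page prints it into the colon-separated form the IGEL profile expects, and rejects anything that is not 32 hex digits (an MD5 fingerprint is 16 bytes). The function name and the sample value are constructed, not a real CA fingerprint:

```powershell
# Added example (not from the original post): reformat the MD5 fingerprint from
# the NDES admin page into the colon-separated form the IGEL profile expects.
function ConvertTo-IgelFingerprint {
    param([Parameter(Mandatory)][string]$NdesFingerprint)

    # NDES prints the hash in space-separated groups; drop spaces and any colons.
    $hex = ($NdesFingerprint -replace '[\s:]', '').ToUpperInvariant()

    # An MD5 fingerprint is 16 bytes = 32 hex digits. Reject anything else so a
    # truncated or mistyped copy fails here, not silently in the profile.
    if ($hex -notmatch '^[0-9A-F]{32}$') {
        throw "Expected 32 hex digits for an MD5 fingerprint, got '$NdesFingerprint'"
    }

    # Split into byte pairs and join them with ':'.
    $pairs = for ($i = 0; $i -lt $hex.Length; $i += 2) { $hex.Substring($i, 2) }
    return ($pairs -join ':')
}

# Constructed sample value (not a real CA fingerprint):
ConvertTo-IgelFingerprint '0A1B2C3D 4E5F6071 8293A4B5 C6D7E8F9'
```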
  • Finally, in the SCEP section, we must add the SCEP server URL in this format: "http://myserver.mydomain.com/certsrv/mscep".
  • Add the "Challenge Password" shown in the last screenshot, from your NDES web interface.
  • Fill in the certificate renewal period you have configured.
  • Add the Certificate Expiry Check Intervals.

Now the IGEL profile side is done.

Once it is applied, we need to make the certificate request. I will show you here how to do it manually, but I also have a script for this.

1) Open an SSH session or a terminal session on the IGEL device. The certificates are stored in this path:

/wfs/scep_certificates/cert0/

2) First we check the CA status with the following command:

scep_getca 0

3) Now we generate the SCEP request:

scep_mkrequest 0

You should see a new file named client.csr

4) Finally we enroll the certificate:

scep_enroll 0

We can check that we now have client.cert.

But you will be wondering how we put it all together, so here we go.

Well, we are going to create an AD user with the same name as the hostname of the computer we want to connect to NDES.

So, for example, we want to connect a device named "PORTATDANPROBAK".

For easier administration, we create a new OU named SCEP (for example).

Here we are going to store all the users (devices).

So basically, if we do it manually, we have to follow these steps:

  1. Make the certificate request on the IGEL device.
  2. Create a USER account in AD with the same NetBIOS hostname as the device.
  3. Set a complex password on this USER account.
  4. Remove or add the AD groups needed.
  5. Copy the client.cert file to any AD-accessible share.
  6. Map the client.cert file to the AD USERNAME (device).

Now, if everything is configured correctly, you can see your IGEL device connected to your corporate Wi-Fi.

I have created a PowerShell script to automate most of this.

The requirements for the script are the following:

  • The folder c:\apps\putty with all the PuTTY executables (plink.exe and pscp.exe are used).
  • The Quest.ActiveRoles.ADManagement snap-in (Quest AD cmdlets).

Param(
    [string]$computername = (Read-Host "Enter Igel Device IP"),
    [string]$cred         = "root",
    [string]$pscppath     = "c:\Apps\Putty\pscp.exe",
    [string]$plinkpath    = "c:\Apps\Putty\plink.exe"
)

# Builds a random password of $length characters drawn from $sourcedata
function GET-Temppassword() {
    Param(
        [int]$length = 10,
        [string[]]$sourcedata
    )
    $TempPassword = ""
    For ($loop = 1; $loop -le $length; $loop++) {
        $TempPassword += ($sourcedata | Get-Random)
    }
    return $TempPassword
}

# Import the Quest AD snap-in (New-QADUser, Get-QADUser, ...) and the
# ActiveDirectory module (Set-ADUser, Get-ADGroup, Set-ADObject)
Add-PSSnapin Quest.ActiveRoles.ADManagement
Import-Module ActiveDirectory

# Credentials in clear text, used by the plink/pscp commands on the device.
$linuser = $cred
$linpass = "yoursshpass"

# First connection: "echo yes" accepts the device's SSH host key
iex "echo yes | cmd /c $plinkpath -pw $linpass ${linuser}@${computername} hostname"

Invoke-Expression @"
#1.   Delete any previously generated request
cmd /c $plinkpath -pw $linpass ${linuser}@${computername} rm -rf /wfs/scep_certificates/cert0/*

#2.   Check CA
cmd /c $plinkpath -pw $linpass ${linuser}@${computername} scep_getca 0

#3.   Generate SCEP Request
cmd /c $plinkpath -pw $linpass ${linuser}@${computername} scep_mkrequest 0

#4.   Enroll Certificate
cmd /c $plinkpath -pw $linpass ${linuser}@${computername} scep_enroll 0
"@

# Copy the certificate to a shared folder, named after the device hostname
$srcfolder = "/wfs/scep_certificates/cert0/client.cert"
$desfolder = '\\shareserver\share\Certif\wifis\'
$name = (iex "echo y | cmd /c $plinkpath -pw $linpass ${linuser}@${computername} hostname") -join ''
$name = $name.Trim()
iex "cmd /c ${pscppath} -pw ${linpass} ${linuser}@${computername}:${srcfolder} ${desfolder}$name.cer"

# Generate the AD user password: 25 random printable ASCII characters (33..126)
$ascii = $NULL; For ($a = 33; $a -le 126; $a++) { $ascii += ,[char][byte]$a }
$password = GET-Temppassword -length 25 -sourcedata $ascii

# User creation: recreate the account if it already exists
if ((Get-QADUser $name) -ne $null) {
    Write-Host "Removing user $name because it already exists."
    Remove-QADObject -Identity $name -Force
    # Sleep 15 because sometimes the AD controller is slow to replicate changes
    Start-Sleep -Seconds 15
}

New-QADUser -Name $name -ParentContainer 'OU=SCEP,OU=Users,DC=your,DC=domain,DC=com' -SamAccountName $name -UserPassword $password
Start-Sleep -Seconds 15

Set-ADUser -Identity $name -CannotChangePassword:$true -PasswordNeverExpires $true
Start-Sleep -Seconds 15

# Change the user's primary group to the wireless SCEP group; after that we remove "Domain Users".
$group    = Get-ADGroup "Remote Access Policy - Wireless Computers SCEP"
$groupSid = $group.SID
# primaryGroupID holds the RID, i.e. the last component of the group SID
$GroupID  = $groupSid.Value.Substring($groupSid.Value.LastIndexOf("-") + 1)
Get-ADUser $name | Set-ADObject -Replace @{primaryGroupID = "$GroupID"}
Start-Sleep -Seconds 10

# Remove "Domain Users", in case somebody tries to use this account to log on.
Remove-QADMemberOf -Identity $name -Group "Domain Users"

Write-Host "!!!! IMPORTANT !!!!"
Write-Host "Remember to add the certificate located in \\shareserver\share\Certif\wifis\ to the user $name created in the OU SCEP"
Write-Host

This is the script we use with our staff when they prepare a laptop. Maybe it is not well scripted, but it is enough for us.
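An added example, not the post's script, showing how the same enrollment chain can be driven over plink with the device's SSH host key pinned (instead of piping "yes" into plink), the root password read from a prompt instead of a literal in the script, and each step checked before the next one runs. It assumes the PuTTY path from the post and a host-key fingerprint you recorded from a trusted first connection; $DeviceIp, $HostKeyFingerprint and Invoke-IgelSsh are hypothetical names:

```powershell
# Added example (not the original post's script). Assumes plink.exe at the path
# below and a host-key fingerprint recorded from a trusted first connection.
param(
    [Parameter(Mandatory)][string]$DeviceIp,
    # Fingerprint in the form plink prints it (e.g. 'SHA256:...'); placeholder only
    [Parameter(Mandatory)][string]$HostKeyFingerprint,
    [string]$PlinkPath = 'c:\Apps\Putty\plink.exe'
)

# Ask for the root password instead of keeping it as a literal in the script.
$cred = Get-Credential -UserName 'root' -Message 'IGEL root password'
$pw   = $cred.GetNetworkCredential().Password

function Invoke-IgelSsh {
    param([Parameter(Mandatory)][string]$Command)
    # -batch: never prompt, so an unknown host key aborts instead of being accepted;
    # -hostkey: only the pinned key is trusted, so a spoofed device fails here.
    # -pw is still visible in the process list; newer PuTTY releases offer -pwfile.
    $out = & $PlinkPath -batch -ssh -l $cred.UserName -pw $pw `
        -hostkey $HostKeyFingerprint $DeviceIp $Command 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "'$Command' failed on $DeviceIp (exit $LASTEXITCODE): $out"
    }
    return $out
}

# Same four steps as the post's script, each checked before the next runs.
$certDir = '/wfs/scep_certificates/cert0'
Invoke-IgelSsh "rm -f $certDir/*"             | Out-Null
Invoke-IgelSsh 'scep_getca 0'                 | Out-Null
Invoke-IgelSsh 'scep_mkrequest 0'             | Out-Null
Invoke-IgelSsh "test -s $certDir/client.csr"  | Out-Null   # request really exists
Invoke-IgelSsh 'scep_enroll 0'                | Out-Null
Invoke-IgelSsh "test -s $certDir/client.cert" | Out-Null   # a certificate was issued

# Only now is it worth creating the matching AD user (the post's next steps).
$name = ([string](Invoke-IgelSsh 'hostname')).Trim()
Write-Host "Enrolled device $name; client.cert is in $certDir"
```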

Comments (6)

  1. Some really quality articles on this web site , saved to bookmarks . Roseanna Horace Schug

  2. Do I have to perform the certificate request on every Igel TC or do I need an individual certificate and ad user per IGEL?

    • Yes, you need to perform the request on every Igel TC. We do it with a script, just connecting to the network and entering the TC IP address.

  3. Many thanks for the instructions,
    Unfortunately, I cannot create any users because a computer account with the same name already exists for printer management. At the moment I have the error that the Radius server cannot find the user and the IGEL cannot authenticate with the WLAN.
    Do you have any IDEA?
