Monday, August 22, 2016

802.1x WiFi Profile for the AppleTV (3rd Generation)

Finally figured out the profile requirements to get an AppleTV (3rd gen) working with 802.1x wireless authentication. We use Aruba ClearPass, which authenticates against Windows Active Directory. We did this as of 15 Aug 2016.

Requirements:
  • Apple computer with Apple Configurator 2 installed (we used v2.2.1 (3C72))
  • Apple TV (3rd gen)
  • USB cable (standard USB-A to micro-USB)
Steps:
  • Plug the micro-USB end into the AppleTV and open the Apple Configurator 2 application on the Apple computer
  • Create a new profile, following the screenshots in the PDF below
  • Push the profile to the AppleTV
  • Test
Notes:
  • Note that we had to select "MSCHAPv2" as the inner authentication after choosing "TTLS" on the WiFi profile
  • You probably only need your Root CA and Intermediate CA certificates (in our case DigiCert)
    • As a precaution, I also included our local AD root CA and our ClearPass certificate
  • Many forums I read stated you need your Root CA *and* your Intermediate CA (to complete the trust chain)
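The PDF carries the profile as screenshots; the same thing can be expressed as the .mobileconfig plist that Apple Configurator 2 pushes. The script below is an added example, not the author's profile or Apple's code: it builds a profile with TTLS, MSCHAPv2 inner authentication, the CA payloads pinned as trust anchors, and the RADIUS server name pinned so the device only trusts the intended ClearPass certificate. The SSID, server name, reverse-DNS identifiers and certificate bytes are constructed placeholders to be replaced with your own values.

```python
"""Build an 802.1X Wi-Fi .mobileconfig (TTLS + MSCHAPv2, pinned CA anchors)
with only the Python standard library. Added example with placeholder values."""
import plistlib
import uuid

# Constructed placeholder DER blobs; replace with the real DER bytes of your
# Root CA and Intermediate CA, e.g. open("DigiCertRoot.cer", "rb").read().
CONSTRUCTED_CA_CERTS = {
    "Example Root CA": b"CONSTRUCTED-DER-ROOT-CA",
    "Example Intermediate CA": b"CONSTRUCTED-DER-INTERMEDIATE-CA",
}

EAP_TTLS = 21  # IANA EAP method type for EAP-TTLS


def new_uuid():
    return str(uuid.uuid4()).upper()


def cert_payload(name, der_bytes):
    """Root-certificate payload; the Wi-Fi payload pins to its PayloadUUID."""
    pid = new_uuid()
    return {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.cert." + pid,  # hypothetical identifier
        "PayloadUUID": pid,
        "PayloadDisplayName": name,
        "PayloadContent": der_bytes,  # plistlib emits bytes as <data> (base64)
    }


def wifi_payload(ssid, anchor_uuids, trusted_server_names):
    """Wi-Fi payload for TTLS with MSCHAPv2 inner auth and pinned CA anchors."""
    pid = new_uuid()
    return {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi." + pid,  # hypothetical identifier
        "PayloadUUID": pid,
        "PayloadDisplayName": "Wi-Fi " + ssid,
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        "EncryptionType": "WPA",  # WPA/WPA2 Enterprise once EAP config is present
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [EAP_TTLS],
            "TTLSInnerAuthentication": "MSCHAPv2",
            # Only RADIUS servers whose chain ends in one of these payloads are trusted.
            "PayloadCertificateAnchorUUID": list(anchor_uuids),
            # The server certificate's name must match one of these.
            "TLSTrustedServerNames": list(trusted_server_names),
            # Do not let the user accept an untrusted RADIUS certificate by hand.
            "TLSAllowTrustExceptions": False,
            # UserName / UserPassword omitted: add them for a shared device
            # account, otherwise the device prompts for credentials.
        },
    }


def build_profile(ssid, ca_certs, trusted_server_names):
    """Top-level profile: certificate payloads first, then the Wi-Fi payload."""
    certs = [cert_payload(name, der) for name, der in ca_certs.items()]
    anchors = [c["PayloadUUID"] for c in certs]
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi-8021x",  # hypothetical identifier
        "PayloadUUID": new_uuid(),
        "PayloadDisplayName": "802.1X Wi-Fi (TTLS/MSCHAPv2)",
        "PayloadContent": certs + [wifi_payload(ssid, anchors, trusted_server_names)],
    }


def profile_xml(profile):
    """Serialise to the XML plist that Apple Configurator expects."""
    return plistlib.dumps(profile).decode("utf-8")


def load_profile(xml_text):
    """Parse a profile back, e.g. to inspect one exported from Configurator."""
    return plistlib.loads(xml_text.encode("utf-8"))


if __name__ == "__main__":
    prof = build_profile("CorpWiFi", CONSTRUCTED_CA_CERTS, ["radius.example.com"])
    with open("wifi-8021x.mobileconfig", "w") as fh:
        fh.write(profile_xml(prof))
    print(profile_xml(prof))
```

Pinning both the anchor UUIDs and TLSTrustedServerNames is what stops the device from completing the TTLS tunnel with an arbitrary server presenting any DigiCert-issued certificate; with TLSAllowTrustExceptions off there is no prompt for the user to accept a wrong one.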
References:
Apple 802.1x White Paper:
http://training.apple.com/pdf/WP_8021X_Authentication.pdf

Apple Configurator 2:
https://itunes.apple.com/us/app/apple-configurator-2/id1037126344?mt=12

Identify your Apple TV model:
https://support.apple.com/en-us/HT200008

PDF of profile screenshots here:
https://drive.google.com/file/d/0B5ttjkGSReNeVEZqb1BheVczQ3c/view?usp=sharing


Sunday, February 14, 2016

Separate DNS Servers for Network Groups at Home - Working DHCP Conf File

I needed a way to hand OpenDNS out to my kids' devices to filter their limited Internet usage.

Using an OpenSUSE Leap Linux VM on an ESXi chassis, I created a DHCP scope that does just this.

Only "known-clients" are given 8.8.8.8 for DNS. Known-clients are those with static MAC-address entries in the conf file. "Unknown-clients" are everyone else (not listed with a static MAC address).

Note: I had to use the "allow" and "deny" statements (in both pools) to get this to work.

Note: The firewall only allows certain devices to reach any public DNS. The children's devices are limited to DNS queries to OpenDNS only (even if a static IP is assigned).

option domain-name "home";
option routers 10.12.14.16;
option ntp-servers 0.pool.ntp.org;
default-lease-time 345600;
ddns-update-style none;
subnet 10.12.14.0 netmask 255.255.255.0 {
  default-lease-time 345600;
  max-lease-time 604800;
  # Any host with a "hardware ethernet" entry counts as a known client.
  host iPhone {
    option domain-name-servers 8.8.8.8, 8.8.4.4;
    hardware ethernet xx:xx:xx:xx:xx:xx;
    # Caution: 10.12.14.2 is also the first address of the LowRange pool below.
    # dhcpd does not exclude fixed addresses from dynamic ranges, so keep
    # fixed-address entries outside the pool ranges (or start the pool at .3).
    fixed-address 10.12.14.2;
  }
  # Known clients (static MAC entries): unfiltered public DNS
  pool { # id="LowRange"
    option domain-name-servers 8.8.8.8, 8.8.4.4;
    range 10.12.14.2 10.12.14.24;
    deny unknown-clients;
    allow known-clients;
  }
  # Everyone else: OpenDNS only
  pool { # id="highRange"
    option domain-name-servers 208.67.222.222, 208.67.220.220;
    allow unknown-clients;
    range 10.12.14.25 10.12.14.240;
    deny known-clients;
  }
  # Known clients without a fixed address still take an address from LowRange.
  host IBMETH {
    hardware ethernet xx:xx:xx:xx:xx:xx;
  }
  host JiPad {
    hardware ethernet xx:xx:xx:xx:xx:xx;
  }
}
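The known/unknown split above only works if every trusted device really has a MAC entry, the pools carry both allow and deny statements, and no fixed address sits inside a dynamic range. The script below is an added example, not part of the original post and not an ISC tool: it parses the subset of dhcpd.conf syntax used in the post (subnet, pool, host, range, fixed-address, hardware ethernet, option domain-name-servers, allow/deny) and reports which DNS servers each pool hands out and which of those conditions fail. The embedded config is the post's subnet block with its placeholder MACs; the OpenDNS set is the one from the post.

```python
"""Lint the DNS split in a dhcpd.conf: pools, admitted clients, fixed-address
collisions. Added example; handles only the statements used in the post."""
import ipaddress
import re

# The subnet block from the post, reproduced with its placeholder MACs.
POST_CONF = """
subnet 10.12.14.0 netmask 255.255.255.0 {
  default-lease-time 345600;
  max-lease-time 604800;
  host iPhone {
    option domain-name-servers 8.8.8.8, 8.8.4.4;
    hardware ethernet xx:xx:xx:xx:xx:xx;
    fixed-address 10.12.14.2;
  }
  pool { # id="LowRange"
    option domain-name-servers 8.8.8.8, 8.8.4.4;
    range 10.12.14.2 10.12.14.24;
    deny unknown-clients;
    allow known-clients;
  }
  pool { # id="highRange"
    option domain-name-servers 208.67.222.222, 208.67.220.220;
    allow unknown-clients;
    range 10.12.14.25 10.12.14.240;
    deny known-clients;
  }
  host IBMETH { hardware ethernet xx:xx:xx:xx:xx:xx; }
  host JiPad { hardware ethernet xx:xx:xx:xx:xx:xx; }
}
"""

# Resolvers the unknown-clients pool may hand out (OpenDNS, as in the post).
FILTERED_DNS = {"208.67.222.222", "208.67.220.220"}


def tokenize(text):
    """Drop # comments, then split into words and the structural tokens { } ;"""
    text = re.sub(r"#[^\n]*", "", text)
    return re.findall(r"[{};]|[^\s{};]+", text)


def parse(tokens):
    """Return [(words, body_or_None)]; a block statement carries its parsed body."""
    stmts, words, i = [], [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == ";":
            stmts.append((words, None))
            words = []
        elif tok == "{":
            depth, j = 1, i + 1
            while depth:  # advance j past the matching close brace
                depth += {"{": 1, "}": -1}.get(tokens[j], 0)
                j += 1
            stmts.append((words, parse(tokens[i + 1:j - 1])))
            words, i = [], j
            continue
        else:
            words.append(tok)
        i += 1
    return stmts


def analyze(conf_text, filtered_dns=FILTERED_DNS):
    """Collect pools and hosts, then flag what silently breaks the DNS split."""
    pools, hosts, warnings = [], [], []

    def walk(stmts):
        for words, body in stmts:
            if not words:
                continue
            if words[0] == "pool" and body is not None:
                pool = {"dns": [], "range": None, "allow": [], "deny": []}
                for w, _ in body:
                    if w[:2] == ["option", "domain-name-servers"]:
                        pool["dns"] = [x.rstrip(",") for x in w[2:]]
                    elif w[0] == "range":
                        pool["range"] = (ipaddress.ip_address(w[1]), ipaddress.ip_address(w[-1]))
                    elif w[0] in ("allow", "deny"):
                        pool[w[0]].append(" ".join(w[1:]))
                pools.append(pool)
            elif words[0] == "host" and body is not None:
                host = {"name": words[1], "mac": None, "fixed": None}
                for w, _ in body:
                    if w[:2] == ["hardware", "ethernet"]:
                        host["mac"] = w[2].lower()
                    elif w[0] == "fixed-address":
                        host["fixed"] = ipaddress.ip_address(w[1])
                hosts.append(host)
            elif body is not None:
                walk(body)  # descend into subnet / shared-network blocks

    walk(parse(tokenize(conf_text)))
    for h in hosts:
        if h["mac"] is None or h["mac"].startswith("xx"):
            warnings.append(f"host {h['name']}: no real MAC, never matches as a known client")
        for p in pools:
            if h["fixed"] and p["range"] and p["range"][0] <= h["fixed"] <= p["range"][1]:
                warnings.append(f"host {h['name']}: fixed-address {h['fixed']} lies inside "
                                f"dynamic range {p['range'][0]}-{p['range'][1]}")
    for p in pools:
        if "unknown-clients" in p["allow"] and not set(p["dns"]) <= filtered_dns:
            warnings.append(f"pool {p['range']}: unknown clients get unfiltered DNS {p['dns']}")
        if not (p["allow"] and p["deny"]):
            warnings.append(f"pool {p['range']}: needs both an allow and a deny statement")
    return {"pools": pools, "hosts": hosts, "warnings": warnings}


if __name__ == "__main__":
    for line in analyze(POST_CONF)["warnings"]:
        print("WARNING:", line)
```

Run against the post's config it reports the three placeholder MACs and the iPhone's fixed address sitting inside the LowRange pool; the placeholder warnings disappear once real MACs are filled in, and the range warning once the fixed address is moved outside 10.12.14.2-24. Note that the DHCP side only influences which resolver a client is told to use; as the post says, the firewall is what actually stops a device with a hand-set DNS server from reaching anything but OpenDNS.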