Skip to main content

Hi everyone,



I am having some problems on Configuration Profiles for 802.1x EAP-TLS. I would really appreciate some suggestions.



Currently, we are using two Configuration Profiles for the same SSID.
CP1: A "Computer level" profile that obtains a computer certificate from SCEP, obviously the computer certificate is stored in the system keychain.
CP2: A "User level" profile that obtains a user certificate from SCEP, which is stored in the login keychain.



Before a user logs in for the first time, CP1 is used to connect to WiFi. After a user logs in, CP2 installed and authenticate again using user certificate, which changes the IP address to another vlan according to user group in AD. The problem is after reboot, there is no more WiFi connection at login window. Seems CP2 overwrites CP1 so at login window, the computer is trying to apply CP2 which uses user certificate in the login keychain that is not available before user login.



I have tried the following but no luck:
1. tick the box "Use as a Login Window configuration" for CP1 (this option is not available for CP2) but it doesn't help.
2. I have also tried to modify CP2 to store the user certificate in system keychain, but whenever a user (say, IT admin) logs into a computer, his/her user certificate gets installed in system keychain, then other users in that computer can use that IT admin user's certificate to access our IT network - not good.
3. I have also tried using two different SSIDs for CP1 and CP2, but Mac seems to stick to the WiFi available on login screen (i.e., CP1), and does not switch to the SSID specified in CP2 after user logs in...



I believe I must missed something.. Really appreciate some suggestions.



Many thanks.



Cheers,
Jeffrey

:bump: for what it's worth... I am experiencing a similar issue where CP1 appears to be forgotten once CP2 user config is used. However, we use ttls along with root certs for both cp1 and cp2.

@bytea and @rickwhois



Im pretty sure there is a document somewhere stating Macs dont so both Machine and User auth. I struggled with this for quite a while. I tried looking for the documents but from my previous posts I found these two answers both conflicting:
"It’s possible to use System Mode and Login Window Mode together."
"If you have configured a System profile in your location, do not add a User or Login Window profile to that same location."



both of these from Apple documentation.....

I have the Apple whitepaper that @BOBW is talking about, found my old google link or I can post a direct link to the pdf here. I have been using system mode and login window mode profile since last year (WPA2 Ent,EAP-TLS,PEAP), as per @BOBW 's post it appears there may be a problem with adding additional profiles "If you have configured a System profile in your location, do not add a User or Login Window profile to that same location".

@BOBW and @LSinNY



Great discussion!



I think it is true that "System Mode" can be used in Login Window because in "System Mode" the configuration is stored in system keychain. On the other hand, seems we cannot use both System Profile and User Profile in the same location for the same SSID, right? If anyone has success in doing this please let us know. Much appreciated!

Hi @bytea / @BOBW 

We're looking at achieving the same setup that @bytea described in their original post.  Just wondering if you've had any success in this following your original messages?

 

Thanks

Hi Everyone,

I solved the 802.1x problem. You can contact me here to find out how to solve the problem.

Hi Everyone,

I solved the 802.1x problem. You can contact me here to find out how to solve the problem.


Why not just post it here for everyone to benefit?

Why not just post it here for everyone to benefit?


Hi,

Actually, I made the necessary explanations under a similar discussion title. I didn't want to write here again. Let me share its link with you.

Why not just post it here for everyone to benefit?


https://community.jamf.com/t5/jamf-pro/802-1x-machine-authentication-pre-login/m-p/301655#M265273

Hi,

 

If you switch to Aruba Central Cloud, this solution will not work for you. Because in cloud architecture, there is no option to download a profile to the system. I requested a feature request for this. I hope they make this happen.

Reply


Terms & ConditionsCookie settings