
This might be a stupid question, but when I create a profile via JSS for Ethernet with PEAP authentication and check the box for "Use Directory Authentication", then click save and go back to edit the profile, the checkbox is unchecked. Therefore when I export the profile it doesn't work, saying missing parameter "UserPassword".



I spun up JSS 9.2 in a test lab and tried to create the profile there. The checkbox does save, but there are no fields to type in $COMPUTERNAME that worked in 8.x, and once again the profile won't work.



Currently we have a script that we use to fill in computer name and password at run time before importing the profile, which works. I'm hoping to get away from relying on a script to accomplish this.



Almost identical profile for WIFI works without any issues.



I tried this in JSS 8.64 as well as 8.73.



Using profiles generated via JSS 8.64, 8.73, 9.2 I keep getting:
Authenticating: can't prompt for missing properties <array> {
0: UserPassword
}

Yeah, you don't want to fill in the system's password, won't that change often?



Anyways, here is what my 802.1x PEAP directory authentication profile looks like. Running it in System mode means you should not need a username or password.



<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>AuthenticationMethod</key>
            <string>directory</string>
            <key>AutoJoin</key>
            <true/>
            <key>EAPClientConfiguration</key>
            <dict>
                <key>AcceptEAPTypes</key>
                <array>
                    <integer>25</integer>
                </array>
                <key>OneTimeUserPassword</key>
                <false/>
                <key>SystemModeCredentialsSource</key>
                <string>ActiveDirectory</string>
                <key>TTLSInnerAuthentication</key>
                <string>MSCHAPv2</string>
                <key>UserName</key>
                <string></string>
                <key>UserPassword</key>
                <string></string>
            </dict>
            <key>EncryptionType</key>
            <string>Any</string>
            <key>HIDDEN_NETWORK</key>
            <false/>
            <key>Interface</key>
            <string>FirstActiveEthernet</string>
            <key>PayloadDisplayName</key>
            <string>Ethernet 1</string>
            <key>PayloadEnabled</key>
            <true/>
            <key>PayloadIdentifier</key>
            <string>com.company.wired8021xconf</string>
            <key>PayloadType</key>
            <string>com.apple.firstactiveethernet.managed</string>
            <key>PayloadUUID</key>
            <string>bcfc0490-c46e-012f-52da-442c030cc3db</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>ProxyType</key>
            <string>None</string>
            <key>SetupModes</key>
            <array>
                <string>System</string>
            </array>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Wired 802.1x Profile for wired networks</string>
    <key>PayloadDisplayName</key>
    <string>Wired 802.1x</string>
    <key>PayloadIdentifier</key>
    <string>com.company.wired8021x</string>
    <key>PayloadOrganization</key>
    <string>Company, Inc.</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>8b825110-c46e-012f-52d8-442c030cc3db</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

You're not crazy; that's broken in 8.X (but it works in 9.X). BTW, that field only works for computer auth if you're using Apple's built-in AD plugin (if you have Thursby or Centrify, computer auth won't work, but user auth will).


@alexjdale - Thank you, your plist helped me find exactly what I was missing.



<key>AuthenticationMethod</key>
<string>directory</string>



and



<key>SystemModeCredentialsSource</key>
<string>ActiveDirectory</string>



It works now 🙂



@JPDyson - Didn't work in 9.2 for me.
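
Added example, not code from any poster in this thread: a small Python check that a .mobileconfig carries the settings the thread identifies for system-mode directory authentication (AuthenticationMethod, SystemModeCredentialsSource, and System in SetupModes). The helper name lint_profile and the trimmed SAMPLE profile are constructed for illustration, and treating a non-empty UserPassword as a finding is an assumption based on the advice above not to fill in the system's password.

```python
import plistlib

# Constructed sample: a trimmed copy of the Ethernet payload posted in the thread.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PayloadContent</key><array><dict>
  <key>AuthenticationMethod</key><string>directory</string>
  <key>EAPClientConfiguration</key><dict>
    <key>AcceptEAPTypes</key><array><integer>25</integer></array>
    <key>SystemModeCredentialsSource</key><string>ActiveDirectory</string>
    <key>UserName</key><string></string>
    <key>UserPassword</key><string></string>
  </dict>
  <key>PayloadType</key><string>com.apple.firstactiveethernet.managed</string>
  <key>SetupModes</key><array><string>System</string></array>
</dict></array>
</dict></plist>"""


def lint_profile(data: bytes) -> list[str]:
    """Return findings for each 802.1X payload in a profile (hypothetical helper)."""
    findings = []
    profile = plistlib.loads(data)
    for i, payload in enumerate(profile.get("PayloadContent", [])):
        eap = payload.get("EAPClientConfiguration")
        if not isinstance(eap, dict):
            continue  # not an 802.1X payload, nothing to check
        tag = f"payload {i} ({payload.get('PayloadType', '?')})"
        # System mode is what lets the machine authenticate without a user prompt.
        if "System" not in payload.get("SetupModes", []):
            findings.append(f"{tag}: SetupModes lacks System")
        # The two keys the original poster reported as missing.
        if payload.get("AuthenticationMethod") != "directory":
            findings.append(f"{tag}: AuthenticationMethod is not 'directory'")
        if eap.get("SystemModeCredentialsSource") != "ActiveDirectory":
            findings.append(f"{tag}: SystemModeCredentialsSource is not 'ActiveDirectory'")
        # Assumption: a password baked into the profile is reported, not accepted.
        if eap.get("UserPassword"):
            findings.append(f"{tag}: static UserPassword embedded in profile")
    return findings


if __name__ == "__main__":
    for line in lint_profile(SAMPLE) or ["no findings"]:
        print(line)
```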


Hi All Brother!
If I want to use 802.1x PEAP authentication with the certificate, what should I do in the mobileconfig file?
Anyone help, please.


Somewhat a newb in regards to 802.1x setups via JAMF. What is the best way to set this up in JAMF 10.2? It looks to have been removed since 9. Scripting? Any help appreciated.


I do not have the JAMF program, so if you have any mobileconfig help, send it to me.
Thanks,


@Samdy It doesn't work like that. No one is going to give you a copy of the mobileconfig for accessing their protected network. That's like asking someone for their house keys so you can modify it to fit your house. Not only that, but the specifics of the configuration will depend on how your network is configured: Servers, certificates, IDs, passwords, etc. You should work with your network engineers to find out the details of what is needed to connect to your network. Since you do not have JamfPro, then you will need to look into Apple's Profile Manager to see where you can input the settings your network team gave you.


@AVmcclint You are so stupid. No one gives the specifics of the configuration mobileconfig files to someone. If you give someone the specifics of the configuration it means you are crazy, but if you are kind you will give a file that is customized to someone who doesn't know how to create a mobileconfig file.
I have no idea what you guys think.


Well, I'm sure he will give it to you now.