In my experience, clicking the Connect button for 802.1x will always cause it to ask for credentials/certificate, even if you already have them specified in the payload and keychain. It's absolutely terrible behavior. You pretty much have to create a profile that connects automatically.
That was our expected behavior for it to connect automatically. It has been working up until the upgrade to the latest JSS.
Rather than use the connect button, what happens when you toggle wifi off and then back on?
It looks like it attempts to connect but fails, almost as if it doesn't know what cert to use to authenticate.
I would check the system log for the failed connection. There may be an error you can resolve (something like an untrusted issuing CA cert).
I was having this issue with 9.5 and 9.61. I was told it was fixed in 9.6.2.
That's hilarious... We were having nothing but luck with it on 9.6.1. 9.62 is what broke it for us.
Add us to the "Me too" list. We're running 9.62 and I discovered that any computers imaged under 9.62 have this problem. 802.1x connections for Ethernet do not work but our 802.1x connections for WiFi do work. All Macs imaged under 9.3 or earlier still work fine across the board and our Network engineers assure us they have made no changes to the infrastructure. One difference is that if we manually select which certificate to use, it still does not accept it. This is a showstopper for us. I've got 30 new Macs that I need to deploy but if they can't get on the network, they are useless.
Hope you guys are upgrading in a test environment before production so you're not dead in the water. Pretty much every upgrade we find something not working for us in the test environment...
Ugh, sadly not... We went straight to prod because of some of the fixes. Didn't realize it wasn't working until 4 days after the upgrade on the latest imaged machine.
Our current workaround is just to have the user log on through an ethernet dongle and manually connect to the 802.1x network. It's not a good workaround but it's allowing us to at least function.
Clarification for our situation: we have both WiFi and Ethernet configured in our Profile using the same 802.1x settings and the same AD certificate. The WiFi connection works just fine. The Ethernet connection keeps asking to pick a cert but it rejects the cert that we know is correct every time. Even tried the wrong cert with expected results.
Info on what I've done in an attempt to fix this:
- I cloned the existing Profile and added it to a test Mac. No change in behavior.
- I took screenshots of the existing Profile and manually built a new Profile with the same settings that have always worked before. Added it to another test Mac. Still no change in behavior.
- I've watched the System.log on the client machines as we attempt to connect to the LAN and the only thing it says about this problem is "en0 EAP-TLS: authentication failed with status 1"
- I've been told by the head of our networking team that no changes have been made to the 802.1x infrastructure.
- Up until today I have made ZERO changes to the Profile that had been working fine up until one of the recent JSS updates. For the record, we are running JSS 9.62.
Add me as a me, err not!?
In other words, we're not seeing issues with our 802.1x wireless profile deploying or being used since updating to 9.62.
It just works as it did before.
JAMF needs to perform better QA. I agree every upgrade there is always something new and many of those issues you cannot see if related to load in your test environment. 9.61 had a fv key escrow and an issue updating the computer denormalized tables so searches for systems that did not were not encrypted as per the report, if you went to the computer record it would show encrypted. 9.62 fixed this. But JAMF is on par with Apple in that stability for us comes usually in a .2 release :(
Has this been resolved in 9.63?
If people are still having issues, might be worth packaging up the mobile config file with the 802.1x pieces in it, installing it as a package during imaging, and then manually install the mobile config as part of an at reboot script during imaging (using Apple's profiles command).
Edit: After install, you can remove the file as part of the at reboot script
What I had to end up doing is making a brand new profile with the same settings. I thought "cloning" the profile would essentially be the same thing, but the new profile worked instantly. JAMF support thought this was due to a "corrupt" profile, but I am not quite sure how that happens.
Hi All,
I am also experiencing a similar issue. The way our network is set up is as follows:
- Separate Profile on all wireless computers that connects the Login Window to our hidden management network.
- 802.1X Profile allows users to connect using AD credentials and transfers them to the correct wireless network and VLAN (Staff/Student).
I have got all this working again after some initial issues. The problem we have now is if the computer goes to sleep, is shut or wifi is toggled on and off the computer does not reconnect to wifi just looks like it is trying to connect.
The only solution I have found is to log off the machine and back on again. This is obviously not a great workaround. We have teachers returning to school in a week and students in 2 weeks, has anyone come up with a workaround?
EDIT: We are running 9.62, was planning to upgrade to 9.63.
Thanks,
Will
So you need to make sure that the PayloadCertificateUUID in com.apple.wifi.managed payload matches the PayloadUUID from the com.apple.ADCertificate.managed. I build our configuration profiles manually so I am not sure how you would verify this in the JSS UI, but that was the key for us to make sure that the system knew what cert to use.
I see this for Ethernet connections, but our Wi-Fi configuration works.
Seeing the same thing - an 802.1x profile for WiFi and Ethernet and AD Certificate, created in 9.62 (JSS now updated to 9.63), works for WiFi, but the Ethernet configuration coming from the profile fails unless you specify a custom config, and choose the machine cert (and, in our case, enter host/ in the username field, leaving password blank). Once configured it works, but my suspicion is that the JSS is not properly generating the wired 802.1x profile...
Just ran into this on a machine recently upgraded to Yosemite. 802.1x Wi-Fi profile works no problem.
Connect to Ethernet and the Mac throws up "Select Configuration" and the drop down choices are Default Configuration, and the Ethernet and Wi-Fi configurations from managed profiles.
Ethernet profile doesn't work, but if you select the Wi-Fi profile Mac OS will then prompt you to select the certificate. You can then select the machine certificate, leave the username field blank, and click connect. The Mac then connects to Ethernet using the Wi-Fi 802.1x profile.
This seems to be a recurring bug in JAMF. I've had similar issues appear in a point release, go away with another, only to come back in a later point release. It would be really nice if this bug could be fixed and not added back to the source code in a later release. ;)
We had to make a change to our 802.1x wireless profile for 10.10, but others have too outside of the JSS.
Back with 10.8, I had to change the NPS settings for the clients to connect.. (But using the same profile).. Link below, perhaps there are other things at play?
https://macmule.com/2014/05/19/error-10-8-clients-not-connecting-to-eap-tls-wireless-with-w2k8-nps/
Hi, I'm having the same issue.
I had a profile with two payloads: AD certificate and 802.1x settings for wifi.
It worked.
Now I have to add also the 802.1x authentication on the Ethernet interface and when I connect the cable for the first time I have to manually select the wifi payload and machine certificate in order to successfully connect.
Any advice to automate this?
Thanks
Jack
I don't think you can craft a profile that will pull a certificate from another profile to use as identity credential. The certificate request payload and 802.1x payload selecting that certificate as a credential have to be in the same profile.
You might be able to add an AD certificate payload to your 802.1x wired profile such that the client will get 2 certificates but I am not sure. You may be relegated to manually selecting the identity credential on the interface that doesn't have the certificate payload.
There is also a bug in the jamf wired profile that the AD certificate is not passed as the identity credential. You'll have to create the profile in profile manager, sign it, and upload it as read only to the JSS.
Jack, you'll need to update your profile with a payload for wired ethernet in addition to wifi. It'll need to be in the same profile as the cert payload like Kaltsas said.
Also, watch out for issues with installing the profile with that payload. I'm not sure if Apple has fixed the bug, but in Mavericks and Yosemite, if the Mac didn't have a built-in ethernet port or a wired ethernet adapter actually plugged in the profile would fail to install if it contained a wired ethernet 802.1x payload.
I've always generated these profiles using Profile Manager on OS X Server, and as long as I avoid the missing ethernet port situation, I've never had any problems with it.
The other option would be to use the security command in a script to create the identity preference for wired ethernet in the keychain manually. You'd need to know the hash or common name of the certificate to use for auth to do that.
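Two posts above describe the same requirement: the 802.1x payload's PayloadCertificateUUID must match the PayloadUUID of the certificate payload, and both must sit in the same profile. The following is an added example, not code from any poster or from JAMF, that checks an unsigned .mobileconfig for that link before deployment. The sample profile is constructed, and the wired payload type `com.apple.firstactiveethernet.managed` and the extra identity types are assumptions beyond what the thread names.

```python
import plistlib

# Payload types that can supply an identity; the first is the one named in the thread.
IDENTITY_TYPES = {
    "com.apple.ADCertificate.managed",
    "com.apple.security.pkcs12",
    "com.apple.security.scep",
}
EAP_TLS = 13  # EAP method number for EAP-TLS


def check_identity_links(profile_bytes):
    """Return (PayloadType, problem) for every payload whose 802.1x identity is unresolved."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    by_uuid = {p.get("PayloadUUID"): p for p in payloads}
    findings = []
    for p in payloads:
        eap = p.get("EAPClientConfiguration") or {}
        ref = p.get("PayloadCertificateUUID")
        if ref is None:
            # EAP-TLS needs a client identity; no link means the OS must prompt for one.
            if EAP_TLS in eap.get("AcceptEAPTypes", []):
                findings.append((p.get("PayloadType"), "EAP-TLS without PayloadCertificateUUID"))
            continue
        target = by_uuid.get(ref)
        if target is None:
            findings.append((p.get("PayloadType"), "PayloadCertificateUUID not found in this profile"))
        elif target.get("PayloadType") not in IDENTITY_TYPES:
            findings.append((p.get("PayloadType"), "PayloadCertificateUUID points at a non-identity payload"))
    return findings


def sample_profile():
    """Constructed profile: Wi-Fi linked correctly, Ethernet missing the link."""
    eap = {"AcceptEAPTypes": [EAP_TLS]}
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadContent": [
            {"PayloadType": "com.apple.ADCertificate.managed",
             "PayloadUUID": "11111111-0000-0000-0000-000000000001"},
            {"PayloadType": "com.apple.wifi.managed",
             "PayloadUUID": "11111111-0000-0000-0000-000000000002",
             "PayloadCertificateUUID": "11111111-0000-0000-0000-000000000001",
             "EAPClientConfiguration": eap},
            {"PayloadType": "com.apple.firstactiveethernet.managed",
             "PayloadUUID": "11111111-0000-0000-0000-000000000003",
             "EAPClientConfiguration": eap},
        ],
    })


if __name__ == "__main__":
    for payload_type, problem in check_identity_links(sample_profile()):
        print(f"{payload_type}: {problem}")
```

A signed profile is CMS-wrapped and has to be unwrapped to the plain plist before `plistlib` can parse it.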