
Is it possible to tell the machine which certificate to use for Machine Authentication to the 802.1x Wifi?

When I first make the connection I get a pop up like this:

and the dropdown list contains these two choices - is-m-00112 is the machine cert.

Once selected and saved, this works. I'm trying to automate the setup so there doesn't need to be any user input.

@dlondon In the keychain look for an Identity preference that matches your SSID, i.e. when your SSID is "Unifi" that could be

com.apple.network.eap.user.identity.wlan.ssid.Unifi

You can set this by using the security CLI tool within a script; you need the CN and the Fingerprint (SHA-256) of the certificate in question.

To create an Identity preference for your example, that would be something like:

security set-identity-preference -c 'is-m-00112' -Z '<hash-here>' -s 'com.apple.network.eap.user.identity.wlan.ssid.Unifi'

The script you'll use should have checks and balances, so read about how the security CLI tool allows you to clean an existing identity preference, i.e.:

  1. get the CN for the local installed machine cert
  2. get the fingerprint of that cert i.e. use security get-identity-preference
  3. bail out if nothing there
  4. clean an existing IdentityPref (that may refer to an older cert)
  5. create IdentityPref, use security set-identity-preference ...provide values for CN, Fingerprint, SSID

Read some basics -> https://ss64.com/osx/security-id.html
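The five steps above, written out as one script. This is an added example, not code from the thread or from Apple; it assumes the machine cert sits in the System keychain, that the CN (e.g. is-m-00112) and the SSID (e.g. Unifi) are passed on the command line, and that the `-Z` option of the local `security` binary accepts a SHA-256 hash as the answer states (check `man security` on the target build). Only the keychain-touching parts need macOS; the helpers that build the service name and normalise the fingerprint are plain POSIX sh.

```shell
#!/bin/sh
# Added example (not from the thread): bind the machine certificate to the
# per-SSID EAP identity preference with the security CLI, in the order the
# answer above gives: find CN, get fingerprint, bail if absent, clean old
# preference, set new one. Assumptions: cert is in the System keychain,
# usage is  sudo sh set-eap-identity.sh --apply <SSID> <CN>
set -eu

SYSTEM_KEYCHAIN=/Library/Keychains/System.keychain

# Service name Apple uses for a per-SSID EAP identity preference.
identity_pref_service() {
    printf 'com.apple.network.eap.user.identity.wlan.ssid.%s\n' "$1"
}

# Turn openssl's "SHA256 Fingerprint=AB:CD:..." (or any colon-separated
# hash) into the bare upper-case hex string that security -Z expects.
normalize_fingerprint() {
    printf '%s\n' "$1" | sed 's/^.*=//' | tr -d ':' | tr 'a-f' 'A-F'
}

# Export the cert matching the CN as PEM and compute its SHA-256 fingerprint.
# Prints nothing when no such cert exists, so the caller can bail (step 3).
machine_cert_fingerprint() {
    pem=$(security find-certificate -c "$1" -p "$SYSTEM_KEYCHAIN" 2>/dev/null) || return 0
    [ -n "$pem" ] || return 0
    normalize_fingerprint "$(printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256)"
}

# Render the set-identity-preference call as a string for logging/dry-run.
build_set_command() {
    printf "security set-identity-preference -c '%s' -Z '%s' -s '%s'\n" "$1" "$2" "$3"
}

main() {
    ssid=$1
    cn=$2
    service=$(identity_pref_service "$ssid")
    fp=$(machine_cert_fingerprint "$cn")
    if [ -z "$fp" ]; then
        echo "no certificate with CN '$cn' in $SYSTEM_KEYCHAIN; leaving $service untouched" >&2
        exit 1
    fi
    # Step 4: drop a stale preference that may point at an older cert.
    # "Not found" is not an error here.
    security delete-identity-preference -s "$service" >/dev/null 2>&1 || true
    # Step 5: bind the current machine cert to the SSID.
    echo "running: $(build_set_command "$cn" "$fp" "$service")" >&2
    security set-identity-preference -c "$cn" -Z "$fp" -s "$service"
    # Read back the hash security stored, to confirm the binding took.
    security get-identity-preference -s "$service" -Z
}

# Only act when explicitly asked; sourcing the file just defines the helpers.
if [ "${1:-}" = "--apply" ]; then
    shift
    main "$@"
fi
```

Run it from a Jamf policy as root after the ADCS connector has delivered the cert; the non-zero exit when the CN is not found lets the policy report the failure instead of silently leaving the old preference in place.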


Thanks @h_stamerjohann - appreciate the help


What does your configuration profile look like? Also, where is that machine cert generated? It took some playing around to get our default template correct, but we auto join 2 wifi SSIDs (depending on where you're located). The SSID info, the AD certificate pulled from a cert issuing server, and then a root cert to trust that AD cert. We auto connect without issue. I have had problems getting Big Sur to auto-connect, but I'm early in my BS testing (yes, I know it's been out a while).


Hi @easyedc - yes, you are using the AD cert, and for some reason we went down the path of a machine cert created using an ADCS connector.

I have gone through the motions and set up a Configuration Profile using the AD Certificate item like you, but didn't get to the test stage as the network guys had already configured their rules/filters to handle the machine cert from the ADCS connector.

I did post the profile in https://www.jamf.com/jamf-nation/discussions/38530/802-1x-using-system-mode but here's a copy:

Great profile pic!