Skip to main content
Question

Has anyone connected a non-AD bound Mac to 802.1x Wi-Fi (System-Level)?

  • July 10, 2018
  • 3 replies
  • 49 views
russeller
Forum|alt.badge.img+16

I've been trying to slowly move away from binding my Macs to Active Directory and using tools like NoMAD. I want to be able to use SCEP in a ConfigurationProfile to request a cert with a challenge (pre-shared) password, but haven't been able to get it working. I'm looking to get the Mac connected (without using a users creds for shared computers) I get as far as the profile erring out with 

Unable to create X509 name from 'Subject' parts in SCEP payload

Has anyone got this working? Does it even work at all?

Here are the details of my macOS Configuration Profile:

macOS Configuration Profile

Level: Computer Level
Distribution: Automatic

Network Payload

Auto Join: Yes
Security Type: WPA2 Enterprise
Protocols: TLS
Identity Certificate: SCEP (Cert_Name)
QOS: Mark All Apps
Trusted Certificates: Root Internal CA

Certificate Payload

Certificates: Root CA

SCEP Payload

URL: http://path_to_ca.fqdn/certsrv/mscep/mscep.dll
Name: Cert_Name
Redistribute Profile: 14 Days
Subject: CN=$SERIALNUMBER $PROFILE_IDENTIFIER,OU=IT,O=Org_Name,L=City_Name,S=STATE_NAME,C=US
Subject Alternative Name: None
Challenge Type: Static
Retries: 3
Retry Delay: 3
Certificate Expiration Notification Threshold: 14
Key Size: 2048 (Admin set it to this in the Certificate Template)

    3 replies

    J
    Forum|alt.badge.img+11
    • JustDeWon
    • Contributor
    • July 11, 2018

    The best way that I got these to work was downloading the .mobileconfig profile and building it as a .pkg instead of a config profile. However, I wasn't getting the x509 error before I decided to go that route. The only time I saw that x509 error, is for AD bound machines, and the network team had to configure the customize attributes in the access-policy..

    russeller
    Forum|alt.badge.img+16
    • russeller
    • Author
    • Valued Contributor
    • July 11, 2018

    Thanks for the info @JustDeWon I forgot I had a policy in the JSS that was auto-rebinding Macs that were unbound during a check-in, so that was part of the issue. I finally got it working by downloading the Wi-Fi (SCEP) Configuration Profile I had for my iOS devices. Then, using the

    security cms -D -I /path/ios-wifi.mobileconfig | xmllint --format -

    command to export the data from the profile and creating a new .mobileconfig profile, changing all the uuid's with the uuidgen command to get different uuids for the profile (you could also just use the reverse dns naming), then I signed the profile with the

    security cms -S -N "[Signing Certificate]" -i "[input]" -o "[output]"

    command I got from this site. Now I just need to package it up and deploy it to my Macs and I can finally stop binding them to AD.

      J
      Forum|alt.badge.img+11
      • JustDeWon
      • Contributor
      • July 11, 2018

      @ssrussell , sounds good.. And that's similar to the way I do it on the Macs, I strip it first using the openssl smime -inform DER -verify -in /path/to/wifi.mobileconfig -noverify -out /path/to/wifi1.mobileconfig command...

      Then i convert it to a readable .plist using the plutil -convert xm1 /path/to/wifi1.mobileconfig command.. From there I'm able to create a package using composer and a post install script. I got this from here

      Good to know the command for iOS, as we don't have any iOS devices in JAMF as of now.

      Terms & ConditionsCookie settingsAccessibility statement