Help with 802.1x Wireless Payload

Are you using AD? If so try with the Checkbox on for Use Directory Authentication, and then leave the username and password fields blank.

You can also try to just leave the username and password fields blank anyways, and see if that gets you through.

I know that we are an EAP-FAST setup so I have that setup in ours. It will generally auto-check to use PAC with all those boxes checked under it.

Good Luck!

@qhle373

Yes we are using AD, sadly that fails and gives me the error "Authentication server is not responding".

Ah, I would check to make sure you have all of your network Certs in the config too. I saw that you have the Cisco one already. I've had to put 3 in ours because of our Aruba security. I've also added the Trusted Certificate Server names (duplicate names of the Trusted Certificates I have added in) to help along the process.

@qhle373

I've added the Cisco ACS5 certificate with the payload, the rest of the certificates are already trusted in the System Keychain (still fails). I'll talk with our Windows Sysadmin to get AD Certificates to pull down using a configuration profile, hopefully that smooths things over. I'll contact JAMF support if that fails.

I am currently using wpa2 enterprise, PEAP, and machine authentication with a handoff to the user credentials at login. The only difference I see is that I use directory authentication and not a service account. I am assuming you want the wireless to hand off authentication to the user when they log in? I also use the domain controller certs as well as our wireless cert(s) in our deployed config profile. Just to throw this out there, is your text box bound to the domain? Which OS are you working on? I have very easy success with 10.7 - 10.9 but earlier versions of 10.10 were a pain.

@pat.best

 I am assuming you want the wireless to hand off authentication to the user when they log in?

As in the end-user never gets prompted to enter Wi-Fi credentials? (iPads and Loaner Mac's)

Most of my tests were on OS X 10.10.3, I tried 10.9.5 which gave me the same results. And yes, all machines are bound to AD.

Even if it is trusted in their keychain already, you still need to add it into the configuration profile. It cannot pull a keychain item from a user that it has not authenticated yet. The config supplies that info to authentication server at that point.

@qhle373

When I manually sign into the Wi-Fi on a Mac (plain fashion way), it only asks me to trust the Cisco certificate. I'll give it a shot and reply back tomorrow!

to clarify, are AD users logging into the device? If so, do you want the typed login information to replace the machine authentication? That is the function of the "Use as a Login Window configuration" checkbox.

Just to chime in a me too...

I recently got this working on a handful of machines using WPA2 Enterprise and PEAP and directory authentication. I set up a login window profile so that AD users could authenticate wirelessly. To get it working I had to add both the wireless cert and domain controller cert to the profile. Once that was done they just started working (most of the time).

Lincoln

@pat.best

Yes AD users are logging on. But, I want the service account to be user throughout the session and not the user's information.

@Lincoln

I've added our CA and wireless cert, I still get the error "Authentication Server is not responding".

okay, so you will want to uncheck "Use as a login window configuration". You can use the AD service account or check the "use directory authentication" box". If you are using a service account I am pretty sure you don't need to specify the domain. Where I would go from here would be to dump all of the profiles from the test computer, remove any instance of your certs from all keychains, reboot, edit your configuration profile to include any domain controller and wireless authentication certs as well as the other settings discussed. Here are some screen shots describing how I have it in my mind:

@pat.best

Tried some more things, the Payload only works at the User Level. Whenever I switch it to the Computer Level, it fails to authenticate.

@Lincoln @pat.best

Odd question, would an expired wireless certificate be the reason this is failing?

I'm doing the same thing as @Abdiaziz and mine is failing.

Borrowed screenshots below

The SSID, which is hidden. WPA2 Enterprise and "use as login Window config".

PEAP, with a service account DomainService Account

Trusted the self singed, EXPIRED certificate

Of you have an expired cert, your wireless will certainly fail. I am not on a work computer right now so I am unable to cite an example, sorry

@pat.best

Thanks Pat. If you could link me to the article, I would like to pass it along to our network team!

Here is a decent article, Google search meraki common wireless radius configuration issues and troubleshooting step number one lists missing or expired certs. I would paste it but my phone is not cooperating. Hope this helps!

@Poseiden I am back at work and here are a couple links to help describe the process. Hope this helps!

Here is the link

and this article from Cisco

The above solution by @pat.best works for us in regards-to forcing authentication; however, is it possible for the Active Directory user to log-in to the Wireless Network utilizing their credentials without validating the certificate? Meaning...

Default behavior (without pushing the profile) on a Mac first has the User to log-in, then a dialog generates for the user to "trust" the certificate(s). For the sake of simplifying process for the end-user, it would be great if the latter dialog could be surpassed while still requiring log-in. Is that possible? Our Mac environment is 10.11.3.