F.Y.I: Debug for RADIUS and macOS WPA2 issues

https://documentation.meraki.com/MR/Encryption_and_Authentication/Advanced_RADIUS_and_WPA2_Debugging_using_macOS

@esam Were you able to find a solution for this? I am running into the exact issue deploying Onelogin Radius authentication.

@shan3 & @esam facing the same issue, any help would be appreciated

same issue and not fixed in Jamf Pro 10.16.1 (maybe it's radius issue). the workaround is create a package with 802.1x wifi profile and a postinstall script. then use policy to deploy the 802.1x profile package.

#!/bin/bash

/usr/bin/profiles -I -F /path/to/802.1x.mobileconfig

Bumping this if only for that Meraki link. That got me exactly what I needed today! Thanks @takayuki

@shan3 @esam @smansoor @grahamfw - I got this working in our environment: OneLogin for RADIUS auth, JAMF for Profile/Cert Deployment, Meraki Network.

Check this out: https://onelogin.service-now.com/kb_view_customer.do?sysparm_article=KB0010466

If you have more specific questions for me, fire away! Also I am way more likely to respond on the Mac Admins Slack if you wanna find me there: Breck

@Br3ck Do your users have to change their OneLogin passwords regularly? If so, how does this affect the WiFi config on their machines? I ended up locking myself out of OL in my testing because I changed my password, but my Mac didn't know about it and kept trying to authenticate to OL RADIUS with my old pw. Any help on this would be much appreciated - its the only thing stopping me from deploying OL RADIUS here.

@typeraj - Hey Raj! So yeah we totally run into this and its clunky as hell... I've found the sure fire way to fix this is to delete the old keychain entry associated with your previous password. I have a little script that can do this I threw in Self Service for users. Sometimes it just works as you would expect though, MacOS prompts for the new password after it's been changed in OneLogin, the user puts it in and they are on their way. Do you have the ability to do cert based auth instead of username/pass? This is eventually where we want to get but we don't have a CA yet unfortunately.

@Br3ck I'd love to do cert based auth but its not an option for us at the moment. I do like the idea of a little SS script, its an extra step but I don't think our users will mind too much. Any chance you can share what you have? Happy to Slack you if you'd prefer.

@typeraj - for sure, see below. Keep in mind that if you have users using iCloud keychain that that is a whole other can of worms. I would honestly stop iCloud keychain on your fleet if you can. I haven't gotten around to it but there are some jamf nation threads with some hacky ways to prevent icloud keychain from working without fully blocking iCloud entirely. Also note that your user would need to be on ethernet for this SS mechanism to work... its all very ugly but hey very secure!

#!/bin/sh



#Determine the currently logged in user and save their account name as the loggedInUser

loggedInUser=$( ls -l /dev/console | awk '{print $3}' )



su "$loggedInUser" -c '/usr/bin/security delete-generic-password -s com.apple.network.eap.user.item.wlan.ssid.<INSERT SSID HERE>'



security delete-generic-password -l "<INSERT SSID HERE>" "/Library/Keychains/System.keychain"



exit 0

@Br3ck Thanks for sharing mate For iCloud Keychain, I tested a config profile with the restrictions payload and it seems to work well. If it was enabled on the Mac prior to receiving the profile, it just disables it silently and converts the keychain back to Local Items.