Jamf Connect Login, 802.1x Wireless, ADCS Connector, Unbound

bwoods
Valued Contributor

Hello,

Has anyone successfully been able to connect to an 802.1x wireless network from the Jamf Connect Login screen while being unbound and using the ADCS Connector? If so, please share your Network/Certificate payloads.


Edit: After configuring this myself and helping many others with this issue, I've created a simple guide for those of you that need help below:

1. Configure one of the following:

A. ADCS Connector (expensive)

B. SCEP PKI cert (inexpensive)

2. Add the PKI cert to your Jamf Pro server.

3. Learn how your RADIUS server authenticates (username, hostname, serial, etc.).

4. Configure a wireless configuration profile that contains the chain of trust for your RADIUS server and the ADCS/SCEP cert, and trusts these certs. The profile must also contain your wireless payload.

5. Deploy the profile.


How to configure ADCS: https://youtu.be/oRkpkN1Z3aI

How to configure SCEP: Integrating with DigiCert Using Jamf Pro | Jamf

Open a ticket with Jamf Support: ask for Benjamin Julian. In my experience he is the most knowledgeable about 802.1X configurations.


walkerkierluk
New Contributor II

Our setup with AD-bound Macs was similar, and unfortunately we were not able to recreate it without being Bound, so we have machines logging in with a fixed secret account.

However, our old system had the "Use as a Login Window configuration" checked in our payload, which meant that when users logged into their domain accounts, the computer would re-authenticate to the network using their credentials (important for us as their VLAN and network access was determined based on AD groups). However, it seems that Jamf Connect ignores this setting in Jamf Pro.

If someone else has a solution for this, I'd love to hear it.

bwoods
Valued Contributor

@walkerkierluk I figured out how to do this without being bound. I'm planning on creating a new discussion on how to do it.

jakeobbe
New Contributor II

@bwoods Do you have any insight on it? Running into this issue now. Thanks!

bwoods
Valued Contributor

@user-ZPdAbvOnsK, happy to help. I guess this would be the best place to discuss. Let me know where you're having problems. Can you at least get your ADCS Connector profile to your clients?

jakeobbe
New Contributor II

Thanks bwoods, so the ADCS Connector does work, we have a machine cert rolled out based upon Serial Number (The thought was since Computer names can be changed so easily, we didn't want a bunch of certs being distributed). We use Cisco ISE that looks for machine certificates and based on certain criteria, will move the machine to the proper subnet.

We created a Network payload that includes the machine cert, along with the trusted chain certificates, and the Cisco ISE Certificate. The payload is also configured to be used with 802.1x on "Any Ethernet" and to use the machine cert for authentication. ISE never picks up the Certificate at all, and only if we create a "dummy" computer object in AD that matches the serial number of the machine, it will recognize and move the machine to the proper subnet. It sounds like it may be an ISE thing but I just want to make sure I'm not potentially missing something in the payload. Thank you!

bwoods
Valued Contributor

@jakeobbe we're using user-based authentication in ISE. My certificate subject is CN=$USERNAME@domain.com, my SAN type is RFC 822 Name, and my SAN is $USERNAME@domain.com.

SCCM
Contributor III

@user-ZPdAbvOnsK ISE first checks for the cert on the machine and then normally looks for the computer object in AD before granting access. ISE can be set up not to do the search, but I doubt your cyber or network teams would want that.

bwoods
Valued Contributor

@user-ZPdAbvOnsK please contact me on the MacAdmins slack channel for more help. My username is brndnwds6 on there.

Justin13579
New Contributor III

bwoods - Unfortunately I can't get a proper invite to the MacAdmins Slack channel, so I can't see the "working" deployment. We are in the exact same scenario and could use your insight.

Unbound.
ADCS Connector working.
Targets serial number.
Once logged into the Mac, the 802.1X connection comes up immediately. But from the Jamf Connect login page, Wi-Fi will not connect and only presents a username/password field, even though everything is device-based certs.

Were you able to get this figured out? I'm dealing with the same problem.

bwoods
Valued Contributor

You basically need to dupe your RADIUS server into thinking your machine cert is a user cert. In your profile, change the level to Computer and use $USERNAME as the subject. Wireless should work at the login screen after doing this.

[attachment: bwoods_0-1709224702000.png]
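As an added example that is not from bwoods, from this thread, or from Jamf: the script below builds the computer-level profile that the guide in the first post (steps 1 to 5) and the $USERNAME-subject advice above describe, as a SCEP plus Wi-Fi .mobileconfig plist, and then lints it for the settings the thread says must be present before Wi-Fi can join from the login window (system scope, login-window setup mode, an identity referenced for EAP-TLS, and a pinned RADIUS trust anchor). The SCEP URL, SSID, RADIUS hostname, example.com domain and the placeholder CA bytes are assumptions; only standard Apple payload keys are used, and no ADCS-Connector-specific payload is modelled.

```python
"""Build and lint an 802.1X Wi-Fi profile for the macOS login window.

Added example, not code from the thread or from Jamf.  The SCEP endpoint,
SSID, RADIUS hostname and domain are placeholder assumptions.
"""
import plistlib
import uuid

SCEP_URL = "https://scep.example.com/scep"   # assumption: your SCEP/PKI endpoint
RADIUS_HOST = "radius.example.com"            # assumption: CN of the RADIUS server cert
SSID = "CorpSecure"                           # assumption
DOMAIN = "example.com"                        # assumption
EAP_TLS = 13                                  # EAP method number for EAP-TLS (RFC 5216)


def build_profile(scope="System", setup_modes=("System", "Loginwindow")):
    """Return the profile as a dict.  scope="User" / setup_modes=() reproduce the
    broken variant the thread describes (Wi-Fi only joins after login)."""
    anchor_uuid = str(uuid.uuid4())   # RADIUS chain-of-trust certificate payload
    scep_uuid = str(uuid.uuid4())     # identity issued over SCEP
    trust_payload = {
        "PayloadType": "com.apple.security.root",
        "PayloadIdentifier": "com.example.radius-ca",
        "PayloadUUID": anchor_uuid,
        "PayloadVersion": 1,
        "PayloadDisplayName": "RADIUS CA chain",
        # constructed placeholder; a real profile carries the DER-encoded CA cert
        "PayloadContent": b"PLACEHOLDER-NOT-A-REAL-CERTIFICATE",
    }
    scep_payload = {
        "PayloadType": "com.apple.security.scep",
        "PayloadIdentifier": "com.example.scep",
        "PayloadUUID": scep_uuid,
        "PayloadVersion": 1,
        "PayloadDisplayName": "802.1X identity (SCEP)",
        "PayloadContent": {
            "URL": SCEP_URL,
            "Name": "CorpPKI",
            # Computer-level profile, but the subject is the *user* identity:
            # this is what lets a user-based RADIUS policy accept the machine.
            "Subject": [[["CN", f"$USERNAME@{DOMAIN}"]]],
            "SubjectAltName": {"rfc822Name": f"$USERNAME@{DOMAIN}"},
            "Keysize": 2048,
            "Key Type": "RSA",
            "Key Usage": 5,   # bitfield: 1 = signing, 4 = encryption
        },
    }
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadIdentifier": "com.example.wifi",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "PayloadDisplayName": SSID,
        "SSID_STR": SSID,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "SetupModes": list(setup_modes),          # System/Loginwindow = pre-login
        "PayloadCertificateUUID": scep_uuid,      # identity used for EAP-TLS
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [EAP_TLS],
            "TLSTrustedServerNames": [RADIUS_HOST],
            "PayloadCertificateAnchorUUID": [anchor_uuid],
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.dot1x",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "PayloadScope": scope,
        "PayloadDisplayName": "802.1X Wi-Fi for login window",
        "PayloadContent": [trust_payload, scep_payload, wifi_payload],
    }


def lint_profile(profile):
    """Return a list of findings; an empty list means the profile passes."""
    findings = []
    payloads = profile.get("PayloadContent", [])
    by_uuid = {p["PayloadUUID"]: p for p in payloads}
    if profile.get("PayloadScope") != "System":
        findings.append("PayloadScope must be System; user-scoped profiles only apply after login")
    for p in payloads:
        if p["PayloadType"] != "com.apple.wifi.managed":
            continue
        if not {"System", "Loginwindow"} & set(p.get("SetupModes", [])):
            findings.append("Wi-Fi payload lacks System/Loginwindow SetupModes")
        eap = p.get("EAPClientConfiguration", {})
        ident = by_uuid.get(p.get("PayloadCertificateUUID"))
        if EAP_TLS in eap.get("AcceptEAPTypes", []) and ident is None:
            findings.append("EAP-TLS selected but no identity payload in this profile is referenced")
        anchors = [u for u in eap.get("PayloadCertificateAnchorUUID", []) if u in by_uuid]
        if not anchors or not eap.get("TLSTrustedServerNames"):
            findings.append("RADIUS trust not pinned: the client would accept any server cert")
    return findings


def to_mobileconfig(profile):
    """Serialize to the XML plist bytes that a .mobileconfig file contains."""
    return plistlib.dumps(profile)


if __name__ == "__main__":
    print("good profile:", lint_profile(build_profile()) or "OK")
    print("user-scoped profile:", lint_profile(build_profile(scope="User", setup_modes=())))
```

The lint deliberately treats a missing trust anchor or empty TLSTrustedServerNames as a finding: without them the Mac will negotiate EAP with whatever RADIUS answers the SSID, which is the same trust gap whether the profile is user- or system-scoped.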


husnudagidir
New Contributor III

Hi Everyone,

I solved the 802.1x problem. You can contact me here to find out how to solve the problem.

jalcantara
New Contributor II

Hello @husnudagidir  I would like to learn more about your solve for the 802.1x problem. Currently using Meraki Radius authentication with EAP-PEAP.

husnudagidir
New Contributor III

Hi jalcantara,

We use Aruba brand access points in our Wi-Fi network. 802.1X is used to connect to the network through these products, and we admit users to the network by verifying them with a certificate. At this stage, identity and certificate verification is done with an application called ClearPass. The ClearPass application also serves as an MDM server and SCEP server. When we connect to access points, the ClearPass application sends a profile file to users via a web interface. Actually, the whole solution is contained in this profile file's settings. We changed the part specified as "user" in the settings of this configuration profile file, sent to macOS devices by the ClearPass application, to "system". Thus, as soon as our macOS device was turned on, the user was able to connect to the network automatically without logging in. If the application you use is ClearPass, I have supported this with a screenshot; you can use the screenshot below. After making this change, you need to delete and reinstall the Wi-Fi profile on the macOS device. After this step, the problem disappears.

[screenshot: Provisioning_Settings__.png]