Jamf Connect login not working with Corporate WiFi

Samstar777
Contributor II

Hello,

Today, we found out that Jamf Connect login is not working when connected to our corporate WiFi network, which is basically EAP/TLS machine-level cert auth with auto-join configured through a Configuration Profile.

Does anyone have a solution for this issue? Or has anyone come across this issue?

Note: Jamf Connect Login works perfectly fine on home network / mobile hotspot.

1 ACCEPTED SOLUTION

You just need to send a computer-level SCEP profile which provides a device-based certificate and also has your network WiFi configuration to auto-join, along with your root CA and EAP-TLS trust to the root CA.

19 REPLIES

ChaseEndy
New Contributor III

We have the same issue with Jamf Connect and our enterprise network; we are using PEAP user-level cert with auto-join. Our users cannot join our WPA2 Enterprise network at the Jamf Connect login screen even when they are passing their district credentials. Once they're logged into the machine the user can then enter and connect using their credentials. Right now we have an SSID that we are passing the password for via profile to machines so they can authenticate through to login and get to the Home Screen. Which when they get to the home screen they can use their district credentials to log into the WiFi.

Naveen_R
New Contributor II

The WiFi connection at the Jamf Connect login screen is not capable of connecting to networks which depend on a RADIUS server for user authentication.

Refer to the Network requirements section for more information:
General Requirements - Jamf Connect Administrator's Guide | Jamf

srochford
New Contributor II

Thanks for that link. There's a section which says "If you are using an 802.1x RADIUS server for certificate-based authentication on your organization's network, you must make sure to distribute 802.1x settings at the computer-level" but gives no indication of how to set it up. Does anyone know what I need to do? Is there some kind of profile or policy that I need to implement to get the 802.1x settings in place?

TomDay
Release Candidate Programs Tester

Possible to see what your SCEP payload looks like here?

MannyKrishna
New Contributor II

I have done all these settings but I am unable to connect to WiFi at the login screen. It is asking for credentials to connect, but on the same WiFi I am able to connect post-login via certificate authentication.

Please advise.

husnudagidir
Contributor

Hi,

Has anyone been able to resolve this issue? In our company, user-based authentication is done, not device-based, to connect to the WiFi network.

husnudagidir
Contributor

Hi Everyone,

I solved the 802.1x problem. You can contact me here to find out how to solve the problem.

rolfk
New Contributor II

Hello husnudagidir,

What was your solution?

We have exactly the same problem. Please post your solution here for the benefit of everyone.

Regards

Rolf

Hi,

We use Aruba brand Access Points in our WiFi network. 802.1x is used to connect to the network through these products and we include users in the network by verifying with a certificate. At this stage, identity and certificate verification is done with an application called ClearPass. The ClearPass application also serves as an MDM server and SCEP server. When we connect to Access Points, the ClearPass application sends a profile file to users via a web interface. Actually the whole solution is contained in this profile file's settings. We changed the part specified as "user" in the settings of this configuration profile file, sent to macOS devices by the ClearPass application, to "system". Thus, as soon as our macOS device was turned on, the user was able to connect to the network automatically without logging in. If the application you use is ClearPass, I can support this article with screenshots.

Hi rolfk,

We use Aruba brand Access Points in our WiFi network. 802.1x is used to connect to the network through these products and we include users in the network by verifying with a certificate. At this stage, identity and certificate verification is done with an application called ClearPass. The ClearPass application also serves as an MDM server and SCEP server. When we connect to Access Points, the ClearPass application sends a profile file to users via a web interface. Actually the whole solution is contained in this profile file's settings. We changed the part specified as "user" in the settings of this configuration profile file, sent to macOS devices by the ClearPass application, to "system". Thus, as soon as our macOS device was turned on, the user was able to connect to the network automatically without logging in. If the application you use is ClearPass, I support this article with screenshots. You can use the screenshot below. After making this change, you need to delete and reinstall the WiFi profile on the macOS device. After this step, the problem disappears.

[Screenshot: Provisioning_Settings__.png]
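
The computer-level requirement discussed in this thread (a device identity certificate, the Wi-Fi payload, root CA trust, and "system" rather than "user" scope) can be checked on an exported `.mobileconfig` before it is deployed. This is an added example, not part of any poster's reply or of Jamf or ClearPass tooling; it reads Apple's documented payload keys, and the SSID, UUIDs and SCEP URL in the sample profiles are constructed placeholders.

```python
import plistlib

EAP_TLS = 13  # EAP method number for EAP-TLS (25 is PEAP)
IDENTITY_TYPES = {"com.apple.security.scep", "com.apple.security.pkcs12"}
ROOT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1"}

def audit_wifi_profile(data: bytes) -> list:
    """Return reasons the Wi-Fi payload cannot authenticate before a user logs in."""
    profile = plistlib.loads(data)
    payloads = profile.get("PayloadContent", [])
    by_uuid = {p.get("PayloadUUID"): p for p in payloads}
    findings = []
    # Assumption: the exported file declares its scope; a missing key is treated as user-level.
    if profile.get("PayloadScope", "User") != "System":
        findings.append("PayloadScope is not System (profile is user-level)")
    for wifi in (p for p in payloads if p.get("PayloadType") == "com.apple.wifi.managed"):
        ssid = wifi.get("SSID_STR", "?")
        eap = wifi.get("EAPClientConfiguration", {})
        if EAP_TLS not in eap.get("AcceptEAPTypes", []):
            findings.append(f"{ssid}: EAP-TLS (13) not in AcceptEAPTypes")
        ident = by_uuid.get(wifi.get("PayloadCertificateUUID"), {})
        if ident.get("PayloadType") not in IDENTITY_TYPES:
            findings.append(f"{ssid}: no device identity certificate payload referenced")
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not any(by_uuid.get(u, {}).get("PayloadType") in ROOT_TYPES for u in anchors):
            findings.append(f"{ssid}: no trusted root CA anchor for the RADIUS server")
        if not wifi.get("AutoJoin", True):
            findings.append(f"{ssid}: AutoJoin disabled")
    return findings

def sample_profile(scope: str, eap_types: list, identity: bool) -> bytes:
    """Constructed sample profile; all names and values are placeholders."""
    content = [
        {"PayloadType": "com.apple.security.root", "PayloadUUID": "ROOT-UUID",
         "PayloadContent": b"placeholder-der-bytes"},
        {"PayloadType": "com.apple.wifi.managed", "PayloadUUID": "WIFI-UUID",
         "SSID_STR": "CorpWiFi", "EncryptionType": "WPA2", "AutoJoin": True,
         "PayloadCertificateUUID": "SCEP-UUID" if identity else "",
         "EAPClientConfiguration": {"AcceptEAPTypes": eap_types,
                                    "PayloadCertificateAnchorUUID": ["ROOT-UUID"]}},
    ]
    if identity:
        content.append({"PayloadType": "com.apple.security.scep", "PayloadUUID": "SCEP-UUID",
                        "PayloadContent": {"URL": "https://scep.example.invalid/scep"}})
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadScope": scope,
                           "PayloadContent": content})

if __name__ == "__main__":
    for name, blob in [("user-level PEAP", sample_profile("User", [25], False)),
                       ("computer-level EAP-TLS", sample_profile("System", [13], True))]:
        print(name, "->", audit_wifi_profile(blob) or "OK for pre-login join")
```
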

Would you mind sharing your service profile that allows for the authentication of i-devices to your network??

I have to set up something similar for iPads to connect to our corporate network using certificates pushed from JAMF using device authentication. They don't want users to have to enter a password.

I appreciate it!!

MannyKrishna
New Contributor II

You have to enroll a machine-based certificate to authenticate to WiFi, and it supports only EAP-TLS authentication but not PEAP (user authentication), so it works only with machine-based authentication,

and map the root CA in your WiFi RADIUS server for validation.

Yes. Already the full solution to this problem is to do machine-based authentication. Because when devices enter the environment, they must be connected to the internet without being dependent on user authentication. Otherwise Jamf Connect will not work.

kennetha
New Contributor III

This is not a solution, but a workaround. Not all enterprises allow or want to allow device based authentication. This has been on the known issues list for a while now. I will create another support case on this. We had a ticket in a while back, but just got the standard device based workaround answer. I don’t see how this is a technical limitation, user based authentication works just fine in macOS. If it is a limitation by Apple, we should put some pressure in that direction as well.

Hi,

For us, this is not a temporary solution. Since device-based verification occurs after verification and approval by IT teams, it does not pose a risk to information security as all necessary protocols are implemented. It is not possible for an external device to join the network in any way. It is safe because it uses 802.1x and certificates and works with the profile support sent to this device by ClearPass.

Hi, would you be able to explain this a bit more? I am new to Jamf and running into this as well. We use ClearPass.

Hi,

Can you tell me exactly what you want to do and what your goal is? I think I can help you. We also use ClearPass in our environment. I would be happy to share my experiences and solutions.

My current problem is that when we're in our corporate WIFI and do a fresh restart/reboot, we cannot login as we get a blank window at our SSO login screen. If I am hardwired, I have no issues, but if I am on wifi I have to turn wifi off and use the Local login. This isn't a great user experience, so I am trying to figure out what I am missing to get this working correctly while on WIFI, I am just too new to Jamf that I am not sure what I am missing. We currently push our Corp WIFI profile via Jamf and there are no issues once our Users log into the machine, there's no issues if the laptop wakes up from sleep mode, wifi connects fine. This happens on a fresh start-up at the initial SSO login. Appreciate any guidance. Thanks