3 weeks ago
We're in the process of getting ready to implement Jamf Connect for syncing local accounts with Entra. Our current Wi-Fi is 802.1x PEAP where users sign in with their username and password, which we were told is not compatible. We're looking into certificate-based auth using machine certs, but haven't found a clear answer on how to make this work. Our PKI is Microsoft ADCS, so we run up against the strong mapping requirements. We don't have SCEP right now and we are hoping to not open anything for inbound communication, as we don't host anything on site anymore and have no real DMZ for hosting things. We also don't want to bind to AD as that's pretty terrible. Has anyone gotten this set up in a similar environment? Thanks!
3 weeks ago
You have heard right. You cannot do user-based 802.1x authentication with Jamf Connect; 802.1x machine-based authentication works fine.
As for how to get to a point where you can do 802.1x machine authentication, that is a deeply personal question for your organization. We are in a similar boat: a Windows shop, and we don't, nor ever will, domain bind Macs, and ADCS cannot seem to be made happy. This is really a problem for the architecture teams to solve, along with how exactly they want RADIUS to be configured. macOS would be perfectly happy with a single certificate deployed to all devices for 802.1x; the question is whether your security stance will allow for that.
3 weeks ago
Yes, 802.1x machine authentication with Jamf Connect works well when configured properly. In my setup, we use SCEP (Simple Certificate Enrollment Protocol) to issue machine certificates from our internal PKI, specifically Microsoft Active Directory Certificate Services (ADCS). The certificates are deployed and renewed automatically via NDES (Network Device Enrollment Service), ensuring each Mac receives a valid machine certificate stored in the system keychain.
For Wi-Fi connectivity, the network profile is configured through Jamf Pro with 802.1x authentication, set to use the machine certificate for seamless auto-connection. This allows devices to authenticate without requiring user credentials, ensuring a more secure and automated experience.
Since authentication relies on Active Directory, the Mac must be domain-joined and must belong to a specific security group. Our RADIUS server, which in our case is Microsoft NPS, verifies security group membership before granting network access. If using Cisco ISE, policy sets must be adjusted to recognize the device identity rather than user authentication.
If domain binding is not an option, alternatives like a cloud-based PKI (such as Intune’s SCEP integration or Jamf PKI) can be used to issue and manage certificates. Additionally, when using Microsoft NPS, authentication should be configured for certificate-based authentication only, avoiding user-based methods.
This setup ensures a seamless, certificate-based machine authentication process, making Wi-Fi connectivity automatic and secure while reducing dependency on user credentials. Let me know if you need more details!
2 weeks ago
https://www.youtube.com/watch?v=jn0HTWKubFY&t=1s
The two links above provide a good explanation of the independent SCEP process we followed up to Jamf Pro 11.14. If you already have a PKI connection via the AD CS Connector, as of Jamf Pro 11.14, you can now use it for client certificates instead of SCEP.
a week ago
I'm curious what others do. We started, when on premise, with the normal AD PKI machine cert EAP-TLS on a machine profile; then, when we went cloud, with an ADCS to get AD certs via a user cert this time, with a UPN rather than machine, on a user-level profile. Now we come to fully Jamf Connect our Macs... Wi-Fi issues again, with user profiles not supported by JC.
We have actually come unstuck recently due to our RADIUS servers getting patched and having strong mapping turned on without us realising:
https://learn.jamf.com/en-US/bundle/technical-articles/page/Supporting_Microsoft_Active_Directory_St...
Are you guys having fun with this? It's driving us crazy with our RADIUS servers. Right now we have a machine-level profile with a user ADCS cert... just wish we could get the mapping sorted.
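The strong mapping problem raised in the first post and in the last reply comes from Microsoft's KB5014754 certificate-based authentication changes: once the domain controllers behind NPS move to enforcement, a certificate presented over EAP-TLS must map to an AD object either through the SID extension ADCS adds to certificates issued to domain accounts, or through an altSecurityIdentities value in one of the "strong" formats (X509:<I><SR>, X509:<SKI>, X509:<SHA1-PUKEY>). A Mac that is not bound still needs an AD object to map to, and the usual trip-up with the <I><SR> format is that the serial number has to be written in reversed byte order and the issuer DN in reversed RDN order. The helper below is an added example, not code from this thread or from Jamf; the issuer DN and serial number are constructed sample values, and the regexes encode only the six documented formats.

```python
import re

# altSecurityIdentities formats Microsoft classifies as "strong" under
# KB5014754; these are the ones accepted once enforcement mode is on.
_STRONG = (
    re.compile(r"^X509:<I>[^<>]+<SR>[0-9A-Fa-f]+$"),
    re.compile(r"^X509:<SKI>[0-9A-Fa-f]+$"),
    re.compile(r"^X509:<SHA1-PUKEY>[0-9A-Fa-f]+$"),
)
# Formats that work in compatibility mode but are rejected under enforcement.
_WEAK = (
    re.compile(r"^X509:<I>[^<>]+<S>[^<>]+$"),
    re.compile(r"^X509:<S>[^<>]+$"),
    re.compile(r"^X509:<RFC822>[^<>]+$"),
)


def mapping_strength(value: str) -> str:
    """Classify one altSecurityIdentities value as 'strong', 'weak' or 'unknown'."""
    if any(p.match(value) for p in _STRONG):
        return "strong"
    if any(p.match(value) for p in _WEAK):
        return "weak"
    return "unknown"


def reverse_serial(serial_hex: str) -> str:
    """Return the certificate serial number in the reversed byte order the <SR>
    field expects. Accepts the colon-separated form printed by
    'openssl x509 -text' as well as the bare hex that certutil prints."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", serial_hex)
    if len(digits) % 2:            # odd digit count: pad to whole bytes first
        digits = "0" + digits
    pairs = [digits[i:i + 2] for i in range(0, len(digits), 2)]
    return "".join(reversed(pairs)).upper()


def reverse_dn(dn: str) -> str:
    """Reverse the RDN order of a distinguished name (CN=...,DC=... becomes
    DC=...,CN=...), which is the order the <I> field uses. Commas escaped with
    a backslash inside an RDN value are kept intact."""
    rdns = re.split(r"(?<!\\),\s*", dn.strip())
    return ",".join(reversed(rdns))


def issuer_serial_mapping(issuer_dn: str, serial_hex: str) -> str:
    """Build the X509:<I>...<SR>... value for one certificate."""
    return f"X509:<I>{reverse_dn(issuer_dn)}<SR>{reverse_serial(serial_hex)}"


def audit(values):
    """Return {value: strength} for existing altSecurityIdentities entries, e.g.
    what 'Get-ADComputer <name> -Properties altSecurityIdentities' returns."""
    return {v: mapping_strength(v) for v in values}


if __name__ == "__main__":
    # Constructed sample values, not taken from a real CA.
    issuer = "CN=CONTOSO-DC-CA,DC=contoso,DC=com"
    serial = "2b:00:00:00:00:11:ac:00:00:00:00:12"
    print(issuer_serial_mapping(issuer, serial))
    existing = [
        "X509:<I>DC=com,DC=contoso,CN=CONTOSO-DC-CA<S>CN=mac01.contoso.com",
        "X509:<SKI>1F2E3D4C5B6A79880706050403020100",
        "X509:<RFC822>mac01@contoso.com",
    ]
    for value, strength in audit(existing).items():
        print(f"{strength:8} {value}")
```

The generated value is what goes into the AD computer (or user) object the Mac's certificate should map to, for example with `Set-ADComputer mac01 -Add @{altSecurityIdentities="X509:<I>...<SR>..."}`; running `audit` over the values already present shows which entries NPS will stop honouring once enforcement is enabled, which is the failure the last reply describes after the RADIUS servers were patched.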