802.11x machine cert only connects after login

wifichallenges
Contributor

I have been playing with machine-based certificates now on the Macs, trying to get them to authenticate more cleanly to our environment. I ran into a problem. I can push the config profile, and I finally got it working. It installs an AD cert into the SYSTEM keychain. When you are logged in, it connects automatically and fine to the network using the machine certificate. yay...

However, the problem is that if you reboot or log out, the network disconnects. The wireless icon in the top right goes connected for a few seconds, then goes faded (not connected) again shortly after. It might flap like that a few times. My RADIUS server sees no connection attempt at the time, so it's not really doing anything. Log on as an existing user, and all is well again.


Anyone got any ideas? The policy pushes out a certificate and a wireless profile in the same configuration profile. Using TLS; RADIUS is an NPS server. Certificate logon works fine on Windows machines. The machine is Active Directory joined.


sdagley
Esteemed Contributor II

@wifichallenges Do you have FileVault enabled on your Macs? If so, there is no network connectivity from the machine after a restart until a user logs in, because the FV login screen isn't running the full macOS; it's running a pre-boot environment waiting for a user to enter account credentials with permission to unlock the drive. Only once the drive is unlocked does the full macOS load with the Configuration Profile you've pushed for 802.11x network authentication.

"sudo fdesetup status" reports that FileVault is OFF on this test device I have.


I think maybe I'll try another device to see if it does it as well.

sdagley
Esteemed Contributor II

@wifichallenges If you're not using FileVault my question would be does the Network payload in the Configuration Profile you're deploying have the "Use as a Login Window configuration" option set?
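One way to check a deployed profile for exactly these settings before pushing it again, as an added example that is not part of this thread and not Jamf or Apple tooling: a small Python linter over the profile's plist. The sample profile, its UUIDs, SSID and RADIUS server name are constructed placeholders. The key names it checks (SetupModes with "System" and "Loginwindow", AutoJoin, PayloadCertificateUUID, EAPClientConfiguration with AcceptEAPTypes and TLSTrustedServerNames) are the documented Wi-Fi payload keys; the assumption here is that the "Use as a Login Window configuration" checkbox is what adds Loginwindow to SetupModes.

```python
# Added example, not code from the thread: lint a macOS Wi-Fi configuration
# profile for the settings a machine-certificate (EAP-TLS) connection needs
# in order to come up at the login window. SAMPLE_PROFILE is constructed;
# its SSID, UUIDs and RADIUS server name are placeholders.
import copy
import plistlib

# EAP method numbers as written in the Wi-Fi payload's AcceptEAPTypes array
EAP_TLS = 13
EAP_PEAP = 25

# Payload types that deliver an identity the Wi-Fi payload can reference
IDENTITY_PAYLOAD_TYPES = {"com.apple.security.pkcs12", "com.apple.security.scep"}

IDENTITY_UUID = "11111111-1111-1111-1111-111111111111"  # placeholder UUID

SAMPLE_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.corp.wifi-machine-cert",
    "PayloadUUID": "00000000-0000-0000-0000-000000000000",
    "PayloadVersion": 1,
    "PayloadScope": "System",
    "PayloadContent": [
        {   # the machine identity, delivered in the same profile as the Wi-Fi payload
            "PayloadType": "com.apple.security.pkcs12",
            "PayloadIdentifier": "example.corp.machine-identity",
            "PayloadUUID": IDENTITY_UUID,
            "PayloadVersion": 1,
            "PayloadContent": b"placeholder-pkcs12-bytes",  # constructed, not a real PKCS#12
        },
        {   # the Wi-Fi payload that references that identity
            "PayloadType": "com.apple.wifi.managed",
            "PayloadIdentifier": "example.corp.wifi",
            "PayloadUUID": "22222222-2222-2222-2222-222222222222",
            "PayloadVersion": 1,
            "SSID_STR": "CorpWiFi",
            "EncryptionType": "WPA2",
            "AutoJoin": True,
            "SetupModes": ["System", "Loginwindow"],
            "PayloadCertificateUUID": IDENTITY_UUID,
            "EAPClientConfiguration": {
                "AcceptEAPTypes": [EAP_TLS],
                "TLSTrustedServerNames": ["nps.example.corp"],
            },
        },
    ],
}


def lint_wifi_profile(profile):
    """Return a list of findings; an empty list means the profile has what a
    system-scoped, login-window EAP-TLS connection needs."""
    findings = []
    payloads = profile.get("PayloadContent", [])
    identity_uuids = {p.get("PayloadUUID") for p in payloads
                      if p.get("PayloadType") in IDENTITY_PAYLOAD_TYPES}
    wifi_payloads = [p for p in payloads if p.get("PayloadType") == "com.apple.wifi.managed"]
    if not wifi_payloads:
        findings.append("no com.apple.wifi.managed payload in profile")
    for wifi in wifi_payloads:
        ssid = wifi.get("SSID_STR", "<no SSID_STR>")
        modes = set(wifi.get("SetupModes", []))
        if "Loginwindow" not in modes:
            findings.append(f"{ssid}: SetupModes lacks Loginwindow, so the network is not used at the login window")
        if "System" not in modes:
            findings.append(f"{ssid}: SetupModes lacks System, so the connection is not system-owned before login")
        if not wifi.get("AutoJoin", False):
            findings.append(f"{ssid}: AutoJoin is false, so nothing joins the network after a reboot or logout")
        eap = wifi.get("EAPClientConfiguration", {})
        eap_types = eap.get("AcceptEAPTypes", [])
        if EAP_TLS not in eap_types:
            findings.append(f"{ssid}: AcceptEAPTypes does not include EAP-TLS ({EAP_TLS})")
        if EAP_PEAP in eap_types and ("UserName" in eap or "UserPassword" in eap):
            findings.append(f"{ssid}: PEAP with UserName/UserPassword stored in the profile")
        # Apple documents PayloadCertificateUUID on the Wi-Fi payload itself;
        # some generators also place it inside EAPClientConfiguration, so accept both.
        cert_uuid = wifi.get("PayloadCertificateUUID") or eap.get("PayloadCertificateUUID")
        if not cert_uuid:
            findings.append(f"{ssid}: no PayloadCertificateUUID, so no client identity is selected")
        elif cert_uuid not in identity_uuids:
            findings.append(f"{ssid}: PayloadCertificateUUID {cert_uuid} matches no identity payload in this profile")
        if not eap.get("TLSTrustedServerNames"):
            findings.append(f"{ssid}: TLSTrustedServerNames is empty, so the RADIUS server name is not checked")
    return findings


def lint_mobileconfig(data):
    """Lint an unsigned .mobileconfig (XML or binary plist) given as bytes."""
    return lint_wifi_profile(plistlib.loads(data))


def sample_roundtrip_ok():
    """Serialize the constructed sample to plist bytes and lint it again."""
    return lint_mobileconfig(plistlib.dumps(SAMPLE_PROFILE)) == []


def broken_variant():
    """Constructed copy of the sample with Loginwindow and AutoJoin removed,
    to show what the linter reports for the symptom described in the thread."""
    profile = copy.deepcopy(SAMPLE_PROFILE)
    wifi = next(p for p in profile["PayloadContent"] if p["PayloadType"] == "com.apple.wifi.managed")
    wifi["SetupModes"] = ["System"]
    wifi["AutoJoin"] = False
    return profile


if __name__ == "__main__":
    for finding in lint_wifi_profile(broken_variant()):
        print(finding)
```

Export the profile from the MDM as an unsigned .mobileconfig and pass its bytes to lint_mobileconfig(). On the Mac itself, `security find-identity -v /Library/Keychains/System.keychain` shows whether the identity actually landed in the System keychain; an identity that only exists in a user's login keychain is not available at the login window, which produces the same connect-only-after-login symptom.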

I set it; made no difference. However, I think I have bigger problems, as I reimaged the laptop and now it won't connect at all with the certificate...  I think I manually forced the connection previously to get it to work, but I don't want to do that again. I want the config profile to do it all.


Tried another laptop and used PEAP with a hard-coded username and password in the config profile, and that does connect fine. Anyways, I have a few months to solve this before I give up and go hard-coded. There doesn't seem to be any way for a limited user to read the saved credentials, so that is good.

sdagley
Esteemed Contributor II

@wifichallenges It's been over 5 years since I worked in an environment that allowed 802.11x network auth at the login window, so my memory isn't exactly fresh. As best I can recall, the login window configuration authenticated the Wi-Fi connection using the AD computer record for the Mac, and when a user logged in, the computer-authenticated connection dropped and a new user-authenticated connection was established.

The problem there is that users' credentials authenticate them to a limited network only, for BYOD. Corporate network access is restricted to certificate-based only, for tighter control of what people can bring into the environment.

If they BYOD, they only get internet. So I don't think that will work for me.

Anyways, I am going to keep plugging away at it, but I am also going on holidays, so I won't post for a bit. I have a few months to solve this before it's really critical.

bwoods
Valued Contributor

I was able to get this working by setting my certificate subject to "CN=$USERNAME" and the RFC 822 Name to $USERNAME@domain.com. The RADIUS server seems to accept this as a user authenticating, and it automatically connects because it is a system cert. Perfect if you're using Jamf Connect Login.

I'm using the ADCS Connector though.

I'd have to make a new certificate template to do that, I think. I'll think about trying it. However, many people have got this working with normal machine-based certificates. The ADCS connector seems to only be used for non-domain-joined devices, correct? Because I have no problem acquiring a certificate, as the MacBook is domain joined.