Posted on 12-08-2010 02:39 PM
We are getting ready to move to a new wireless network that uses 802.1x. I
want to make this conversion as easy as possible for my users, since they've
been used to not having to login to the wireless network forever. So I'm
trying to push the certificate out to the machines so that when my users
login, that's all they have to do. I'm using the following command in a
script to install the cert, after the cert has been copied to a location on
the machine:
security add-trusted-cert -d -r trustRoot -p eap -k "/Library/Keychains/System.keychain" "/Library/IntegerIT/activedirectory.integerdallas.local.pem"
After doing this, if I go to the machine and select the new wireless
network, I login with my credentials, and then I am presented with a dialog
to trust the certificate. If I check /Library/Security there is no Trust
Settings folder until I click through the dialog, which requires admin user
since the cert is in the System keychain.
If I try using the security command from the terminal, I get an error that
says:
SecTrustSettingsSetTrustSettings: One or more parameters passed to a
function were not valid.
Has anyone seen this error?
Any ideas on why the OS is not trusting the certificate? This is on 10.6.5
machines so far.
Steve Wood
Director of IT
swood at integer.com
The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
T 214.758.6813 | F 214.758.6901 | C 940.312.2475
Posted on 12-09-2010 05:58 AM
We push out settings for wireless too. I set it up on a computer from
scratch and put /Library/Preferences/SystemConfiguration in a package
in Casper. So when they download it in Casper it gives them this directory
and then runs this script, because we copy the cert locally:
sudo security add-trusted-cert -d -k /Library/Keychains/System.keychain /etc/certs/mycert.cer
Then I rename it because the SystemConfiguration also holds the name of
the computer.
This works great for us.
D. Trey Howell
ACMT, ACHDS, CCA
trey.howell at austinisd.org
Desktop Engineering
twitter @aisdmacgeek
Posted on 12-10-2010 11:02 AM
Just wanted to say thanks to Trey, to Dusty from JAMF, and to Chad for
responding to this. I wound up using both methods, security and
networksetup, to get the policy and certificate pushed.
Create a new Login Window Profile for 802.1x. Set the profile to use a
trusted certificate and point to your cert.
From terminal:
networksetup -export8021xProfiles AirPort /myprofileexport.networkconnect yes
Drop the certificate file (as a .pem file) and that profile export into
a temp directory somewhere on your system. I use a folder inside /Library.
Drag those two files into Composer to create a new package.
Add a PostInstall script to the package with these two lines:
security add-trusted-cert -d -r trustRoot -p eap -k "/Library/Keychains/System.keychain" "/Library/YourFolder/yourcert.pem"
networksetup -import8021xProfiles AirPort /Library/YourFolder/yourprofile.networkconnect
That's pretty much it. Add that package to Casper Admin and push it at your
wireless users. In my testing it has worked flawlessly. Of course, I've
only tested on 10.6 machines, so I now need to test on some 10.5 machines to
be sure.
Thanks again everyone!
Steve Wood
Director of IT
swood at integer.com
The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
T 214.758.6813 | F 214.758.6901 | C 940.312.2475
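A hypothetical postinstall script, added here as an example and not taken from the thread, from JAMF or from Composer, that runs the two commands from Steve's last post with the checks a deployment script should have: it refuses anything that is not a single PEM certificate, scopes the trust to the EAP policy only (the -p eap constraint, so the cert is not trusted for SSL, S/MIME or code signing), confirms the trust setting with security verify-cert -p eap (assumed to be available on the target OS version) so a failure like the SecTrustSettingsSetTrustSettings error from the first post shows up at install time rather than at the user's first login, and removes the payload files afterwards. The folder, file names and the AirPort service name are the placeholders from the thread.

```shell
#!/bin/sh
# Added example: a hypothetical Composer postinstall script for the steps in
# the thread. It is not code from the thread or from JAMF. Assumed paths: the
# package drops the PEM cert and the exported profile into /Library/YourFolder
# (the placeholder folder used in the thread).
set -eu

CERT_PEM="${CERT_PEM:-/Library/YourFolder/yourcert.pem}"
PROFILE="${PROFILE:-/Library/YourFolder/yourprofile.networkconnect}"
KEYCHAIN="/Library/Keychains/System.keychain"
SERVICE="AirPort"   # network service name on 10.5/10.6, as used in the thread

# True when the file carries the PEM BEGIN and END CERTIFICATE markers.
is_pem_cert() {
  [ -f "$1" ] || return 1
  grep -q '^-----BEGIN CERTIFICATE-----$' "$1" || return 1
  grep -q '^-----END CERTIFICATE-----$' "$1"
}

# Prints the number of PEM certificates in a file (0 for a missing file).
# add-trusted-cert takes a single certificate, so a bundle is rejected below.
pem_cert_count() {
  [ -f "$1" ] || { echo 0; return 0; }
  grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# Installs the RADIUS server's CA cert with trust limited to the EAP policy,
# checks that the trust setting took effect, then imports the 802.1x profile
# and removes the payload files.
install_trust() {
  is_pem_cert "$CERT_PEM" || { echo "not a PEM certificate: $CERT_PEM" >&2; return 1; }
  [ "$(pem_cert_count "$CERT_PEM")" -eq 1 ] || { echo "expected exactly one cert in $CERT_PEM" >&2; return 1; }
  [ -f "$PROFILE" ] || { echo "missing profile export: $PROFILE" >&2; return 1; }

  # -d: admin (system-wide) trust store; -r trustRoot: treat it as a root;
  # -p eap: trust it for 802.1x/EAP only, not for SSL, S/MIME or code signing.
  security add-trusted-cert -d -r trustRoot -p eap -k "$KEYCHAIN" "$CERT_PEM"

  # Fail the install here if the cert still does not evaluate as trusted for
  # EAP, instead of leaving the user a trust dialog at first login.
  # (verify-cert with -p eap is assumed to exist on the target OS version.)
  security verify-cert -c "$CERT_PEM" -p eap

  networksetup -import8021xProfiles "$SERVICE" "$PROFILE"

  # The export was made with "include keychain items: yes", so the profile
  # file can carry keychain material; do not leave it on disk.
  rm -f "$PROFILE" "$CERT_PEM"
  echo "802.1x trust and profile installed"
}

# The checks above are plain POSIX shell; the install itself runs only where
# the macOS security and networksetup tools exist.
if command -v security >/dev/null 2>&1 && command -v networksetup >/dev/null 2>&1; then
  install_trust
fi
```

A note on the export step in the thread: the trailing yes argument to networksetup -export8021xProfiles is the "include keychain items" switch, so the exported .networkconnect file can contain keychain material, which is why the script deletes it once the import has succeeded. If the target OS version does not have security verify-cert, replace that line with a check of security dump-trust-settings -d output.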