Posted on 10-26-2017 11:11 PM
Hi, I am trying to set up 802.1X authentication for our Ethernet and wifi network. With JSS configuration profiles, I set up Certificate (Root CA), AD and Network. I was able to get the certificate from our Root CA (the cert it gets is like hostname.ad.corp., the FQDN; I asked my enterprise team, and they said the cert must have the FQDN, but he can add the UPN as well). However, it cannot connect with the correct 802.1X profile.
On the wired network, I have to manually choose the 802.1X profile from wifi, and then type the machine name + $ to get authenticated. On wifi, I just cannot get authenticated; it said the authentication server is not responding.
On the network payload, for the username to authenticate to the network, I tried using $ComputerName, %ComputerName%$, and $ComputerName$, but none are working. Not sure if that is the issue?
I tried reading the eapclient log; it does not seem to be much help.
I searched for similar topics on JSS and the internet, and then tried using Apple Profile Manager; however, when I manually import the mobileconfig file, it shows a dialogue saying that my cert authority is asking for a username and password?
Thanks!
Posted on 10-27-2017 05:43 AM
For our network profile, I created the profile in the profile manager on Server, then manually signed the profile in Terminal before uploading it to our JSS. The JSS alters the profile if you upload it unsigned and corrupts some of the configuration.
I have since moved to a PKG install for easier AD certificate renewal when their machine cert expires. It doesn't require scoping issues for automatic installs and we were having issues with profiles being randomly removed from machines for some reason. So I still use the same signed profile from above, but just deliver it via PKG. That also lets me remove old certificates at the same time.
Posted on 10-27-2017 06:38 AM
I also tried using profile manager, but when I tried to add the profile, it asked for my root cert authority username/password to enroll?
Posted on 10-27-2017 08:47 AM
This is my workflow in Profile Manager:
Posted on 10-30-2017 01:51 AM
Thanks, @PhillyPhoto, I realized that my cert URL is http://FQDN, but yours is https://FQDN/cersrv.
After changing that, I was able to get the wifi profile working! Yeah!!! Thanks :)
However, the ethernet is still asking me for the system username/password for "Enter settings for the enterprise network "Wired 802.1X""
Posted on 10-30-2017 10:41 AM
@ruihere When building the config profile in Jamf, do you have the box checked to use Directory Authentication under the Network payload settings? If your machines are bound to AD, this should use computer creds to authenticate rather than prompting for user creds.
Posted on 10-31-2017 02:42 AM
@bjharper I was using Apple Profile Manager to create the profile. I use TLS, so there is no choice to "Use Directory Authentication". However, if I choose PEAP or other options, I can see this option.
Posted on 11-02-2017 07:09 AM
Couple questions:
Thank you
Posted on 01-09-2018 07:04 AM
@PhillyPhoto I'm also getting the same "ethernet still asking me for system username/password" dialog.
I am also creating the profile with Apple Profile Manager but I always get the same "ethernet still asking me for system username/password" dialog... I am about to go crazy... what possible thing/checkbox/information have I missed?
I'd be super grateful for any help...
@dstranathan 2. as phillyphoto mentioned - Apparently the only way to get the 802.1x wired profile to work is to use Apple's Profile Manager, download the profile, sign it and upload it to the JSS.
Posted on 01-09-2018 07:32 AM
@AHolmdahl are you using anything like "host/%ComputerName%.domain.com" under TLS like in my screenshot?
Posted on 03-21-2018 08:56 AM
Try this:
Posted on 03-21-2018 03:12 PM
I have got this working this week using Jamf Pro. @bjharper is correct, you need to use directory authentication and not enable the username & password option. The client AD object is what authenticates through radius for us - not users.