802.1X Authentication Issue

ruihere
New Contributor II

Hi, I am trying to set up 802.1X authentication for our Ethernet and Wi-Fi network. With JSS configuration profiles, I set up Certificate (Root CA), AD and Network. I was able to get the certificate from our Root CA (the cert it gets is like hostname.ad.corp, the FQDN; I asked my enterprise team, and they said the cert must have the FQDN, but he can add a UPN as well). However, it cannot connect with the correct 802.1X profile.

On the wired network, I have to manually choose the 802.1X profile from Wi-Fi and then type the machine name + $ to get authenticated. On Wi-Fi, I just cannot get authenticated; it says the authentication server is not responding.

In the Network payload, for the username to authenticate to the network, I tried using $ComputerName, %ComputerName%$, and $ComputerName$. None of them are working. Not sure if that is the issue?

I tried reading the eapclient log; it seems not much help.

I searched for similar topics on JSS and the internet, and then tried using Apple Profile Manager. However, when I manually import the mobileconfig file, it shows a dialogue saying that my cert authority is asking for a username and password?

Thanks!


PhillyPhoto
Valued Contributor

For our network profile, I created the profile in the profile manager on Server, then manually signed the profile in Terminal before uploading it to our JSS. The JSS alters the profile if you upload it unsigned and corrupts some of the configuration.

I have since moved to a PKG install for easier AD certificate renewal when their machine cert expires. It avoids scoping issues for automatic installs, and we were having issues with profiles being randomly removed from machines for some reason. So I still use the same signed profile from above, but just deliver it via PKG. That also lets me remove old certificates at the same time.

ruihere
New Contributor II

I also tried using Profile Manager, but when I tried to add the profile, it asked for my root cert authority username/password to enroll?

PhillyPhoto
Valued Contributor

This is my workflow in Profile Manager:

  1. Go to Profile > Device Groups > Click + to create a new one, and name it > Click Save
  2. Go to General Settings and give it a name
  3. Configure the AD Certificate server
  4. Add our Secure CA cert
  5. Configure the network settings
  6. Configure VPN
  7. Click OK > Click Save > Click Download
  8. Sign that profile in Terminal

ruihere
New Contributor II

Thanks, @PhillyPhoto, I realized that my cert URL is http://FQDN, but yours is https://FQDN/certsrv.

After changing that, I was able to get the Wi-Fi profile working! Yeah!!! Thanks :)

However, the Ethernet profile is still asking me for the system username/password: "Enter settings for the enterprise network "Wired 802.1X""

bjharper
New Contributor II

@ruihere When building the config profile in Jamf, do you have the box checked to use Directory Authentication under the Network payload settings? If your machines are bound to AD, this should use computer creds to authenticate rather than prompting for user creds.

ruihere
New Contributor II

@bjharper I was using Apple Profile Manager to create the profile. I use TLS, so there is no choice to "Use Directory Authentication". However, if I choose PEAP or other options, I can see that option.

dstranathan
Valued Contributor II

A couple of questions:

  1. In your AD Certificate payload (step 3), is the CA your root CA or an intermediate CA?
  2. Can this profile (and related payloads) be built 100% in the JSS (i.e., not macOS Server)?

Thank you

AHolmdahl
New Contributor III

@PhillyPhoto I'm also getting the same "Ethernet still asking me for system username/password" dialog.
I am also creating the profile with Apple Profile Manager, but I always get the same "Ethernet still asking me for system username/password" dialog... I am about to go crazy... What possible thing/checkbox/information have I missed?
I'd be super grateful for any help...

@dstranathan 2. As PhillyPhoto mentioned, apparently the only way to get the 802.1X wired profile to work is to use Apple's Profile Manager, download the profile, sign it and upload it to the JSS.

PhillyPhoto
Valued Contributor

@AHolmdahl Are you using anything like "host/%ComputerName%.domain.com" under TLS, like in my screenshot?

[screenshot]

DSI
New Contributor II

Try this:

[screenshot]

cleverleys
Contributor

I have got this working this week using Jamf Pro. @bjharper is correct: you need to use directory authentication and not enable the username & password option. The client AD object is what authenticates through RADIUS for us, not users.

cleverleys
Contributor

498b1dbd06244ef08256daf668d3ec3b
3353c180f9d341738c9a62f96d7f1508
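As an added example (not code from this thread, from Jamf, or from Apple), the Python below builds the three payloads the thread converges on for wired EAP-TLS machine authentication (root CA, AD Certificate, Network payload referencing that identity) and then lints a profile for the failure modes reported above: a plain http:// CertServer, a Network payload whose identity UUID does not point at the AD Certificate payload, a missing "Use Directory Authentication" setting (SystemModeCredentialsSource), a UserName not in the host/%ComputerName%.<domain> form PhillyPhoto's screenshot uses, and a static password in the profile. Payload key names follow Apple's Configuration Profile Reference as I recall them; the CA host, domain, CA name, template name and certificate bytes are constructed placeholders.

```python
"""Build and lint a wired EAP-TLS (machine-auth) 802.1X .mobileconfig.

Added example, not code from the thread. Payload keys follow Apple's
Configuration Profile Reference (Network, AD Certificate, Certificate
payloads); all hostnames, names and certificate bytes are placeholders.
"""
import plistlib
import uuid

# Constructed values. The thread's working AD Certificate server value used
# https and the /certsrv path, while plain http://<FQDN> failed.
CERT_SERVER = "https://ca01.ad.corp.example/certsrv"
DOMAIN = "ad.corp.example"
EAP_TLS = 13  # EAP method number for EAP-TLS (RFC 5216)
AD_CERT = "com.apple.ADCertificate.managed"
NETWORK = "com.apple.wifi.managed"  # Network payload; also used for Ethernet


def _payload(ptype, name, **keys):
    """Common payload header plus the payload-specific keys."""
    p = {"PayloadType": ptype, "PayloadVersion": 1, "PayloadDisplayName": name,
         "PayloadUUID": str(uuid.uuid4()).upper()}
    p["PayloadIdentifier"] = f"com.example.{ptype}.{p['PayloadUUID']}"
    p.update(keys)
    return p


def build_profile(root_ca_der, interface="FirstActiveEthernet"):
    """Root CA + AD machine certificate + Network payload, linked by UUID."""
    root_ca = _payload("com.apple.security.root", "Corp Root CA",
                       PayloadContent=root_ca_der)
    ad_cert = _payload(AD_CERT, "AD Machine Certificate",
                       CertServer=CERT_SERVER, CertificateAuthority="corp-CA01-CA",
                       CertTemplate="Machine", CertificateAcquisitionMechanism="RPC",
                       PromptForCredentials=False,  # True => CA prompts for a user
                       Keysize=2048, AllowAllAppsAccess=True)
    network = _payload(NETWORK, "Wired 802.1X",
                       Interface=interface, SetupModes=["System"], AutoJoin=True,
                       PayloadCertificateUUID=ad_cert["PayloadUUID"],  # EAP-TLS identity
                       EAPClientConfiguration={
                           "AcceptEAPTypes": [EAP_TLS],
                           "UserName": f"host/%ComputerName%.{DOMAIN}",
                           # "Use Directory Authentication": bound machine's AD creds
                           "SystemModeCredentialsSource": "ActiveDirectory",
                           "TLSTrustedServerNames": [f"*.{DOMAIN}"],
                           "TLSTrustedCertificates": [root_ca["PayloadUUID"]],
                       })
    return {"PayloadType": "Configuration", "PayloadVersion": 1,
            "PayloadScope": "System", "PayloadDisplayName": "Wired 802.1X (machine auth)",
            "PayloadIdentifier": "com.example.wired-dot1x",
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadContent": [root_ca, ad_cert, network]}


def to_mobileconfig(profile):
    """Serialise to the XML plist that macOS expects in a .mobileconfig."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def from_mobileconfig(data):
    """Parse an unsigned .mobileconfig back into a dict."""
    return plistlib.loads(data)


def lint_profile(profile):
    """Return the problems that correspond to the failure modes in the thread."""
    problems = []
    payloads = profile.get("PayloadContent", [])
    by_uuid = {p["PayloadUUID"]: p for p in payloads}
    for p in payloads:
        if p["PayloadType"] == AD_CERT:
            if not p.get("CertServer", "").startswith("https://"):
                problems.append("AD Certificate: CertServer is not https://<CA FQDN>/certsrv")
            if p.get("PromptForCredentials"):
                problems.append("AD Certificate: PromptForCredentials will ask the user for CA credentials")
        elif p["PayloadType"] == NETWORK:
            eap = p.get("EAPClientConfiguration", {})
            if "System" not in p.get("SetupModes", []):
                problems.append("Network: SetupModes must include System for machine auth")
            if EAP_TLS not in eap.get("AcceptEAPTypes", []):
                problems.append("Network: AcceptEAPTypes does not include EAP-TLS (13)")
            identity = by_uuid.get(p.get("PayloadCertificateUUID"))
            if identity is None or identity["PayloadType"] != AD_CERT:
                problems.append("Network: PayloadCertificateUUID does not reference the AD Certificate payload")
            if eap.get("SystemModeCredentialsSource") != "ActiveDirectory":
                problems.append("Network: SystemModeCredentialsSource is not ActiveDirectory (Use Directory Authentication)")
            if "UserPassword" in eap:
                problems.append("Network: a static UserPassword is embedded in the profile")
            missing = [u for u in eap.get("TLSTrustedCertificates", []) if u not in by_uuid]
            if missing:
                problems.append(f"Network: TLSTrustedCertificates references unknown UUIDs {missing}")
            user = eap.get("UserName", "")
            if user and not (user.startswith("host/") and "%ComputerName%" in user):
                problems.append(f"Network: UserName {user!r} is not host/%ComputerName%.<domain>")
    return problems


if __name__ == "__main__":
    prof = build_profile(b"\x30\x03\x02\x01\x00")  # placeholder, not a real DER cert
    print(to_mobileconfig(prof).decode())
    print("problems:", lint_profile(prof))
```

The placeholder bytes must be replaced with the real DER-encoded root CA before the profile is deployed. On macOS the resulting unsigned file can be signed with `security cms -S -N "<signing identity name>" -i wired.mobileconfig -o wired-signed.mobileconfig` and the signed copy decoded for inspection with `security cms -D -i wired-signed.mobileconfig`; signing before uploading is what PhillyPhoto describes to keep the JSS from rewriting the payloads.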