802.1X authentication issues

New Contributor II

Background: Trying to machine authenticate to new Aruba Network SSID

I've seen several discussions on here about 802.1X, but are there any logs that can help troubleshoot why 802.1X connections are failing? I've configured a profile according to https://www.jamf.com/jamf-nation/discussions/8282/802-1x-profiles-help#responseChild44231. It works and I'm getting a X509 certificate to a domain bound mac. However, I cannot for the life of me tweak the profile enough to get it to connect to Aruba wireless.



Make sure to include the Root CA and Intermediate certs in the profile and the make sure to check under the Trust tab that the certs are trusted.

New Contributor II

I've done that. No dice.

Contributor II

You say domain bound Mac, so I'll assume an AD environment.

I've had to make sure that the "servicePrincipalName" attribute in AD for the machine object is set. It needs to be in the format:

host/{$FQDN_of_device} - ie; host/hostname.domain.org

If this attribute is missing, then it won't connect.

Valued Contributor

You will need to configure 3 payloads in a configuration profile (Network, Certificate, SCEP) - you can get the cert direct from the AD too.
Example below covers using SCEP to issue the computer certificate with the EAP-TLS protocol when the Macs are bound to an Active Directory domain.

Make sure you have Root cert chain in System KeyChain.

I think you will need to configure the SCEP to respond dynamically to the spinning password. Default setting is 5 attempts per hour for the same password if I remember it correctly….
You also need to expand the enquiry limitation and tell SCEP to use the specific template from the issuing server.

Once the device got the cert the RADIUS does the authentication part to
the network - it checks the AD object details then gives access.

I hope this helps a bit…

Distribution Method: Install Automatically
Computer Level

Fill the details appropriate to your requirements and select the SCEP part as you have used on this profile.

Upload all the chain.

whatever name you want…

Subject Alternative Name Type: DNS Name
Subject Alternative Name Value:
Challenge Type: Dynamic-Microsoft CA
URL to SCEP Admin:
Retry Delay: 0 Seconds
Certificate Expiration Notification Threshold:
Key Size:
(selected) Use as digital signature
(selected) Use for key encipherment

Valued Contributor

On the NETWORK payload make sure to use the variable as below:

Username for connection to the network

New Contributor II

Sweet, thanks. Are there any logs that are helpful for mudding through this?

We're using an AD request setup. I've added your suggestions outside of SCEP and it's still failing.

New Contributor III

Are you hosting your PKI server on Windows 2012 R2? We had an issue where our WiFi Config Profile would not install, and we could not see any denies in the event log on the PKI server. We had to reach out to MS and they gave us a reg key (can't find it atm, can reach out to my server team if needed) that allowed the security to be lowered. I guess the default security behavior in 2012 is to ignore all non-encrypted requests. The REG key just lowers it to not ignore them.

Check out this article as well. https://www.afp548.com/2012/11/20/802-1x-eaptls-machine-auth-mtlion-adcerts/

New Contributor II

We're actually getting certificates just fine. I visited that article many times the past couple of days. I finally spun up an older macOS so I could get that eapolclient working. Finally getting an error!

1/30/18 2:41:15.685 PM eapolclient[1016]: [eaptls_plugin.c:290] eaptls_verify_server(): server certificate not trusted status 6 0

I'm assuming that I need to do something with the trust settings to allow the server certificate...?
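The error line above is the kind of thing that is worth picking out of a log automatically when several machines are failing. The following is an added example (not code from the thread or from Apple): a small triage script that parses eapolclient lines in the format of the one posted above, flags the "server certificate not trusted" case from eaptls_verify_server(), and attaches the remediation this thread arrives at. The log format is inferred from that single line; the two extra sample lines are constructed filler and do not claim to be real eapolclient output.

```python
"""Triage macOS eapolclient log lines for EAP-TLS server-trust failures.

Added example, not code from the thread or from Apple. The line format is
taken from the one entry posted above; the other sample lines are constructed.
"""
import re

# Syslog-style prefix: date, time, AM/PM, process[pid]: message
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{2,4}) (?P<time>\d{1,2}:\d{2}:\d{2}(?:\.\d+)?) "
    r"(?P<ampm>[AP]M) (?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# eapolclient plugin message body: [source.c:line] function(): detail
PLUGIN_RE = re.compile(
    r"^\[(?P<src>[\w.]+):(?P<srcline>\d+)\] (?P<func>\w+)\(\): (?P<detail>.*)$"
)
# Trailing "status A B" numbers in the detail string
STATUS_RE = re.compile(r"status (?P<status>-?\d+) (?P<substatus>-?\d+)\s*$")


def parse_line(line):
    """Return a dict of fields for an eapolclient line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("proc") != "eapolclient":
        return None
    event = m.groupdict()
    event["pid"] = int(event["pid"])
    p = PLUGIN_RE.match(event["msg"])
    if p:
        event.update(p.groupdict())
        event["srcline"] = int(event["srcline"])
        s = STATUS_RE.search(event["detail"])
        if s:
            event["status"] = int(s.group("status"))
            event["substatus"] = int(s.group("substatus"))
    return event


def classify(event):
    """Map a parsed event to a coarse category a responder can act on."""
    if event is None:
        return None
    detail = event.get("detail", event["msg"]).lower()
    if event.get("func") == "eaptls_verify_server" and "not trusted" in detail:
        # The supplicant rejected the RADIUS server's certificate: the chain it
        # presented does not end in a CA that the Network payload trusts.
        return "server_cert_not_trusted"
    return "other"


HINTS = {
    "server_cert_not_trusted": (
        "Add the RADIUS server's full CA chain (root and intermediates) to the "
        "profile and mark it trusted under the Network payload's Trust tab."
    ),
}


def triage(lines):
    """Return (category, event, hint) for every actionable eapolclient line."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        cat = classify(ev)
        if cat and cat != "other":
            findings.append((cat, ev, HINTS.get(cat, "")))
    return findings


# Sample input: the first line is the one posted in the thread; the rest are
# constructed filler to show that unrelated lines are ignored.
SAMPLE_LOG = [
    "1/30/18 2:41:15.685 PM eapolclient[1016]: [eaptls_plugin.c:290] "
    "eaptls_verify_server(): server certificate not trusted status 6 0",
    "1/30/18 2:41:15.690 PM configd[52]: constructed unrelated line",
    "1/30/18 2:41:16.001 PM eapolclient[1016]: constructed line with no plugin prefix",
]

if __name__ == "__main__":
    for cat, ev, hint in triage(SAMPLE_LOG):
        print(f"{ev['date']} {ev['time']} pid={ev['pid']} {cat} "
              f"(status {ev.get('status')}): {hint}")
```

Pipe a saved system log through `triage()` and only the EAP-TLS trust failures come back, each with the date, pid and the fix; anything from other processes, or eapolclient lines without the plugin prefix, is parsed but not reported.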

New Contributor III

Here is a screen shot of my Network Payload trust settings

New Contributor II

Thanks for your help.

We figured out the issue. Apparently there was a chain of untrusted certs to the Aruba server. We had to add the chain of certs into the network payload and things just started working.

On another note, we used $COMPUTERNAME vs host/$COMPUTERNAME, but I don't understand why. I know the SPN in the active directory has host/$COMPUTERNAME.domain.com on the object's creation, yet $COMPUTERNAME worked. Do you know the difference between these values?
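Two points in this thread come down to the same attribute: the earlier reply says the machine object's servicePrincipalName must contain host/<FQDN> or the connection fails, and the question above is what host/$COMPUTERNAME.domain.com actually matches. The following is an added example (not code from the thread) that audits computer objects for exactly that SPN. It assumes each object is a dict shaped like an LDAP search result (attribute name to list of values); the domain, machine names and SPN values are constructed.

```python
"""Check that AD computer objects carry the host/<FQDN> SPN that EAP-TLS
machine authentication relies on.

Added example, not code from the thread. Objects are assumed to be dicts in
LDAP-result shape (attribute -> list of values); all sample data is constructed.
"""


def normalize_spn(spn):
    """AD matches SPNs case-insensitively, so compare a lower-cased form."""
    return spn.strip().lower()


def expected_host_spn(computer_name, domain):
    """Build the SPN the earlier reply asks for: host/<hostname>.<domain>.

    A computer's sAMAccountName ends in '$' (e.g. MAC01$); strip it, and
    strip any '.<domain>' suffix already present so the name is not doubled.
    """
    name = computer_name.strip().rstrip("$").lower()
    domain = domain.strip().lower()
    if name.endswith("." + domain):
        name = name[: -(len(domain) + 1)]
    return f"host/{name}.{domain}"


def check_machine_spn(machine_object, domain):
    """Return (ok, reason); ok is True only when the FQDN host SPN is present."""
    name = machine_object.get("sAMAccountName", [""])[0]
    if not name:
        return False, "object has no sAMAccountName"
    want = expected_host_spn(name, domain)
    spns = machine_object.get("servicePrincipalName") or []
    if not spns:
        return False, f"servicePrincipalName attribute is missing; expected {want}"
    have = {normalize_spn(s) for s in spns}
    if want in have:
        return True, f"found {want}"
    short = want.split(".")[0]  # host/<hostname> without the domain part
    if short in have:
        return False, f"only short-name SPN {short} present; expected FQDN form {want}"
    return False, f"no host SPN for this object; expected {want}"


def audit(machine_objects, domain):
    """Run the check over many objects; returns {sAMAccountName: (ok, reason)}."""
    return {
        obj.get("sAMAccountName", ["?"])[0]: check_machine_spn(obj, domain)
        for obj in machine_objects
    }


# Constructed sample directory entries (not real objects).
DOMAIN = "corp.example.com"
MACHINES = [
    {"sAMAccountName": ["MAC01$"],
     "servicePrincipalName": ["HOST/mac01.corp.example.com",
                              "RestrictedKrbHost/mac01.corp.example.com"]},
    {"sAMAccountName": ["MAC02$"],
     "servicePrincipalName": ["host/mac02"]},  # short name only
    {"sAMAccountName": ["MAC03$"]},            # attribute missing entirely
]

if __name__ == "__main__":
    for name, (ok, reason) in audit(MACHINES, DOMAIN).items():
        print(f"{name}: {'OK' if ok else 'FAIL'} - {reason}")
```

The three constructed objects cover the cases the thread mentions: a correct FQDN SPN (matched regardless of case), a short-name-only SPN that looks right at a glance but is not the host/FQDN form, and the missing attribute that the earlier reply says prevents the connection outright. The string `expected_host_spn()` returns for a given machine is what a host/$COMPUTERNAME.<domain> value in the Network payload expands to for that machine.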

New Contributor

Posted: 1/30/18 at 3:07 AM by Cem:
    on NETWORK payload make sure use the variable as below: Username Username for connection to the network host/$COMPUTERNAME.yourcompany.com

@Cem Ok, I'm not using Jamf and want to deploy all necessary WiFi settings via CP. Is there a method to fill in the variable host/$COMPUTERNAME.yourcompany.com?

Valued Contributor

@maziboss I think host/%ComputerName%.yourcompany.com may work...
ref: help.apple.com/profilemanager/mac