Posted on 01-28-2018 03:55 PM
Background: Trying to machine authenticate to new Aruba Network SSID
I've seen several discussions on here about 802.1X, but are there any logs that can help troubleshoot why 802.1X connections are failing? I've configured a profile according to https://www.jamf.com/jamf-nation/discussions/8282/802-1x-profiles-help#responseChild44231. It works and I'm getting an X.509 certificate to a domain-bound Mac. However, I cannot for the life of me tweak the profile enough to get it to connect to Aruba wireless.
Posted on 01-28-2018 05:46 PM
Make sure to include the Root CA and Intermediate certs in the profile and make sure to check under the Trust tab that the certs are trusted.
Posted on 01-28-2018 06:23 PM
I've done that. No dice.
Posted on 01-28-2018 06:56 PM
You say domain bound Mac, so I'll assume an AD environment.
I've had to make sure that the "servicePrincipalName" attribute in AD for the machine object is set. It needs to be in the format:
host/{$FQDN_of_device} - i.e. host/hostname.domain.org
If this attribute is missing, then it won't connect.
Posted on 01-30-2018 12:43 AM
You will need to configure 3 payloads in a configuration profile (Network, Certificate, SCEP) - you can get the cert direct from the AD too.
The example below covers using SCEP to issue the computer certificate with the EAP-TLS protocol when the Macs are bound to an Active Directory domain.
Make sure you have the Root cert chain in the System Keychain.
I think you will need to configure SCEP to respond dynamically to the spinning password. The default setting is 5 attempts per hour for the same password, if I remember it correctly…
You also need to expand the enquiry limitation and tell SCEP to use the specific template from the issuing server.
Once the device has got the cert, the RADIUS does the authentication part to the network - it checks the AD object details, then gives access.
I hope this helps a bit…
General
  Distribution Method: Install Automatically
  Level: Computer Level
NETWORK
  fill the details appropriate to your requirements and select the SCEP part as you have used on this profile.
CERTIFICATE
  upload all the chain
SCEP
  URL: http://scepserver.yourcompany.com/certsrv/mscep/mscep.dll/
  Name: whatever name you want…
  Subject: CN=$COMPUTERNAME.yourcompany.com
  Subject Alternative Name Type: DNS Name
  Subject Alternative Name Value: host/$COMPUTERNAME.yourcompany.com
  Challenge Type: Dynamic-Microsoft CA
  URL to SCEP Admin: http://scepserver.yourcompany.com/certsrv/mscep_admin/
  Retries: 0
  Retry Delay: 0 Seconds
  Certificate Expiration Notification Threshold: 14
  Key Size: 1024
  (selected) Use as digital signature
  (selected) Use for key encipherment
  Fingerprint:
Posted on 01-30-2018 01:07 AM
On the NETWORK payload, make sure to use the variable as below:
Username (Username for connection to the network): host/$COMPUTERNAME.yourcompany.com
Posted on 01-30-2018 01:23 AM
Posted on 01-30-2018 12:08 PM
Sweet, thanks. Are there any logs that are helpful for muddling through this?
We're using an AD request setup. I've added your suggestions outside of SCEP and it's still failing.
Posted on 01-30-2018 12:32 PM
Are you hosting your PKI server on Windows 2012 R2? We had an issue where our WiFi Config Profile would not install, and we could not see any denies in the event log on the PKI server. We had to reach out to MS and they gave us a reg key (can't find it atm, can reach out to my server team if needed) that allowed the security to be lowered. I guess the default security behavior in 2012 is to ignore all non-encrypted requests. The REG key just lowers it to not ignore them.
Check out this article as well. https://www.afp548.com/2012/11/20/802-1x-eaptls-machine-auth-mtlion-adcerts/
Posted on 01-30-2018 01:47 PM
We're actually getting certificates just fine. I visited that article many times over the past couple of days. I finally spun up an older macOS so I could get eapolclient working. Finally getting an error!
1/30/18 2:41:15.685 PM eapolclient[1016]: [eaptls_plugin.c:290] eaptls_verify_server(): server certificate not trusted status 6 0
I'm assuming that I need to do something with the trust settings to allow the server certificate...?
Posted on 01-30-2018 02:19 PM
Here is a screen shot of my Network Payload trust settings
Posted on 01-30-2018 03:59 PM
Thanks for your help.
We figured out the issue. Apparently there was a chain of untrusted certs to the Aruba server. We had to add the chain of certs into the network payload and things just started working.
On another note, we used $COMPUTERNAME vs host/$COMPUTERNAME, but I don't understand why. I know the SPN in the active directory has host/$COMPUTERNAME.domain.com on the object's creation, yet $COMPUTERNAME worked. Do you know the difference between these values?
Posted on 03-19-2018 11:35 AM
Posted: 1/30/18 at 3:07 AM by Cem: On the NETWORK payload, make sure to use the variable as below: Username (Username for connection to the network): host/$COMPUTERNAME.yourcompany.com
@Cem OK, I'm not using Jamf and want to deploy all the necessary WiFi settings via a CP. Is there a method to fill in the variable host/$COMPUTERNAME.yourcompany.com?
Posted on 03-20-2018 06:47 AM
@maziboss I think host/%ComputerName%.yourcompany.com may work...
ref: help.apple.com/profilemanager/mac