802.1x config script questions

Question

Hello,

So we are configuring ISE in our environment and we cant use scep to automate it because security wont let us open the ports down to the internal scep server. so i just setup the config profile and added our ISE certs etc... the issue is the user are prompted the first time to choose the cert it is always the second cert in the list and it only happens the one time they choose it and they are good going forward... my question is there a way to have the user not have to choose the cert maybe a script that we can run after the config profile is pushed down ?

spalladino · Answer

Here is the script i tried to make work but no luck it doesnt choose the cert automatically any thoughts on what might be wrong ?

!/usr/bin/env bash

#### This script must be run on user login as all identity preferences are put into the user's keychain

#### We also must wait for the user environment to be stood up before we attempt to insert the certificate into the keychain

Wait for user environment to be stood up

CurrentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')

DockStatus=$(pgrep -x Dock)

echo -s "Waiting for User environment to be Stood Up"

while [[ "$DockStatus" == "" ]]
do
echo "User Environment not Loaded yet, Waiting"
sleep 5
DockStatus=$(pgrep -x Dock)
done

sleep 5

echo "$CurrentUser environment loaded, continuing with 802.1x identity creation"

We need to gather the CN of the Jamf device certificate in order to create an identity preference for the ALNY JAMF SSID

The below command creates a variable with that Common Name

JamfCertificateCommonName=$(sudo -u "$CurrentUser" security find-identity -v | grep " | awk '{print $3}' | sed 's/"//g')

Next, we create an identity preference in the current user's keychain to use Jamf's device certificate for EAP-TLS authentication to the SSID

sudo -u "$CurrentUser" security set-identity-preference -c "$JamfCertificateCommonName" -s "com.apple.network.eap.user.identity.default" /Library/Keychains/System.keychain

sudo -u "$CurrentUser" security set-identity-preference -c "$JamfCertificateCommonName" -s "com.apple.network.eap.user.identity.wlan.ssid."SSID"" /Library/Keychains/System.keychain

!/usr/bin/env bash

#### This script must be run on user login as all identity preferences are put into the user's keychain

#### We also must wait for the user environment to be stood up before we attempt to insert the certificate into the keychain

Wait for user environment to be stood up

We need to gather the CN of the Jamf device certificate in order to create an identity preference for the ALNY JAMF SSID

The below command creates a variable with that Common Name

Next, we create an identity preference in the current user's keychain to use Jamf's device certificate for EAP-TLS authentication to the SSID

sudo -u "$CurrentUser" security set-identity-preference -c "$JamfCertificateCommonName" -s "com.apple.network.eap.user.identity.wlan.ssid."SSID"" /Library/Keychains/System.keychain

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded