Posted on 03-10-2017 06:58 AM
Hi everyone,
I am having some problems on Configuration Profiles for 802.1x EAP-TLS. I would really appreciate some suggestions.
Currently, we are using two Configuration Profiles for the same SSID.
CP1: A "Computer level" profile that obtains a computer certificate from SCEP, obviously the computer certificate is stored in the system keychain.
CP2: A "User level" profile that obtains a user certificate from SCEP, which is stored in the login keychain.
Before a user logs in for the first time, CP1 is used to connect to WiFi. After a user logs in, CP2 is installed and authenticates again using the user certificate, which changes the IP address to another VLAN according to the user's group in AD. The problem is that after a reboot, there is no more WiFi connection at the login window. It seems CP2 overwrites CP1, so at the login window the computer is trying to apply CP2, which uses the user certificate in the login keychain that is not available before user login.
I have tried the following but no luck:
1. Tick the box "Use as a Login Window configuration" for CP1 (this option is not available for CP2), but it doesn't help.
2. I have also tried to modify CP2 to store the user certificate in the system keychain, but whenever a user (say, an IT admin) logs into a computer, his/her user certificate gets installed in the system keychain, and then other users on that computer can use that IT admin's certificate to access our IT network - not good.
3. I have also tried using two different SSIDs for CP1 and CP2, but the Mac seems to stick to the WiFi available on the login screen (i.e., CP1), and does not switch to the SSID specified in CP2 after the user logs in...
I believe I must have missed something. Really appreciate some suggestions.
Many thanks.
Cheers,
Jeffrey
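For anyone auditing their own profiles for the CP1/CP2 overlap described in this post, here is an added example (my own script, not something Jeffrey or Jamf provided) that parses `.mobileconfig` plists, groups the Wi-Fi payloads by SSID, and flags the combinations the thread is about: a System-scoped and a User-scoped profile for the same SSID, and a User-scoped EAP-TLS payload whose identity lives in the login keychain and so cannot be used at the login window. The payload keys (`PayloadScope`, `com.apple.wifi.managed`, `SSID_STR`, `SetupModes`, `EAPClientConfiguration`/`AcceptEAPTypes`) are Apple's documented Wi-Fi payload keys; the two sample profiles, their identifiers `com.example.cp1`/`com.example.cp2`, and the SSID `CorpWiFi` are constructed for the example.

```python
"""Audit macOS Wi-Fi configuration profiles for System/User scope conflicts
on the same SSID (added example; sample profiles below are constructed)."""
from __future__ import annotations

import plistlib
from collections import defaultdict

EAP_TLS = 13  # EAP method type number for EAP-TLS (RFC 5216)

# Constructed "CP1": System-scoped, SCEP-issued machine identity, login window capable.
CP1_SYSTEM = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadIdentifier</key><string>com.example.cp1</string>
  <key>PayloadScope</key><string>System</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.wifi.managed</string>
    <key>SSID_STR</key><string>CorpWiFi</string>
    <key>SetupModes</key><array><string>System</string><string>Loginwindow</string></array>
    <key>EAPClientConfiguration</key><dict>
      <key>AcceptEAPTypes</key><array><integer>13</integer></array>
    </dict>
  </dict></array>
</dict></plist>"""

# Constructed "CP2": User-scoped, user identity in the login keychain, same SSID.
CP2_USER = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadIdentifier</key><string>com.example.cp2</string>
  <key>PayloadScope</key><string>User</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.wifi.managed</string>
    <key>SSID_STR</key><string>CorpWiFi</string>
    <key>SetupModes</key><array><string>User</string></array>
    <key>EAPClientConfiguration</key><dict>
      <key>AcceptEAPTypes</key><array><integer>13</integer></array>
    </dict>
  </dict></array>
</dict></plist>"""


def wifi_entries(profile_xml: str) -> list[dict]:
    """Return one record per com.apple.wifi.managed payload in a profile."""
    profile = plistlib.loads(profile_xml.encode("utf-8"))
    scope = profile.get("PayloadScope", "User")  # Apple's default when absent
    records = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.wifi.managed":
            continue
        eap = payload.get("EAPClientConfiguration", {})
        records.append({
            "profile": profile.get("PayloadIdentifier", "<no identifier>"),
            "scope": scope,
            "ssid": payload.get("SSID_STR"),
            "modes": payload.get("SetupModes", []),
            "eap_tls": EAP_TLS in eap.get("AcceptEAPTypes", []),
        })
    return records


def find_ssid_conflicts(profiles: list[str]) -> dict[str, list[str]]:
    """Map SSID -> human-readable findings; empty dict means nothing to fix."""
    by_ssid: dict[str, list[dict]] = defaultdict(list)
    for xml in profiles:
        for rec in wifi_entries(xml):
            by_ssid[rec["ssid"]].append(rec)

    findings: dict[str, list[str]] = {}
    for ssid, recs in by_ssid.items():
        system = [r for r in recs if r["scope"] == "System"]
        user = [r for r in recs if r["scope"] == "User"]
        issues = []
        if system and user:
            issues.append(
                f"System profile(s) {[r['profile'] for r in system]} and User "
                f"profile(s) {[r['profile'] for r in user]} both target this SSID; "
                "the User profile can replace the login window configuration")
        for r in user:
            if r["eap_tls"]:
                issues.append(f"{r['profile']}: EAP-TLS with a login-keychain "
                              "identity, unusable before a user logs in")
        for r in system:
            if not ({"System", "Loginwindow"} & set(r["modes"])):
                issues.append(f"{r['profile']}: System scope but SetupModes has "
                              "neither System nor Loginwindow")
        if issues:
            findings[ssid] = issues
    return findings


if __name__ == "__main__":
    for ssid, issues in find_ssid_conflicts([CP1_SYSTEM, CP2_USER]).items():
        print(f"SSID {ssid}:")
        for issue in issues:
            print(f"  - {issue}")
```

Feed it the exported profiles from your MDM (read each file into a string) instead of the two constructed ones; any SSID that comes back with a System/User pair is exactly the situation where the login window Wi-Fi stops working after the user profile lands.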
Posted on 03-13-2017 12:02 PM
:bump: for what it's worth... I am experiencing a similar issue where CP1 appears to be forgotten once CP2 user config is used. However, we use ttls along with root certs for both cp1 and cp2.
Posted on 03-13-2017 10:04 PM
@bytea and @rickwhois
I'm pretty sure there is a document somewhere stating Macs don't do both Machine and User auth. I struggled with this for quite a while. I tried looking for the documents, but from my previous posts I found these two answers, both conflicting:
"It’s possible to use System Mode and Login Window Mode together."
"If you have configured a System profile in your location, do not add a User or Login Window profile to that same location."
both of these from Apple documentation.....
Posted on 03-14-2017 09:02 AM
I have the Apple whitepaper that @BOBW is talking about; I found my old Google link, or I can post a direct link to the PDF here. I have been using a system mode and login window mode profile since last year (WPA2 Ent, EAP-TLS, PEAP). As per @BOBW's post, it appears there may be a problem with adding additional profiles: "If you have configured a System profile in your location, do not add a User or Login Window profile to that same location".
Posted on 03-14-2017 03:24 PM
Great discussion!
I think it is true that "System Mode" can be used at the Login Window because in "System Mode" the configuration is stored in the system keychain. On the other hand, it seems we cannot use both a System Profile and a User Profile in the same location for the same SSID, right? If anyone has had success in doing this, please let us know. Much appreciated!
Posted on 12-15-2022 09:03 AM
Posted on 01-12-2023 06:57 AM
Hi Everyone,
I solved the 802.1x problem. You can contact me here to find out how to solve the problem.
Posted on 12-19-2023 06:44 AM
Why not just post it here for everyone to benefit?
Posted on 12-19-2023 07:12 AM
Hi,
Actually, I made the necessary explanations under a similar discussion title. I didn't want to write here again. Let me share its link with you.
Posted on 12-19-2023 07:14 AM
Posted on 12-19-2023 07:29 AM
Hi,
If you switch to Aruba Central Cloud, this solution will not work for you, because in the cloud architecture there is no option to download a profile to the system. I submitted a feature request for this. I hope they make this happen.