802.1x EAP-TLS Configuration Profile for Enterprise WiFi

bytea
New Contributor

Hi everyone,

I am having some problems with Configuration Profiles for 802.1x EAP-TLS. I would really appreciate some suggestions.

Currently, we are using two Configuration Profiles for the same SSID.
CP1: A "Computer level" profile that obtains a computer certificate from SCEP, obviously the computer certificate is stored in the system keychain.
CP2: A "User level" profile that obtains a user certificate from SCEP, which is stored in the login keychain.

Before a user logs in for the first time, CP1 is used to connect to WiFi. After a user logs in, CP2 is installed and authenticates again using the user certificate, which changes the IP address to another VLAN according to the user's group in AD. The problem is that after a reboot, there is no more WiFi connection at the login window. It seems CP2 overwrites CP1, so at the login window the computer is trying to apply CP2, which uses the user certificate in the login keychain that is not available before the user logs in.

I have tried the following but no luck:
1. Ticked the box "Use as a Login Window configuration" for CP1 (this option is not available for CP2), but it doesn't help.
2. Modified CP2 to store the user certificate in the system keychain, but whenever a user (say, an IT admin) logs into a computer, his/her user certificate gets installed in the system keychain, and then other users on that computer can use that IT admin's certificate to access our IT network - not good.
3. Used two different SSIDs for CP1 and CP2, but the Mac seems to stick to the WiFi available on the login screen (i.e., CP1) and does not switch to the SSID specified in CP2 after the user logs in...

I believe I must have missed something. I would really appreciate some suggestions.

Many thanks.

Cheers,
Jeffrey
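The overlap the original post describes (a system-mode profile and a user-mode profile carrying EAP-TLS for the same SSID) can be spotted before deployment by reading the Wi-Fi payloads out of the .mobileconfig files. The script below is an added example and is not code from the thread or from Jamf: it parses two constructed profiles standing in for CP1 and CP2, classifies each Wi-Fi payload by its `SetupModes` (a payload with no `SetupModes` is a user-mode payload backed by the login keychain), and flags an SSID that has both a System-mode and a User-mode payload, which is the combination Apple's documentation quoted later in the thread warns against. The SSID, display names, and certificate UUID are made-up sample values; the payload keys (`com.apple.wifi.managed`, `SSID_STR`, `SetupModes`, `EAPClientConfiguration`, `AcceptEAPTypes`, `PayloadCertificateUUID`) are the ones Apple's Wi-Fi payload uses.

```python
#!/usr/bin/env python3
"""Audit .mobileconfig Wi-Fi payloads for System/User profile overlap on one SSID.
Added example; the two profiles below are constructed, not taken from the thread."""
import plistlib
from collections import defaultdict

WIFI_PAYLOAD_TYPE = "com.apple.wifi.managed"
EAP_TLS = 13  # IANA EAP method type for EAP-TLS

# Constructed stand-in for CP1: computer-level, usable at the login window.
CP1_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadDisplayName</key><string>CP1 Computer WiFi</string>
  <key>PayloadScope</key><string>System</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.wifi.managed</string>
    <key>SSID_STR</key><string>CorpWiFi</string>
    <key>SetupModes</key><array><string>System</string><string>Loginwindow</string></array>
    <key>EAPClientConfiguration</key><dict>
      <key>AcceptEAPTypes</key><array><integer>13</integer></array>
    </dict>
    <key>PayloadCertificateUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  </dict></array>
</dict></plist>"""

# Constructed stand-in for CP2: user-level, no SetupModes, so login-keychain backed.
CP2_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadDisplayName</key><string>CP2 User WiFi</string>
  <key>PayloadScope</key><string>User</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.wifi.managed</string>
    <key>SSID_STR</key><string>CorpWiFi</string>
    <key>EAPClientConfiguration</key><dict>
      <key>AcceptEAPTypes</key><array><integer>13</integer></array>
    </dict>
    <key>PayloadCertificateUUID</key><string>00000000-0000-0000-0000-000000000002</string>
  </dict></array>
</dict></plist>"""


def load_profile(xml_bytes):
    """Parse a .mobileconfig (XML plist) into a dict."""
    return plistlib.loads(xml_bytes)


def summarize(profile):
    """Return one record per Wi-Fi payload: SSID, modes, EAP types, cert reference."""
    records = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != WIFI_PAYLOAD_TYPE:
            continue
        # Absent SetupModes means a user-mode payload (credentials in the login keychain).
        modes = list(payload.get("SetupModes") or ["User"])
        eap_types = list(payload.get("EAPClientConfiguration", {}).get("AcceptEAPTypes", []))
        records.append({
            "profile": profile.get("PayloadDisplayName", "?"),
            "ssid": payload.get("SSID_STR"),
            "modes": modes,
            "eap_types": eap_types,
            "has_cert_ref": bool(payload.get("PayloadCertificateUUID")),
        })
    return records


def audit(profiles):
    """Flag EAP-TLS payloads with no certificate reference and SSIDs where
    a System-mode payload and a User-mode payload coexist."""
    findings = []
    by_ssid = defaultdict(list)
    for profile in profiles:
        for rec in summarize(profile):
            by_ssid[rec["ssid"]].append(rec)
            if EAP_TLS in rec["eap_types"] and not rec["has_cert_ref"]:
                findings.append(f"{rec['profile']}: EAP-TLS on {rec['ssid']!r} has no PayloadCertificateUUID")
    for ssid, recs in by_ssid.items():
        system = [r["profile"] for r in recs if "System" in r["modes"]]
        user = [r["profile"] for r in recs if "User" in r["modes"]]
        if system and user:
            findings.append(
                f"SSID {ssid!r}: System-mode {system} and User-mode {user} overlap; "
                "Apple advises not to add a User or Login Window profile where a System profile exists"
            )
    return findings


if __name__ == "__main__":
    for line in audit([load_profile(CP1_XML), load_profile(CP2_XML)]):
        print(line)
```

Run it against the exported profiles from your MDM (replace the constructed XML with `open(path, "rb").read()`), and extend the System/User check to a per-location check if your environment uses several network locations, since the guidance quoted in the thread is stated per location.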


rickwhois
Contributor

:bump: for what it's worth... I am experiencing a similar issue where CP1 appears to be forgotten once the CP2 user config is used. However, we use TTLS along with root certs for both CP1 and CP2.

BOBW
Contributor II

@bytea and @rickwhois

I'm pretty sure there is a document somewhere stating Macs don't do both Machine and User auth. I struggled with this for quite a while. I tried looking for the documents, but from my previous posts I found these two answers, both conflicting:
"It’s possible to use System Mode and Login Window Mode together."
"If you have configured a System profile in your location, do not add a User or Login Window profile to that same location."

Both of these are from Apple documentation.....

Nix4Life
Valued Contributor

I have the Apple whitepaper that @BOBW is talking about; I found my old Google link, or I can post a direct link to the PDF here. I have been using System Mode and Login Window Mode profiles since last year (WPA2 Enterprise, EAP-TLS, PEAP). As per @BOBW's post, it appears there may be a problem with adding additional profiles: "If you have configured a System profile in your location, do not add a User or Login Window profile to that same location".

bytea
New Contributor

@BOBW and @LSinNY

Great discussion!

I think it is true that "System Mode" can be used at the Login Window, because in "System Mode" the configuration is stored in the system keychain. On the other hand, it seems we cannot use both a System Profile and a User Profile in the same location for the same SSID, right? If anyone has had success in doing this, please let us know. Much appreciated!

rypowell1988
New Contributor

Hi @bytea / @BOBW 

We're looking at achieving the same setup that @bytea described in their original post. Just wondering if you've had any success with this following your original messages?


Thanks

husnudagidir
Contributor

Hi Everyone,

I solved the 802.1x problem. You can contact me here to find out how to solve the problem.

Why not just post it here for everyone to benefit?

hdagidir
New Contributor III

Hi,

Actually, I made the necessary explanations under a similar discussion title. I didn't want to write here again. Let me share its link with you.

hdagidir
New Contributor III

Hi,


If you switch to Aruba Central Cloud, this solution will not work for you, because in the cloud architecture there is no option to download a profile to the system. I submitted a feature request for this. I hope they make this happen.