1 ACCEPTED SOLUTION
I wanted to follow up and provide info in this post now that we have solved this issue and are actively authenticating macbooks via clearpass. Hopefully this will be helpful for others as they do similar processes.
On the Jamf side, you have to have all of the previous SCEP server implementation portion working, or whatever you use to get the machine certificates issued and applied to the macbook. Then, you create a new configuration profile for the network.
For EAP-TLS you want to choose "Computer Level" in the level dropdown.
Then, you need to make sure you have the proper certificate payloads in the Certificate payload section. We have 3 of them in ours: The root cert, an intermediate cert, and I'm not sure why but another copy of the root. This portion was done by someone before I did my portion of the integration. I did not scroll and screenshot all 3.
Then you have to set up the network payload. Give it an SSID, and more likely than not, you will want to disable MAC address randomization, depending on your environment. With our environment, leaving mac randomization active would wreak havoc because we have certain portions of the authorization that are based on the mac-address of the macbook. Make sure you choose WPA2 Enterprise, or perhaps WPA3 if you're running that.
.
.
As you get down to the EAP types, select TLS. I don't know that the username field is necessarily required, but, by putting $COMPUTERNAME in the username field, the activity monitor logs on clearpass will show the computer's name in the username field, so it's handy for troubleshooting and log viewing. For identity certificate, you want to choose your SCEP proxy certificate.
.
.
.
After completing the network tab, it is important to click over to the TRUST tab as well. Here you can select under trusted certificates, the root, and the sub cert. One other very important thing (ours would not work without this) is to add under "Trusted Server Certificate Names" the hostname of the clearpass server(s) as they appear in their certificates. Our CN on the clearpass server cert for example, was something like "Clearpass.ourcompany.com" and so you need to add that as a trusted server certificate name here in Jamf. When we did not have this here, all we would get on clearpass in activity monitor was a bunch of timeouts as it tried to authenticate.
.
.
.
.
Save that network payload, and then go to the SCEP payload and make sure your cert stuff is filled in here as well. I didn't do this portion of the integration, but hopefully this will make sense to you when you get there.
.
.
.
.
That's what we needed on the Jamf side. Now for the Clearpass side. Checking your certificate store, you need to make sure your server certificate has the right CN= name that I referenced above in the SCEP/Network payloads. So if your clearpass server cert says the CN=clearpass.yourcompany.com, make sure that's what you have under the trusted servers in the jamf trust tab under the network profile.
.
.
.
.
Now here's one of the big areas where I got stuck, not knowing exactly how this would look for a non-Active Directory configuration with non-Windows machines. When I started my process, in clearpass, I cloned my regular 802.1X EAP-TLS service that we were using to authenticate windows machines using machine certificates, and authorize them as well, and assign their VLANs. The problem is, we were using the same "AUTH METHOD" that we were using for the windows machines: EAP-TLS, except if you open the actual EAP-TLS method setting, we had the "Authorization required" box checked, because you could do that with AD integration for authorization. These macbooks are NOT AD joined, so we had to remove that checkbox, which means, clone your EAP-TLS method in the auth method config area, and create a new one just for doing these machines, but without that checkbox for "authorization required" checked.
.
.
.
.
.
.
Then, once you're back in the authentication session's main page, you can have the EAP-TLS method that you just cloned, chosen in the top section. One issue we faced was that since I cloned this service, we had multiple AD servers chosen on the lower half, as "Authentication Sources", so that a few of our AD servers could authenticate them. Those were causing failures when authenticating macbooks that weren't AD integrated, because when the macbook would attempt connection, it would look in AD for the machine info and not find it, and authentication would fail. I didn't realize I could just leave the whole list of sources empty, and people I had been hearing from on the aruba forum were saying basically that "you just need the server cert to authenticate it", and that didn't really explain it, but it did get me to consider removing them and then it indeed worked. I had been wondering what other source I could create/use, but it turns out you don't need one.
.
.
.
So it was a learning curve, not having AD to deal with, and not really understanding where all these various certificates get placed, and what you're authenticating against. It's actually much simpler than I had originally thought, but without a good overview to read, it leaves you banging your head on the whole conceptualization of this process.
At present, we aren't using the jamf connector in clearpass, so we do trigger some of the service properties on specific things, to provide a little more security. For instance, the macbooks need to be in a local mac address list in clearpass, which is used to determine which service to use. We did that so that the windows machines wouldn't get hung up trying to authenticate using the macbook/jamf service. In the authorization part of the clearpass service service config, we have some specific values that the machine must have populated in it's authentication request, in order for it to be allowed on the network. For instance, if you don't have the proper AV software installed by the proper vendor, configured with a few settings we use at our company, you don't get on the network. Additionally, it checks to make sure there are no viruses currently being detected by AV. Things like that can make it so that no machine that isn't owned by your company, and configured as per your org's requirements, won't get on even if they found a way to get a cert installed.
I have a feeling we can even do a bit more, once we get the jamf connector installed, at a later date. For now, it feels great to have this working, and Jamf has helped secure our org better than using PEAP would, where we would have to worry about man-in-the-middle certificate attacks and username/password compromises. Hope this helps anyone else doing this type of integration.
Hi @RVTim ,
We have implemented WPA/WPA2 Enterprise using ClearPass and Jamf. The required certificate is a CPPM certificate, which needs to be included in the configuration profile.
To create the Wi-Fi Configuration Profile:
- Add a Certificate payload and upload the CPPM certificate.
- Add a Network payload and configure the following settings:
- Protocol: Set to PEAP.
- Authentication: Enter the username and password.
- Identity Certificate: Select the CPPM certificate.
- Under Trust settings:
- Enter the username and password.
- Select the Identity Certificate (CPPM certificate).
- Set Outer Identity to PEAP.
- Add Trusted Certificates and enable Allow Trust Exceptions if needed.
If your MacBook is already connected to the Wi-Fi network, you can find the CPPM certificate in the Keychain Access app. You can export and save the certificate, then upload it to Jamf for deployment.
I wanted to follow up and provide info in this post now that we have solved this issue and are actively authenticating macbooks via clearpass. Hopefully this will be helpful for others as they do similar processes.
On the Jamf side, you have to have all of the previous SCEP server implementation portion working, or whatever you use to get the machine certificates issued and applied to the macbook. Then, you create a new configuration profile for the network.
For EAP-TLS you want to choose "Computer Level" in the level dropdown.
Then, you need to make sure you have the proper certificate payloads in the Certificate payload section. We have 3 of them in ours: The root cert, an intermediate cert, and I'm not sure why but another copy of the root. This portion was done by someone before I did my portion of the integration. I did not scroll and screenshot all 3.
Then you have to set up the network payload. Give it an SSID, and more likely than not, you will want to disable MAC address randomization, depending on your environment. With our environment, leaving mac randomization active would wreak havoc because we have certain portions of the authorization that are based on the mac-address of the macbook. Make sure you choose WPA2 Enterprise, or perhaps WPA3 if you're running that.
.
.
As you get down to the EAP types, select TLS. I don't know that the username field is necessarily required, but, by putting $COMPUTERNAME in the username field, the activity monitor logs on clearpass will show the computer's name in the username field, so it's handy for troubleshooting and log viewing. For identity certificate, you want to choose your SCEP proxy certificate.
.
.
.
After completing the network tab, it is important to click over to the TRUST tab as well. Here you can select under trusted certificates, the root, and the sub cert. One other very important thing (ours would not work without this) is to add under "Trusted Server Certificate Names" the hostname of the clearpass server(s) as they appear in their certificates. Our CN on the clearpass server cert for example, was something like "Clearpass.ourcompany.com" and so you need to add that as a trusted server certificate name here in Jamf. When we did not have this here, all we would get on clearpass in activity monitor was a bunch of timeouts as it tried to authenticate.
.
.
.
.
Save that network payload, and then go to the SCEP payload and make sure your cert stuff is filled in here as well. I didn't do this portion of the integration, but hopefully this will make sense to you when you get there.
.
.
.
.
That's what we needed on the Jamf side. Now for the Clearpass side. Checking your certificate store, you need to make sure your server certificate has the right CN= name that I referenced above in the SCEP/Network payloads. So if your clearpass server cert says the CN=clearpass.yourcompany.com, make sure that's what you have under the trusted servers in the jamf trust tab under the network profile.
.
.
.
.
Now here's one of the big areas where I got stuck, not knowing exactly how this would look for a non-Active Directory configuration with non-Windows machines. When I started my process, in clearpass, I cloned my regular 802.1X EAP-TLS service that we were using to authenticate windows machines using machine certificates, and authorize them as well, and assign their VLANs. The problem is, we were using the same "AUTH METHOD" that we were using for the windows machines: EAP-TLS, except if you open the actual EAP-TLS method setting, we had the "Authorization required" box checked, because you could do that with AD integration for authorization. These macbooks are NOT AD joined, so we had to remove that checkbox, which means, clone your EAP-TLS method in the auth method config area, and create a new one just for doing these machines, but without that checkbox for "authorization required" checked.
.
.
.
.
.
.
Then, once you're back in the authentication session's main page, you can have the EAP-TLS method that you just cloned, chosen in the top section. One issue we faced was that since I cloned this service, we had multiple AD servers chosen on the lower half, as "Authentication Sources", so that a few of our AD servers could authenticate them. Those were causing failures when authenticating macbooks that weren't AD integrated, because when the macbook would attempt connection, it would look in AD for the machine info and not find it, and authentication would fail. I didn't realize I could just leave the whole list of sources empty, and people I had been hearing from on the aruba forum were saying basically that "you just need the server cert to authenticate it", and that didn't really explain it, but it did get me to consider removing them and then it indeed worked. I had been wondering what other source I could create/use, but it turns out you don't need one.
.
.
.
So it was a learning curve, not having AD to deal with, and not really understanding where all these various certificates get placed, and what you're authenticating against. It's actually much simpler than I had originally thought, but without a good overview to read, it leaves you banging your head on the whole conceptualization of this process.
At present, we aren't using the jamf connector in clearpass, so we do trigger some of the service properties on specific things, to provide a little more security. For instance, the macbooks need to be in a local mac address list in clearpass, which is used to determine which service to use. We did that so that the windows machines wouldn't get hung up trying to authenticate using the macbook/jamf service. In the authorization part of the clearpass service service config, we have some specific values that the machine must have populated in it's authentication request, in order for it to be allowed on the network. For instance, if you don't have the proper AV software installed by the proper vendor, configured with a few settings we use at our company, you don't get on the network. Additionally, it checks to make sure there are no viruses currently being detected by AV. Things like that can make it so that no machine that isn't owned by your company, and configured as per your org's requirements, won't get on even if they found a way to get a cert installed.
I have a feeling we can even do a bit more, once we get the jamf connector installed, at a later date. For now, it feels great to have this working, and Jamf has helped secure our org better than using PEAP would, where we would have to worry about man-in-the-middle certificate attacks and username/password compromises. Hope this helps anyone else doing this type of integration.
