Posted on 08-19-2021 03:05 AM
Hi all,
I've had a search through previous posts about this and I can see the question has been asked before a long time ago (4-5 years) with no resolution. I'm hoping someone can tell me whether this is possible or not.
I want to deploy an SSID using EAP-TLS and have client devices use a machine certificate to authentictae when a user is not signed in, then, when a user does sign in, to have a user certifcate used for authentication.
Ideally the flow would be:
No one signed in - device uses machine cert to authenticate to wi-fi, can receive updates
User A signs in - new authentication occurs using userA cert
User A signs out - new authentication using machine cert again
User B sings in - new authentication occurs using userB cert
etc
This is to support network level access control.
The previous posts i've read have mentioned issues with one profile overriding another or the client device sticking to just one profile.
Has anyone ever got this working? Annoyingly it's straight forward to do on Windows using the "User or Machine auth" setting.
Any help or insights would be appreciated!
Posted on 08-19-2021 08:52 AM
1. Configure the ADCS Connector.
2. Create a Dummy AD Account.
3. Append your ADCS Connector Certificate to the the Dummy AD account.
4. Create a Network Payload with your SSID System Level.
5. Add your ADCS cert, root cert, intermediate cert, and radius cert to the profile.
6. Deploy to all machines.
I have a similar process, but I don't use a Dummny AD account. I use my user's Azure AD identity to authenticate to the radius server.
Posted on 09-27-2022 11:15 AM
Hi bwoods,
We have the same setup as you. Jamf connect, Microsoft NPS Server, ADCS connector that issues computer-based certificate. Computers connect to Wifi when bound to AD but doesn't connect when it is not bound to AD. The log in our RADIUS shows that user doesn't exist.
Can you let me know how did you configure this?
Posted on 08-19-2021 09:18 AM
Thanks for your reply!
Ok interesting, we already have individual computer accounts in AD for each Mac so assuming I don't need to use a dummy account? We've also already got machine certs and user certs on each machine for various other systems, is the AD CS connector essential to make this work?
With your setup, on your radius can you see machine authentications and user authenitcations from the same device, depending on if a user is logged in or not?
Sorry if any of these questions are simple, i'm fairly new to jamf & managing macs.
Posted on 08-19-2021 09:47 AM
@macnac are you still bound to AD or are you using a Jamf Connect workflow?
Posted on 08-19-2021 09:56 AM
Bound to AD
Posted on 08-19-2021 11:20 AM
Okay, then you just need the basic Jamf ADCS configuration. You can refer to some resources online and reach out to Jamf Support for help. It will require some collaboration between you, your network team, and your CA admin team.
Posted on 08-19-2021 11:21 AM
Posted on 12-02-2022 08:43 AM
Hi.
We're looking to achieve that exact workflow that @macnac described in his original post. We don't use the ADCS Connector but do have working SCEP services to request and deploy a cert by utilising the Jamf SCEP Proxy. Are you able to advise if the type of authentication (machine when logged off, user when logged in) is still achievable and potentially suggest the combination of policies or config profiles required?
We have managed to get both machine OR user working, but have not managed to successfully implement both together.
Thanks
Posted on 03-08-2023 09:55 AM
I have almost the exact same workflow. Have you found a solution to this problem?
a month ago
@rypowell1988 or @QS_Logan same. Using Jamf SCEP proxy using Okta as CA. We don't have/use AD or ADCS. There are paid services like step-ca and secureW2 but looking to do this with FreeRadius and struggling to find any docs or guides.