802.1x/EAP-TLS machine AND user auth

macnac
New Contributor

Hi all,

I've had a search through previous posts about this and I can see the question has been asked before a long time ago (4-5 years) with no resolution. I'm hoping someone can tell me whether this is possible or not.

I want to deploy an SSID using EAP-TLS and have client devices use a machine certificate to authenticate when a user is not signed in, then, when a user does sign in, have a user certificate used for authentication.

Ideally the flow would be:

No one signed in - device uses machine cert to authenticate to wi-fi, can receive updates

User A signs in - new authentication occurs using userA cert

User A signs out - new authentication using machine cert again

User B signs in - new authentication occurs using userB cert

etc

This is to support network level access control.

The previous posts I've read have mentioned issues with one profile overriding another or the client device sticking to just one profile.

Has anyone ever got this working? Annoyingly, it's straightforward to do on Windows using the "User or Machine auth" setting.

Any help or insights would be appreciated!

10 REPLIES

bwoods
Valued Contributor

1. Configure the ADCS Connector.

2. Create a Dummy AD Account.

3. Append your ADCS Connector Certificate to the Dummy AD account.

4. Create a Network Payload with your SSID System Level.

5. Add your ADCS cert, root cert, intermediate cert, and radius cert to the profile.

6. Deploy to all machines.

I have a similar process, but I don't use a Dummy AD account. I use my user's Azure AD identity to authenticate to the RADIUS server.
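What the six steps above look like at the profile level, as an added example that is not code from the thread, Jamf, or bwoods: two .mobileconfig plists built with the standard-library plistlib, one system-scoped profile carrying a machine identity and a Wi-Fi payload limited to the System and Loginwindow setup modes, and one user-scoped profile carrying a user identity and a Wi-Fi payload limited to User mode. The SSID, RADIUS server name, SCEP proxy URL, CA name, organisation name and the .corp.example.com suffix are placeholders; $COMPUTERNAME, $USERNAME and $EMAIL are Jamf Pro payload variables; the certificate payload is written as a com.apple.security.scep request because that is the generic form (the Jamf ADCS Connector generates its own certificate payload). Whether macOS actually re-authenticates with the other identity at the login/logout boundary is exactly the open question in this thread; the example only shows the shape of the two profiles and a pre-deployment check for the usual mistakes.

```python
"""Two EAP-TLS Wi-Fi profiles (machine and user) for macOS, built with the
standard-library plistlib. Added example; SSID, server name, SCEP URL, CA name,
org name and domain suffix are assumed placeholders."""
import plistlib
import uuid

SSID = "CorpSecure"                                 # assumed
RADIUS_SERVER_NAME = "radius.corp.example.com"      # assumed; must match the RADIUS cert
SCEP_URL = "https://jamf.corp.example.com/scep"     # Jamf SCEP proxy, assumed
EAP_TLS = 13                                        # EAP method number for EAP-TLS


def scep_payload(name, subject_cn, san, payload_uuid):
    """com.apple.security.scep payload that requests the identity certificate."""
    return {
        "PayloadType": "com.apple.security.scep",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.scep.{name}",
        "PayloadUUID": payload_uuid,
        "PayloadDisplayName": f"EAP-TLS identity ({name})",
        "PayloadContent": {
            "URL": SCEP_URL,
            "Name": "ExampleCA",                      # CA name the SCEP server expects; assumed
            "Subject": [[["CN", subject_cn]], [["O", "Example Corp"]]],
            "SubjectAltName": san,
            "Key Type": "RSA",
            "Keysize": 2048,
            "Key Usage": 5,                           # 1 = signing, 4 = encipherment, 5 = both
        },
    }


def wifi_payload(name, cert_uuid, setup_modes, payload_uuid):
    """com.apple.wifi.managed payload that uses the identity above for EAP-TLS."""
    return {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.wifi.{name}",
        "PayloadUUID": payload_uuid,
        "PayloadDisplayName": f"{SSID} ({name})",
        "SSID_STR": SSID,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "ProxyType": "None",
        "SetupModes": setup_modes,                    # macOS only: System, Loginwindow, User
        "PayloadCertificateUUID": cert_uuid,          # identity = the SCEP payload's UUID
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [EAP_TLS],
            "TLSTrustedServerNames": [RADIUS_SERVER_NAME],  # pin the RADIUS server identity
        },
    }


def profile(scope, payloads):
    """Top-level profile wrapper; PayloadScope is "System" or "User"."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.wifi-eaptls.{scope.lower()}",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": f"{SSID} EAP-TLS ({scope})",
        "PayloadScope": scope,
        "PayloadContent": payloads,
    }


def build_profiles():
    """Return {'machine': dict, 'user': dict}; $COMPUTERNAME, $USERNAME and
    $EMAIL are Jamf Pro payload variables substituted at install time."""
    m_cert, u_cert = str(uuid.uuid4()), str(uuid.uuid4())
    machine = profile("System", [
        scep_payload("machine", "$COMPUTERNAME",
                     {"dNSName": "$COMPUTERNAME.corp.example.com"}, m_cert),
        wifi_payload("machine", m_cert, ["System", "Loginwindow"], str(uuid.uuid4())),
    ])
    user = profile("User", [
        scep_payload("user", "$USERNAME", {"ntPrincipalName": "$EMAIL"}, u_cert),
        wifi_payload("user", u_cert, ["User"], str(uuid.uuid4())),
    ])
    return {"machine": machine, "user": user}


def serialize(p):
    """Plist bytes ready to be written out as a .mobileconfig file."""
    return plistlib.dumps(p)


def check_profile(p):
    """Pre-deployment checks: each Wi-Fi payload must be EAP-TLS only, must pin
    the RADIUS server name, must point its PayloadCertificateUUID at a certificate
    payload in the same profile (a dangling UUID is the classic 'no identity'
    failure), and a User-scoped profile must not claim System/Loginwindow modes."""
    cert_uuids = {x["PayloadUUID"] for x in p["PayloadContent"]
                  if x["PayloadType"] in ("com.apple.security.scep",
                                          "com.apple.security.pkcs12")}
    problems = []
    for x in p["PayloadContent"]:
        if x["PayloadType"] != "com.apple.wifi.managed":
            continue
        eap = x.get("EAPClientConfiguration", {})
        ident = x["PayloadIdentifier"]
        if eap.get("AcceptEAPTypes") != [EAP_TLS]:
            problems.append(f"{ident}: not EAP-TLS only")
        if not eap.get("TLSTrustedServerNames"):
            problems.append(f"{ident}: RADIUS server name not pinned")
        if x.get("PayloadCertificateUUID") not in cert_uuids:
            problems.append(f"{ident}: identity UUID not in this profile")
        if p["PayloadScope"] == "User" and x.get("SetupModes") != ["User"]:
            problems.append(f"{ident}: user profile with non-User SetupModes")
    return problems


if __name__ == "__main__":
    for scope, p in build_profiles().items():
        with open(f"wifi-eaptls-{scope}.mobileconfig", "wb") as fh:
            fh.write(serialize(p))
        print(scope, check_profile(p) or "ok")
```

The machine profile is deployed at the computer level (Jamf "System" scope) and the user profile at the user level; the check is worth running on the profiles Jamf actually emits too, since the identity-UUID mismatch is the most common reason a Wi-Fi payload silently has no certificate to offer.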

mzalmai
New Contributor II

Hi bwoods,

We have the same setup as you: Jamf Connect, Microsoft NPS server, ADCS connector that issues computer-based certificates. Computers connect to Wi-Fi when bound to AD but don't connect when not bound to AD. The log on our RADIUS shows that the user doesn't exist.


Can you let me know how did you configure this?

macnac
New Contributor

Thanks for your reply!

OK, interesting. We already have individual computer accounts in AD for each Mac, so I'm assuming I don't need to use a dummy account? We've also already got machine certs and user certs on each machine for various other systems; is the ADCS connector essential to make this work?

With your setup, on your RADIUS can you see machine authentications and user authentications from the same device, depending on whether a user is logged in or not?

Sorry if any of these questions are simple; I'm fairly new to Jamf and managing Macs.

bwoods
Valued Contributor

@macnac are you still bound to AD or are you using a Jamf Connect workflow?


macnac
New Contributor

Bound to AD

bwoods
Valued Contributor

Okay, then you just need the basic Jamf ADCS configuration. You can refer to some resources online and reach out to Jamf Support for help. It will require some collaboration between you, your network team, and your CA admin team. 

rypowell1988
New Contributor

Hi.
We're looking to achieve the exact workflow that @macnac described in his original post. We don't use the ADCS Connector but do have working SCEP services to request and deploy a cert by utilising the Jamf SCEP Proxy. Are you able to advise whether that type of authentication (machine when logged off, user when logged in) is still achievable, and potentially suggest the combination of policies or config profiles required?

We have managed to get both machine OR user working, but have not managed to successfully implement both together.

Thanks

I have almost the exact same workflow. Have you found a solution to this problem?

wlew
New Contributor II

@rypowell1988 or @QS_Logan, same. Using Jamf SCEP proxy with Okta as CA. We don't have/use AD or ADCS. There are paid services like step-ca and SecureW2, but I'm looking to do this with FreeRADIUS and struggling to find any docs or guides.
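For the FreeRADIUS side that wlew asks about, and for the "network level access control" goal in the original post, here is an added example (not code from the thread or from the FreeRADIUS project) of an rlm_python post-auth policy that looks at the verified EAP-TLS client certificate and places the session in an "updates only" VLAN for a machine certificate or a normal VLAN for a user certificate, rejecting anything else. It assumes the TLS-Client-Cert-* attribute names match those in your FreeRADIUS dictionary (check them against the version you run), that their values are OpenSSL's text form, that machine certificates carry a dNSName SAN under an assumed .corp.example.com suffix, that user certificates carry a UPN SAN in that domain, and that the issuer name and VLAN IDs are placeholders. The sample attribute tuples are constructed for the example.

```python
"""FreeRADIUS rlm_python post-auth policy: EAP-TLS client cert -> VLAN.
Added example. Attribute names, issuer, domains and VLAN IDs are assumptions."""
try:
    import radiusd                      # only importable when loaded by rlm_python
except ImportError:                     # stand-alone shim; rcode numbers assumed
    class radiusd:                      # to follow FreeRADIUS' rlm_rcodes enum
        RLM_MODULE_REJECT, RLM_MODULE_OK, RLM_MODULE_UPDATED = 0, 2, 8

ISSUING_CA_CN = "Example Issuing CA"    # assumed; only this CA's certs are accepted
MACHINE_DOMAIN = ".corp.example.com"    # assumed dNSName suffix on machine certs
USER_DOMAIN = "corp.example.com"        # assumed UPN suffix on user certs
VLAN_MACHINE, VLAN_USER = "20", "30"    # assumed: 20 = update servers only, 30 = user access
CLIENT_AUTH = "TLS Web Client Authentication"   # OpenSSL's name for id-kp-clientAuth


def classify(attrs):
    """Decide what the presented certificate identifies.
    Returns (kind, reason) with kind in {'machine', 'user', None}."""
    eku = attrs.get("TLS-Client-Cert-X509v3-Extended-Key-Usage", "")
    if CLIENT_AUTH not in eku:
        return None, "certificate lacks id-kp-clientAuth"
    if ISSUING_CA_CN not in attrs.get("TLS-Client-Cert-Issuer", ""):
        return None, "certificate not from the expected issuing CA"
    upn = attrs.get("TLS-Client-Cert-Subject-Alt-Name-Upn", "")
    dns = attrs.get("TLS-Client-Cert-Subject-Alt-Name-Dns", "")
    cn = attrs.get("TLS-Client-Cert-Common-Name", "")
    if upn:
        # User certificate: UPN must be ours, and the EAP identity the client
        # sent (User-Name) must agree with it, so a cert can't be used under
        # another name.
        if not upn.lower().endswith("@" + USER_DOMAIN):
            return None, f"UPN {upn} is outside {USER_DOMAIN}"
        ident = attrs.get("User-Name", "").lower()
        if ident not in (upn.lower(), upn.split("@")[0].lower()):
            return None, "EAP identity does not match certificate UPN"
        return "user", f"user certificate for {upn}"
    host = dns or cn
    if host.lower().endswith(MACHINE_DOMAIN):
        return "machine", f"machine certificate for {host}"
    return None, "certificate names neither a user nor a managed machine"


def post_auth(p):
    """rlm_python entry point: p is a tuple of (attribute, value) string pairs.
    Returns (rcode, reply_items, config_items) as rlm_python expects."""
    attrs = dict(p)                     # last value wins for repeated attributes
    kind, reason = classify(attrs)
    if kind is None:
        return (radiusd.RLM_MODULE_REJECT, (("Reply-Message", reason),), ())
    vlan = VLAN_MACHINE if kind == "machine" else VLAN_USER
    reply = (("Tunnel-Type", "VLAN"),          # RFC 2868 dynamic VLAN assignment
             ("Tunnel-Medium-Type", "IEEE-802"),
             ("Tunnel-Private-Group-Id", vlan))
    return (radiusd.RLM_MODULE_UPDATED, reply, ())


# Constructed sample requests (what rlm_python would hand to post_auth).
ISSUER = "/DC=com/DC=example/DC=corp/CN=Example Issuing CA"
SAMPLE_MACHINE = (
    ("User-Name", "host/mac-0042.corp.example.com"),
    ("TLS-Client-Cert-Issuer", ISSUER),
    ("TLS-Client-Cert-Common-Name", "mac-0042.corp.example.com"),
    ("TLS-Client-Cert-Subject-Alt-Name-Dns", "mac-0042.corp.example.com"),
    ("TLS-Client-Cert-X509v3-Extended-Key-Usage", CLIENT_AUTH),
)
SAMPLE_USER = (
    ("User-Name", "alice"),
    ("TLS-Client-Cert-Issuer", ISSUER),
    ("TLS-Client-Cert-Common-Name", "Alice Example"),
    ("TLS-Client-Cert-Subject-Alt-Name-Upn", "alice@corp.example.com"),
    ("TLS-Client-Cert-X509v3-Extended-Key-Usage", CLIENT_AUTH + ", E-mail Protection"),
)
SAMPLE_SERVER_CERT = (                  # a server cert being misused as a client identity
    ("User-Name", "web01"),
    ("TLS-Client-Cert-Issuer", ISSUER),
    ("TLS-Client-Cert-Common-Name", "web01.corp.example.com"),
    ("TLS-Client-Cert-X509v3-Extended-Key-Usage", "TLS Web Server Authentication"),
)

if __name__ == "__main__":
    for name, req in (("machine", SAMPLE_MACHINE), ("user", SAMPLE_USER),
                      ("server-cert", SAMPLE_SERVER_CERT)):
        print(name, post_auth(req))
```

In FreeRADIUS this would be referenced from the post-auth section of the inner/outer virtual server that terminates EAP-TLS, and the switch or controller must honour the Tunnel-* reply attributes for the VLAN move to happen; the sign-in/sign-out re-authentication the original post asks for still has to be driven by the Mac, which this policy cannot force.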