I've had a search through previous posts about this and I can see the question has been asked before a long time ago (4-5 years) with no resolution. I'm hoping someone can tell me whether this is possible or not.
I want to deploy an SSID using EAP-TLS and have client devices use a machine certificate to authenticate when a user is not signed in, then, when a user does sign in, to have a user certificate used for authentication.
Ideally the flow would be:
No one signed in - device uses machine cert to authenticate to wi-fi, can receive updates
User A signs in - new authentication occurs using userA cert
User A signs out - new authentication using machine cert again
User B signs in - new authentication occurs using userB cert
This is to support network level access control.
The previous posts I've read have mentioned issues with one profile overriding another or the client device sticking to just one profile.
Has anyone ever got this working? Annoyingly it's straightforward to do on Windows using the "User or Machine auth" setting.
Any help or insights would be appreciated!
1. Configure the ADCS Connector.
2. Create a Dummy AD Account.
3. Append your ADCS Connector Certificate to the Dummy AD account.
4. Create a Network Payload with your SSID at System level.
5. Add your ADCS cert, root cert, intermediate cert, and RADIUS cert to the profile.
6. Deploy to all machines.
I have a similar process, but I don't use a Dummy AD account. I use my user's Azure AD identity to authenticate to the RADIUS server.
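The system-level network payload that steps 4 and 5 of the reply above describe, as an added example and not a profile from this thread or from Jamf: an EAP-TLS Wi-Fi payload scoped to the machine, using the machine identity and pinning the RADIUS server to the pushed root, intermediate and server certificates. The SSID, server name and all UUIDs are placeholders, and the PKCS12 and certificate payloads they refer to are assumed to sit in the same profile and are not shown.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <!-- System scope: the profile belongs to the machine, so it is active at the login window -->
  <key>PayloadScope</key><string>System</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.wifi.eaptls.machine</string>
  <key>PayloadUUID</key><string>0F9C2E2A-0000-4000-8000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadDisplayName</key><string>Corp Wi-Fi EAP-TLS (machine cert)</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadIdentifier</key><string>com.example.wifi.eaptls.machine.wifi</string>
      <key>PayloadUUID</key><string>0F9C2E2A-0000-4000-8000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>SSID_STR</key><string>CorpWiFi</string>
      <key>HIDDEN_NETWORK</key><false/>
      <key>AutoJoin</key><true/>
      <key>EncryptionType</key><string>WPA2</string>
      <!-- "System" mode: the machine identity is used at the login window and for background services -->
      <key>SetupModes</key>
      <array><string>System</string></array>
      <!-- Placeholder UUID of a com.apple.security.pkcs12 payload (not shown) carrying the machine identity -->
      <key>PayloadCertificateUUID</key><string>0F9C2E2A-0000-4000-8000-0000000000A1</string>
      <key>EAPClientConfiguration</key>
      <dict>
        <!-- 13 = EAP-TLS only; no PEAP or TTLS fallback -->
        <key>AcceptEAPTypes</key>
        <array><integer>13</integer></array>
        <!-- Pin the RADIUS server: placeholder UUIDs of the certificate payloads (not shown) for the root,
             intermediate and RADIUS server certificates, plus the name the server certificate must match -->
        <key>PayloadCertificateAnchorUUID</key>
        <array>
          <string>0F9C2E2A-0000-4000-8000-0000000000B1</string>
          <string>0F9C2E2A-0000-4000-8000-0000000000B2</string>
          <string>0F9C2E2A-0000-4000-8000-0000000000B3</string>
        </array>
        <key>TLSTrustedServerNames</key>
        <array><string>radius.example.com</string></array>
        <!-- Do not let a user click through an untrusted server certificate -->
        <key>TLSAllowTrustExceptions</key><false/>
      </dict>
    </dict>
  </array>
</dict>
</plist>
```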
Thanks for your reply!
OK, interesting. We already have individual computer accounts in AD for each Mac, so I'm assuming I don't need to use a dummy account? We've also already got machine certs and user certs on each machine for various other systems; is the AD CS connector essential to make this work?
With your setup, on your RADIUS can you see machine authentications and user authentications from the same device, depending on whether a user is logged in or not?
Sorry if any of these questions are simple, I'm fairly new to Jamf and managing Macs.