802.1x/EAP-TLS machine AND user auth

New Contributor

Hi all,

I've had a search through previous posts about this and I can see the question has been asked before a long time ago (4-5 years) with no resolution. I'm hoping someone can tell me whether this is possible or not.

I want to deploy an SSID using EAP-TLS and have client devices use a machine certificate to authentictae when a user is not signed in, then, when a user does sign in, to have a user certifcate used for authentication.

Ideally the flow would be:

No one signed in - device uses machine cert to authenticate to wi-fi, can receive updates

User A signs in - new authentication occurs using userA cert

User A signs out - new authentication using machine cert again

User B sings in - new authentication occurs using userB cert


This is to support network level access control.

The previous posts i've read have mentioned issues with one profile overriding another or the client device sticking to just one profile.

Has anyone ever got this working? Annoyingly it's straight forward to do on Windows using the "User or Machine auth" setting.

Any help or insights would be appreciated!


Contributor III

1. Configure the ADCS Connector.

2. Create a Dummy AD Account.

3. Append your ADCS Connector Certificate to the the Dummy AD account.

4. Create a Network Payload with your SSID System Level.

5. Add your ADCS cert, root cert, intermediate cert, and radius cert to the profile.

6. Deploy to all machines.

I have a similar process, but I don't use a Dummny AD account. I use my user's Azure AD identity to authenticate to the radius server.

New Contributor

Thanks for your reply!

Ok interesting, we already have individual computer accounts in AD for each Mac so assuming I don't need to use a dummy account?  We've also already got machine certs and user certs on each machine for various other systems, is the AD CS connector essential to make this work?

With your setup, on your radius can you see machine authentications and user authenitcations from the same device, depending on if a user is logged in or not?

Sorry if any of these questions are simple, i'm fairly new to jamf & managing macs.

Contributor III

@macnac are you still bound to AD or are you using a Jamf Connect workflow?


New Contributor

Bound to AD

Contributor III

Okay, then you just need the basic Jamf ADCS configuration. You can refer to some resources online and reach out to Jamf Support for help. It will require some collaboration between you, your network team, and your CA admin team.