802.1x Loginwindow Configuration Profile not connecting

aburrow
Contributor

I set up a 10.8.3 MacBook Pro with a Configuration Profile I created using the Apple iPCU and manual changes to the file so it would work at the loginwindow. This works as expected, with a wireless connection before authenticating against Active Directory. The payload consists of the required certificates as well as the wireless SSID etc.

I've tried to replicate the same settings in JSS 8.64 as a Computer Level Config. Profile. The payload consists of the required certificates and SSID settings etc., the same as the iPCU.

The wireless connection appears at the loginwindow as expected but that's as far as it goes. If I log in to the MacBook Pro with an Active Directory account and then attempt to connect to the 802.1x connection in the Network System Preference, it sits there at "Authenticating" (this may be unrelated to why it's not working at the login window).

Is there something specific I need to do to get this configuration profile to work correctly when deployed by the JSS?

1 ACCEPTED SOLUTION

mistacabbage
Contributor

After you add the certificate in the Certificates section you have to go back to the Network section. Under Network Security Settings there is a tab for Protocols and Trusts. Click on Trusts. Under Trusted Certificates you'll see a list of all the certificates you added. They should all be unchecked by default. You can check as many certificates as you want.

bbergstein
New Contributor III

Are you sure the certificate is correct? It sounds like it's hanging on the authentication, for which you should have logs on the RADIUS end of things... I would start with the RADIUS logs and work from there.

jhbush
Valued Contributor II

aburrow, have you tried just installing the profile using the profiles command? I had issues as well pushing these settings via JAMF's profiles. In the end I just made my own and installed it via a postflight script.

aburrow
Contributor

I exported the JSS Config. Profile and imported it using the profiles command; same issue. It shows up as a User Profile though, not Device.

I contacted our RADIUS guy and he tells me that there are no requests at the RADIUS end to authenticate the user I'm trying to log in as.

At the 802.1X area for the Wi-Fi connection clicking disconnect/connect does connect now, previously this did not work.

jhbush
Valued Contributor II

This is a sanitized version of our login window profile. Replace the word "Replace" with your data. It's mostly certificates and UUIDs. You could also take the JAMF profile and clean it up in a text editor.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>AutoJoin</key>
            <true/>
            <key>EAPClientConfiguration</key>
            <dict>
                <key>AcceptEAPTypes</key>
                <array>
                    <!-- EAP type 25 = PEAP -->
                    <integer>25</integer>
                </array>
                <key>EAPFASTProvisionPAC</key>
                <false/>
                <key>EAPFASTProvisionPACAnonymously</key>
                <false/>
                <key>EAPFASTUsePAC</key>
                <false/>
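                <!-- Each entry is the PayloadUUID of a certificate payload in this profile that 802.1X should trust -->
                <key>PayloadCertificateAnchorUUID</key>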
                <array>
                    <string>Replace</string>
                    <string>Replace</string>
                    <string>Replace</string>
                    <string>Replace</string>
                </array>
            </dict>
            <key>EncryptionType</key>
            <string>WPA</string>
            <key>HIDDEN_NETWORK</key>
            <true/>
            <key>PayloadDescription</key>
            <string>Configures wireless connectivity settings.</string>
            <key>PayloadDisplayName</key>
            <string>Replace</string>
            <key>PayloadIdentifier</key>
            <string>Replace</string>
            <key>PayloadOrganization</key>
            <string>Replace</string>
            <key>PayloadType</key>
            <string>com.apple.wifi.managed</string>
            <key>PayloadUUID</key>
            <string>C8DF3EED-5121-49E8-9F43-0CE5ECDC8EDB</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>ProxyType</key>
            <string>None</string>
            <key>SSID_STR</key>
            <string>Replace</string>
            <key>SetupModes</key>
            <array>
                <string>Loginwindow</string>
            </array>
        </dict>
        <dict>
            <key>PayloadCertificateFileName</key>
            <string>Root.crt</string>
            <key>PayloadContent</key>
            <data>
                Replace
            </data>
            <key>PayloadDescription</key>
            <string>Provides device authentication (certificate or identity).</string>
            <key>PayloadDisplayName</key>
            <string>Replace</string>
            <key>PayloadIdentifier</key>
            <string>Replace</string>
            <key>PayloadOrganization</key>
            <string>Replace</string>
            <key>PayloadType</key>
            <string>com.apple.security.root</string>
            <key>PayloadUUID</key>
            <string>Replace</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
        <dict>
            <key>PayloadCertificateFileName</key>
            <string>Replace</string>
            <key>PayloadContent</key>
            <data>
                Replace
            </data>
            <key>PayloadDescription</key>
            <string>Provides device authentication (certificate or identity).</string>
            <key>PayloadDisplayName</key>
            <string>Replace</string>
            <key>PayloadIdentifier</key>
            <string>Replace</string>
            <key>PayloadOrganization</key>
            <string>Replace, Inc.</string>
            <key>PayloadType</key>
            <string>com.apple.security.pkcs1</string>
            <key>PayloadUUID</key>
            <string>DBB64707-CA01-4D26-9EE7-66D05B678BDE</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
        <dict>
            <key>PayloadCertificateFileName</key>
            <string>Replace</string>
            <key>PayloadContent</key>
            <data>
                Replace
            </data>
            <key>PayloadDescription</key>
            <string>Provides device authentication (certificate or identity).</string>
            <key>PayloadDisplayName</key>
            <string>Replace</string>
            <key>PayloadIdentifier</key>
            <string>Replace</string>
            <key>PayloadOrganization</key>
            <string>Replace</string>
            <key>PayloadType</key>
            <string>com.apple.security.pkcs1</string>
            <key>PayloadUUID</key>
            <string>6F4D8627-E08B-48C3-968F-89623C2FEB64</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
        <dict>
            <key>PayloadCertificateFileName</key>
            <string>Replace</string>
            <key>PayloadContent</key>
            <data>
                Replace
            </data>
            <key>PayloadDescription</key>
            <string>Provides device authentication (certificate or identity).</string>
            <key>PayloadDisplayName</key>
            <string>Replace</string>
            <key>PayloadIdentifier</key>
            <string>com.Replace.Replacecorpwifi.credential3</string>
            <key>PayloadOrganization</key>
            <string>Replace</string>
            <key>PayloadType</key>
            <string>com.apple.security.pkcs1</string>
            <key>PayloadUUID</key>
            <string>Replace</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Replace</string>
    <key>PayloadDisplayName</key>
    <string>Replace</string>
    <key>PayloadIdentifier</key>
    <string>Replace</string>
    <key>PayloadOrganization</key>
    <string>Replace</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>Replace</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

aburrow
Contributor

I recreated the configuration, including re-importing the certificates. I then went and performed the steps above. I'm now connecting. I can't say for sure what was the fix, but mistacabbage's suggestion above certainly helped.
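
An added example, not part of any post in this thread: a pre-deployment check that every 802.1X Wi-Fi payload in a profile trusts at least one certificate carried in the same profile and is marked for the login window. It assumes the Trusted Certificates checkboxes from the accepted solution end up as `PayloadCertificateAnchorUUID` entries like those in the profile jhbush posted; the SSID and UUID values in the sample are constructed.

```python
import plistlib

# Certificate payload types that can serve as 802.1X trust anchors.
CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1",
              "com.apple.security.pem"}

def check_wifi_trust(profile_bytes):
    """Return a list of findings for each 802.1X Wi-Fi payload in a profile."""
    profile = plistlib.loads(profile_bytes)
    payloads = profile.get("PayloadContent", [])
    cert_uuids = {p.get("PayloadUUID") for p in payloads
                  if p.get("PayloadType") in CERT_TYPES}
    findings = []
    for p in payloads:
        eap = p.get("EAPClientConfiguration")
        if p.get("PayloadType") != "com.apple.wifi.managed" or eap is None:
            continue
        ssid = p.get("SSID_STR", "?")
        # Assumption: unchecked "Trusted Certificates" means this array is empty.
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors:
            findings.append(f"{ssid}: no trusted certificates selected")
        for uuid in anchors:
            if uuid not in cert_uuids:
                findings.append(f"{ssid}: anchor {uuid} matches no certificate payload")
        if "Loginwindow" not in p.get("SetupModes", []):
            findings.append(f"{ssid}: SetupModes lacks Loginwindow")
    return findings

def sample_profile(anchors, setup_modes):
    """Constructed sample using the same keys as the profile posted above."""
    wifi = {"PayloadType": "com.apple.wifi.managed", "PayloadUUID": "WIFI-0001",
            "SSID_STR": "ExampleCorp", "EncryptionType": "WPA",
            "EAPClientConfiguration": {"AcceptEAPTypes": [25],
                                       "PayloadCertificateAnchorUUID": anchors},
            "SetupModes": setup_modes}
    root = {"PayloadType": "com.apple.security.root", "PayloadUUID": "CERT-0001",
            "PayloadContent": b"constructed placeholder, not a real certificate"}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadUUID": "PROFILE-0001",
                           "PayloadContent": [wifi, root]})

if __name__ == "__main__":
    for args in ((["CERT-0001"], ["Loginwindow"]), ([], ["Loginwindow"])):
        print(check_wifi_trust(sample_profile(*args)) or "OK")
```

To check a real export, pass the bytes of the unsigned `.mobileconfig` file to `check_wifi_trust`.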