I would suggest using an ADCS cert or SCEP certificate to do this. You can hop over to the 802.1X MacAdmins slack channel if you need more references.

https://youtu.be/oRkpkN1Z3aI

Hello WifiChallenges,

You need to add Root CA in the profile and also add Trust to root CA in Network payload in the same configuration.

Hope this will help

profile.

I have no idea about all that scep stuff and from that video i am certainly not going to install anything on my production CA, punch holes in the firewall, or modify external DNS.

i guess ill do preshared key for now. I dont know why it cant use my existing infrastructure. It gets a certificate from the CA fine, why cant it use it...

Can you go to keychain access on a Mac device where this profile is installed correctly and check if you see your corporate WiFi identity preference ?

I have this working with a Configuration Profile that gets a cert via ADCS.  There is a lot more in my profile than yours as I found separating it out into each part e.g. machine cert, root cert etc was a big fail.  I didn't figure it all out myself - my friends in the Network Team helped big time telling me what the Radius server was objecting to as well as our Jamf Success Manager pointed me skillfully in the right direction.

Maybe these screen shots will help ...

You can anytime dm me on Jamf nation or Slack - Samstar777

Thanks for those images. That is interesting how you have $COMPUTERNAME in there.... Do you have this AD CS connector installed in your environment?

As for slack, i dont have that, but thank you for the offer.

This is kind of a nice to have for me right now, i got the 22 macs i had to do this for out without the certificate and will have to work on this when i have free time.  macs are a small part of our environment, so its not super critical to have working. I just realized though, that the problem may be because it does not seem to have a certificate on the machine. I believe the AD Certificate payload is what does that, so i have just configured that and will test it. I am also not in the office every day.

Will post back if i get it working.

Hi @wifichallenges - Yes that's a working setup I showed you.  $COMPUTERNAME gets replaced in the certificate with the machine name that is in scope.  I found I needed all the certificates shown - even the wireless cert.  This way there are no prompts about trusting certificates and the machine connects before anyone logs in.  I needed the AD CA and AD ICA as well as for us the Quovadis CA and ICA certs.  I know on Windows that is not needed but it was for the Mac's.

Yes we are using ADCS Connector to get the device certs

Hi Everyone,

I solved the 802.1x problem. You can contact me here to find out how to solve the problem.

So i have progressed a bit. The certificate does work, and does connect. However my current problem is that you have to select the cert manually, with an admin credentials prompt, then it connects fine with the certificate. Not sure why it doesn't auto connect, but my radius server does not see the connect attempt even so its not even trying. I almost think it has to do with certificate trust, because even though i am pushing the ROOT CA cert to the machine, if i manually try and connect, it still does pop up a prompt to accept the certificate (even though all the trust settings say "trust" on them) . So why does it even prompt? i mean thats what it feels like is happening.

still researching a solution and found this post lol, so i thought i would update it.

Hi,

It asks for the certificate only once in my environment. Does it ask for a certificate every time in your environment?

Not sure. i just didnt want it to prompt at all and feel like its broken if its asking the user at all. Means i would have to touch every machine, login, do a manual connect and tell it what certificate to use. Whether this transfers between users, and can be used at login, i do not know. 

Anyways i got fed up a few weeks ago and am just using a username and password pair to connect for the laptops now. which of course works flawlessly first try, same as the ipads. F certificate based wireless on the mac... just not worth more days of my time. The older you get in this business, you have to know when to cut your losses and do the workaround instead of the ideal solution.