802.1x over Ethernet.

xDunes
New Contributor

This might be a stupid question, but when I create a profile via JSS for Ethernet with PEAP authentication and check the box for "Use Directory Authentication", after I click save and go back to edit the profile, the checkbox is unchecked. Therefore, when I export the profile it doesn't work, saying missing parameter "UserPassword".

I spun up JSS 9.2 in a test lab and tried to create the profile there; the checkbox does save, but there are no fields to type in $COMPUTERNAME as there were in 8.x, and once again the profile won't work.

Currently we have a script that we use to fill in computer name and password at run time before importing the profile, which works. I'm hoping to get away from relying on a script to accomplish this.

An almost identical profile for Wi-Fi works without any issues.

I tried this in JSS 8.64 as well as 8.73.

Using profiles generated via JSS 8.64, 8.73 and 9.2, I keep getting:
Authenticating: can't prompt for missing properties <array> { 0: UserPassword
}

1 ACCEPTED SOLUTION

alexjdale
Valued Contributor III

Yeah, you don't want to fill in the system's password, won't that change often?

Anyway, here is what my 802.1x PEAP directory authentication profile looks like. Running it in System mode means you should not need a username or password.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <!-- "directory" authenticates with the directory (AD) account instead of a stored UserName/UserPassword -->
            <key>AuthenticationMethod</key>
            <string>directory</string>
            <key>AutoJoin</key>
            <true/>
            <key>EAPClientConfiguration</key>
            <dict>
                <!-- EAP type 25 = PEAP -->
                <key>AcceptEAPTypes</key>
                <array>
                    <integer>25</integer>
                </array>
                <key>OneTimeUserPassword</key>
                <false/>
                <!-- In System mode the computer account from the AD bind supplies the credentials -->
                <key>SystemModeCredentialsSource</key>
                <string>ActiveDirectory</string>
                <key>TTLSInnerAuthentication</key>
                <string>MSCHAPv2</string>
                <!-- Left empty on purpose: filling these in would ship a plaintext credential inside the profile -->
                <key>UserName</key>
                <string></string>
                <key>UserPassword</key>
                <string></string>
            </dict>
            <key>EncryptionType</key>
            <string>Any</string>
            <key>HIDDEN_NETWORK</key>
            <false/>
            <key>Interface</key>
            <string>FirstActiveEthernet</string>
            <key>PayloadDisplayName</key>
            <string>Ethernet 1</string>
            <key>PayloadEnabled</key>
            <true/>
            <key>PayloadIdentifier</key>
            <string>com.company.wired8021xconf</string>
            <key>PayloadType</key>
            <string>com.apple.firstactiveethernet.managed</string>
            <key>PayloadUUID</key>
            <string>bcfc0490-c46e-012f-52da-442c030cc3db</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>ProxyType</key>
            <string>None</string>
            <!-- System mode: the machine authenticates to the switch before any user logs in -->
            <key>SetupModes</key>
            <array>
                <string>System</string>
            </array>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Wired 802.1x Profile for wired networks</string>
    <key>PayloadDisplayName</key>
    <string>Wired 802.1x</string>
    <key>PayloadIdentifier</key>
    <string>com.company.wired8021x</string>
    <key>PayloadOrganization</key>
    <string>Company, Inc.</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>8b825110-c46e-012f-52d8-442c030cc3db</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

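As an added example, not code from this thread or from Jamf: a small Python lint, using only the standard library's plistlib, that checks an exported .mobileconfig for the shape of the accepted answer's profile: AuthenticationMethod set to "directory", SystemModeCredentialsSource set to "ActiveDirectory", SetupModes containing "System", PEAP (EAP type 25) accepted, and no literal UserName/UserPassword in the EAP payload. The sample profiles it builds are constructed here (the com.example identifiers and zero UUIDs are placeholders); the second sample drops the two keys that turned out to be missing from the broken 8.x export, and the third shows what a script that stamps a computer name and password into the file would produce.

```python
"""Lint a macOS 802.1X Ethernet .mobileconfig for System-mode directory auth.

Added example, not from the thread. Only the key names visible in the accepted
answer's plist are assumed; sample profiles are constructed below.
"""
import plistlib

PEAP = 25  # EAP method number carried in AcceptEAPTypes


def _ethernet_payloads(profile):
    """Yield the 802.1X Ethernet payloads inside a top-level profile dict."""
    for payload in profile.get("PayloadContent", []):
        # The thread uses com.apple.firstactiveethernet.managed; the other
        # Ethernet payload variants share the same "ethernet.managed" suffix.
        if payload.get("PayloadType", "").endswith("ethernet.managed"):
            yield payload


def lint_profile(data: bytes):
    """Return a list of findings for a .mobileconfig (XML or binary plist).

    An empty list means every Ethernet payload matches the working
    System-mode directory-authentication shape from the accepted answer."""
    profile = plistlib.loads(data)
    payloads = list(_ethernet_payloads(profile))
    if not payloads:
        return ["no Ethernet 802.1X payload found"]
    findings = []
    for p in payloads:
        name = p.get("PayloadDisplayName", p.get("PayloadUUID", "?"))
        eap = p.get("EAPClientConfiguration", {})
        if p.get("AuthenticationMethod") != "directory":
            findings.append(f"{name}: AuthenticationMethod is not 'directory'")
        if eap.get("SystemModeCredentialsSource") != "ActiveDirectory":
            findings.append(f"{name}: SystemModeCredentialsSource is not 'ActiveDirectory'")
        if "System" not in p.get("SetupModes", []):
            findings.append(f"{name}: SetupModes does not include 'System'")
        if PEAP not in eap.get("AcceptEAPTypes", []):
            findings.append(f"{name}: AcceptEAPTypes does not include PEAP (25)")
        # System mode takes the computer account from the AD bind, so a literal
        # credential here is both unnecessary and a plaintext secret pushed to
        # every managed Mac (profiles are readable by local admins).
        if eap.get("UserName"):
            findings.append(f"{name}: UserName is populated; System mode uses the computer account")
        if eap.get("UserPassword"):
            findings.append(f"{name}: UserPassword is populated (plaintext credential in profile)")
    return findings


def sample_profile(drop=(), eap_overrides=None) -> bytes:
    """Serialize a constructed profile mirroring the accepted answer's keys.

    `drop` removes keys (to mimic the broken 8.x export); `eap_overrides`
    sets EAPClientConfiguration keys (to mimic a script stamping credentials)."""
    eap = {
        "AcceptEAPTypes": [PEAP],
        "OneTimeUserPassword": False,
        "SystemModeCredentialsSource": "ActiveDirectory",
        "TTLSInnerAuthentication": "MSCHAPv2",
        "UserName": "",
        "UserPassword": "",
    }
    eap.update(eap_overrides or {})
    payload = {
        "AuthenticationMethod": "directory",
        "AutoJoin": True,
        "EAPClientConfiguration": eap,
        "Interface": "FirstActiveEthernet",
        "PayloadDisplayName": "Ethernet 1",
        "PayloadEnabled": True,
        "PayloadIdentifier": "com.example.wired8021xconf",  # placeholder
        "PayloadType": "com.apple.firstactiveethernet.managed",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",  # placeholder
        "PayloadVersion": 1,
        "SetupModes": ["System"],
    }
    for key in drop:  # eap is referenced from payload, so both are pruned
        payload.pop(key, None)
        eap.pop(key, None)
    profile = {
        "PayloadContent": [payload],
        "PayloadDisplayName": "Wired 802.1x",
        "PayloadIdentifier": "com.example.wired8021x",  # placeholder
        "PayloadScope": "System",
        "PayloadType": "Configuration",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",  # placeholder
        "PayloadVersion": 1,
    }
    return plistlib.dumps(profile)


# Constructed samples: the working shape, the broken 8.x export, and a
# profile where a script filled in a computer name and password.
GOOD = sample_profile()
BROKEN_EXPORT = sample_profile(drop={"AuthenticationMethod", "SystemModeCredentialsSource"})
PLAINTEXT_CRED = sample_profile(eap_overrides={"UserName": "LAB-MAC-01$", "UserPassword": "hunter2"})

if __name__ == "__main__":
    for label, data in (("good", GOOD), ("broken export", BROKEN_EXPORT), ("scripted creds", PLAINTEXT_CRED)):
        print(label, "->", lint_profile(data) or "OK")
```

Run it against a real export with `lint_profile(open("wired.mobileconfig", "rb").read())`; plistlib handles both the XML profiles JSS exports and binary plists. The check is deliberately strict about the two keys that were missing in the failing export, because the client error ("can't prompt for missing properties UserPassword") does not name them.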
JPDyson
Valued Contributor

You're not crazy; that's broken in 8.X (but it works in 9.X). BTW, that field only works for computer auth if you're using Apple's built-in AD plugin (if you have Thursby or Centrify, computer auth won't work, but user auth will).

xDunes
New Contributor

@alexjdale - Thank you, your plist helped me find exactly what I was missing:

<key>AuthenticationMethod</key>
<string>directory</string>

and

<key>SystemModeCredentialsSource</key>
<string>ActiveDirectory</string>

It works now :)

@JPDyson - Didn't work in 9.2 for me.

Samdy
New Contributor III

Hi all, brothers!
If I want to use 802.1x PEAP authentication with a certificate, what should I do in the mobileconfig file?
Anyone help, please.

MrMcfly
New Contributor

Somewhat of a newb in regard to 802.1x setups via JAMF. What is the best way to set this up in JAMF 10.2? It looks to have been removed since 9. Scripting? Any help appreciated.

Samdy
New Contributor III

I don't have the JAMF program, so if you have any mobileconfig help, send it to me.
Thanks,

AVmcclint
Honored Contributor

@Samdy It doesn't work like that. No one is going to give you a copy of the mobileconfig for accessing their protected network. That's like asking someone for their house keys so you can modify it to fit your house. Not only that, but the specifics of the configuration will depend on how your network is configured: Servers, certificates, IDs, passwords, etc. You should work with your network engineers to find out the details of what is needed to connect to your network. Since you do not have JamfPro, then you will need to look into Apple's Profile Manager to see where you can input the settings your network team gave you.

Samdy
New Contributor III

@AVmcclint You are so stupid; no one gives the specifics of their configuration mobileconfig files to someone. If you give someone the specifics of your configuration it means you are crazy, but if you are kind you will give a file customized for someone who doesn't know the way to create a mobileconfig file.
I have no idea what you guys are thinking.

jalcorn
Contributor II

Well, I'm sure he will give it to you now.