802.1x profiles

chisox1
New Contributor

Hello all! Working with JAMF support on this but figured I would post to see if anyone else is seeing this issue. For quite a while now we have been deploying machine certificates through our load script. All of our machines require network connectivity on first login (bound to AD) so this did great for us. With the recent JSS upgrade it seems like our profile is still installing normally as it should, but when the machine attempts to connect to our SSID, it seems like it doesn't know what certificate to use. Our config profile contains the network setting for our Wi-Fi network and the AD certificate information. All proper keychain settings are where they are supposed to go (comparing to machines that currently are working).

If I go into Network and, under Wi-Fi, press Connect under 802.1X, it prompts me for what cert to use. I choose our proper machine cert and it actually connects successfully; however, we need this to work at login, so the profile should be automatically setting this.

Just another fun day in the office! :)

48 REPLIES

jacopo_pulici
Contributor

Updated to 9.92 but I still have the problem.
The wired 802.1x keeps asking to select a certificate for the authentication.
:(

chisox1
New Contributor

I had a ticket open with both JAMF and Apple on this subject. The only way I was able to automate this for the end user completely was to add this to the profile, sign it and then upload it to the JSS for distribution:

<key>SetupModes</key>
<array>
    <string>System</string>
</array>
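An added example, not part of the original post and not Jamf's or Apple's code: a pre-upload check that a profile's 802.1X payload both includes `System` in `SetupModes` and points at a certificate payload that actually exists in the same profile. The sample profile, its UUID placeholders and the `lint_8021x` name are constructed for illustration; the payload type and key names are assumed from Apple's configuration profile schema.

```python
import plistlib

# Payload type suffixes that can carry 802.1X settings (Wi-Fi and Ethernet variants).
NETWORK_TYPES = ("com.apple.wifi.managed", "ethernet.managed")

# Constructed sample profile, trimmed to the keys this check reads.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>PayloadContent</key><array>
  <dict>
    <key>PayloadType</key><string>com.apple.security.pkcs12</string>
    <key>PayloadUUID</key><string>CERT-UUID-PLACEHOLDER</string>
  </dict>
  <dict>
    <key>PayloadType</key><string>com.apple.wifi.managed</string>
    <key>PayloadUUID</key><string>WIFI-UUID-PLACEHOLDER</string>
    <key>SSID_STR</key><string>ExampleSSID</string>
    <key>PayloadCertificateUUID</key><string>CERT-UUID-PLACEHOLDER</string>
    <key>EAPClientConfiguration</key><dict><key>AcceptEAPTypes</key><array><integer>13</integer></array></dict>
  </dict>
</array></dict></plist>"""


def lint_8021x(profile_bytes):
    """Return a list of findings, one per problem, for each 802.1X network payload."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    uuids = {p.get("PayloadUUID") for p in payloads}
    findings = []
    for p in payloads:
        ptype = p.get("PayloadType", "")
        if not ptype.endswith(NETWORK_TYPES) or "EAPClientConfiguration" not in p:
            continue  # not a network payload with 802.1X settings
        name = p.get("SSID_STR") or ptype
        if "System" not in p.get("SetupModes", []):
            findings.append(f"{name}: SetupModes lacks System")
        cert = p.get("PayloadCertificateUUID")
        if cert is None:
            findings.append(f"{name}: no PayloadCertificateUUID")
        elif cert not in uuids:
            findings.append(f"{name}: PayloadCertificateUUID not in profile")
    return findings


if __name__ == "__main__":
    for finding in lint_8021x(SAMPLE):
        print(finding)
```

Run it against the unsigned profile before signing, since a signed profile is wrapped in CMS and will not parse as a plain plist.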

Kaltsas
Contributor III

I have been working with Apple Enterprise on this since last October. In the case of devices that have built-in Ethernet, the profile configuration I am using generally works with one caveat. If the network interface is removed and re-added then authentication via System Mode profile never applies.

For devices with no Ethernet built in the behavior is very inconsistent, especially in our environment where it is not assured a 1:1 relationship of dongle-device. If, and it is a big if, I can ensure the dongle used when the profile is installed is the only dongle ever used with the device, generally the system mode profile works and authenticates automatically, though I have seen it periodically fail and User Mode authentication request credentials. I have worked with Apple on modifying some delay timers on this.

I need to be able to install a system mode profile with specified credentials (certificate, machine credentials, etc.) and be able to plug in any Ethernet adapter with an assumption the device will authenticate.

Apple keeps coming back to problems with the profile but it works until it doesn't work. There is something wrong with the framework, not the profile. I don't know if it is an issue with enumerating ethernet devices as they are connected and disconnected or what but I am growing increasingly frustrated with the amount of manual massaging I have to be doing to have device authentication in our environment.

I have both Apple Enterprise cases and Radars logged for these issues. You can contact me off list if you would like to contact your Apple representatives to get attached to those.

chisox1
New Contributor

I opened a separate case up for very similar issues and basically was told "too bad" this is the way it is designed. Glad to see someone got through!

Kaltsas
Contributor III

If you have time and interest, poke me off list via Slack or email. I am trying to gather more test scenarios about the issues surrounding system mode 802.1x Ethernet Payloads using device credentials.

Sirmacalot
New Contributor

@Kaltsas
How did you fix it for your devices with built-in Ethernet? This discussion is not clear to me for a solution...
I have 133 iMacs that need this certificate popup to be fixed.

ravigupta230290
New Contributor

@Kaltsas
Hi Alex, we recently moved our organization from one building to another and witnessed that in the new block we have to select the Device cert manually. We are on 9.96 at the moment and we are on 10.12.6 and 10.13. Nothing changed on the configuration profile or on the JSS side.
Hope you could draw some light on this. We are OK to select the cert as it is a one-time activity as it is setting the keychain.
But would really appreciate the root cause of this behaviour.

Cheers Ravi

ruihere
New Contributor II

Hi @Kaltsas, I have some issues with a wired 802.1x profile built by Profile Manager, not sure if you know what the issue is?

EdLuo
Contributor II

@ravigupta230290
Try removing the cert and reinstalling it with your primary ethernet connection.

I discovered this to be an issue after installing the certificate while connected to our corporate 802.1x using Thunderbolt Ethernet and then switching over to display Ethernet. Seems like the certificate is linked to the Ethernet connection used during installation. For other Ethernet connections, the cert will need to be manually selected.