802.1x RADIUS cert renewal (ClearPass with Jamf Pro)

jules1987
New Contributor II

Hi everyone,

The first renewal of the RADIUS cert is due in a month and I am not confident about how to do this without disconnecting all of our 250+ clients.

I believe I have perhaps made mistakes regarding best practices. However, I had no other choice, since all certs and network payloads needed to be in one profile. The Jamf profile used to deploy the 802.1x auth contains:

  • the RADIUS cert
  • the CA cert
  • the info about which cert template to use to issue a cert for any given machine
  • the wired and wireless network configuration settings with the certificates used to connect.

All certs are issued via the ADCS server to be able to renew automatically, since macOS and iOS would not be able to do this without it.

As far as I understood it, it had to be done this way (all-in-one approach) to be able to select the cert to use for any given network connection that the config profile is controlling.

However, once I redeploy this config profile, the clients would lose the connection before receiving the new config. Is it possible to deploy the renewed RADIUS certificate in a separate config profile? Then, however, I would not be able to select the cert in the Wi-Fi and Ethernet payload section... Any hints in the right direction are appreciated, if there is a better way to accomplish this.

With kind regards, Julian Niedzwetzki

5 REPLIES

sdagley
Esteemed Contributor II

@jules1987 If you edit a previously deployed Configuration Profile and choose "Distribute to All" when saving, it will simply update the profile on targeted devices, not do a remove and then a re-install.

jamiesmithJAX
New Contributor III

I put the new 802.1x cert into my existing profile ahead of when the networking team uploads the cert on their end and keep the existing cert in the profile as well. Then when networking does their thing, the Macs will already have the new cert and they reconnect. Just have to go back in a week or so and remove the expired cert from your profile.
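
As an added illustration of the approach above (example code, not from this thread, Jamf or Apple): a Python check to run against an exported .mobileconfig before choosing "Distribute to All", confirming that the renewed RADIUS server cert is listed as a trusted anchor in every Wi-Fi and Ethernet payload and that every certificate UUID those payloads reference resolves to a payload in the same profile. The payload type and key names are Apple's standard profile keys; the certificate bytes, UUIDs and network names are constructed placeholders.

```python
import hashlib
import plistlib

# Constructed placeholders for the DER bytes of the old and renewed RADIUS cert.
OLD_RADIUS_DER = b"constructed-old-radius-server-cert"
NEW_RADIUS_DER = b"constructed-new-radius-server-cert"
NETWORK_TYPES = {"com.apple.wifi.managed", "com.apple.firstgen.ethernet.managed"}

def fingerprint(der: bytes) -> str:
    """Hex SHA-256 of a certificate blob, comparable with Keychain Access."""
    return hashlib.sha256(der).hexdigest()

def cert_payload(uuid: str, der: bytes) -> dict:
    return {"PayloadType": "com.apple.security.pkcs1", "PayloadUUID": uuid,
            "PayloadContent": der}

def network_payload(ptype: str, name: str, anchors: list) -> dict:
    # Anchor UUIDs: cert payloads trusted for the RADIUS server;
    # PayloadCertificateUUID: the client identity issued via SCEP/ADCS.
    return {"PayloadType": ptype, "PayloadUUID": f"net-{name}", "PayloadDisplayName": name,
            "PayloadCertificateUUID": "identity",
            "EAPClientConfiguration": {"AcceptEAPTypes": [13],
                                       "PayloadCertificateAnchorUUID": anchors}}

def build_profile(anchors: list) -> bytes:
    """Constructed all-in-one profile of the shape described in the thread."""
    payloads = [cert_payload("radius-old", OLD_RADIUS_DER),
                cert_payload("radius-new", NEW_RADIUS_DER),
                {"PayloadType": "com.apple.security.scep", "PayloadUUID": "identity"},
                network_payload("com.apple.wifi.managed", "Corp-WiFi", anchors),
                network_payload("com.apple.firstgen.ethernet.managed", "Corp-LAN", anchors)]
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": payloads})

def audit_profile(profile_bytes: bytes, new_cert_fp: str) -> dict:
    """Per network payload: is the renewed cert a trusted anchor, do all UUID refs resolve?"""
    payloads = plistlib.loads(profile_bytes)["PayloadContent"]
    known = {p["PayloadUUID"] for p in payloads}
    cert_fps = {p["PayloadUUID"]: fingerprint(p["PayloadContent"])
                for p in payloads if p["PayloadType"] == "com.apple.security.pkcs1"}
    report = {}
    for p in payloads:
        if p["PayloadType"] not in NETWORK_TYPES:
            continue
        anchors = p.get("EAPClientConfiguration", {}).get("PayloadCertificateAnchorUUID", [])
        refs = list(anchors) + [p[k] for k in ("PayloadCertificateUUID",) if k in p]
        report[p["PayloadDisplayName"]] = {
            "trusts_new_cert": any(cert_fps.get(a) == new_cert_fp for a in anchors),
            "dangling_refs": [r for r in refs if r not in known]}
    return report
```

For a real profile, read the exported .mobileconfig bytes instead of calling build_profile and pass the SHA-256 of the new server cert's DER as new_cert_fp.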

jules1987
New Contributor II

Thank you all. Until now, I was under the impression that edited profiles would be removed and redeployed, so I was thinking too complicated. I have been using Jamf Pro for over 8 years, but somehow I never understood this properly.

Three months ago, we updated our RADIUS certificate. During this process, we chose not to push the RADIUS certificate through Jamf because our WPA Enterprise setup uses Active Directory account credentials (rather than static accounts) for authentication.

With this setup, each user logs into Wi-Fi individually. After the RADIUS certificate change, Mac users encountered a pop-up upon connecting to Wi-Fi, prompting them to continue and enter their MacBook login password to reconnect to the internet. However, users connecting via LAN cable were unaffected and did not see any pop-up.

[attachment: CPPM .png]

Then, after that, you can schedule deleting the expired CPPM cert manually in Keychain Access.

Note:
We inform users via email what to do after changing the cert, so that they know the steps to take.
300+ Mac users
300+ iPad users

Thank you for your input. Yes, I have to do this as well, as most of our users are Grade 6 to Grade 12 students, and they are BYOD. So we have no control over them whatsoever. We will send an email to all of them, and to the teachers. I figure a fair number of them will read and forget, or not read the mail. But that's part of the business.