802.1x settings and cert

CasperSally
Valued Contributor II

We are testing 802.1x for our summer rollout.

I've seen a few posts here from users installing their cert/settings via profiles command @ image time.

Is there a benefit to doing it this way over pushing the cert/settings with config profiles with JAMF?

Thanks!

7 REPLIES

mscottblake
Valued Contributor

I just recently started doing it myself because I was having problems with the machines encountering an obscure error and removing the WiFi profile by themselves.

By adding it at imaging time, the MDM Framework does not control it so the profile does not get removed. It allows the machines to remain in contact with the network and allows me to fix the rest of the profiles without any machine downtime.

I don't do this for all the profiles, just the Wifi one since the machines are essentially offline when they have problems. Not a huge fan of this method because I lose the power from utilizing MDM, but in this situation, it's a fair trade for me.

Kumarasinghe
Valued Contributor

Have you got 802.1x machine authentication working?

CasperSally
Valued Contributor II

@kumarasinghe, we have 802.1x machine auth working on a test domain, but not in production. It makes it a little hard to test right now with our imaging flow as the test domain is totally separate from our production (and even our test) JSS. In the test environment, we are installing the profile with the profiles command in terminal.

I'm trying to think through how we'll best deploy it when we do move it to production.

mark_sampers
Contributor

We use the following scheme when packaging our 802.1x wireless profile for OS 10.7 and 10.8:
- Build the 802.1x profile with Lion or MtnLion server. (Example: 196-Wireless.mobileconfig)
- Create a deploy package (.pkg) with Composer containing our 802.1x .mobileconfig profile. In our case we place the .mobileconfig profile in a temporary folder in the System Library.
- Add a postinstall script to install the profile and then delete the temporary folder containing the .mobileconfig.

example:
------------------------------------------------------------------------------
#!/bin/sh
## postinstall

# Install the staged 802.1x profile, then remove the temporary folder.
profiles -I -F /Library/TempFolder/196-Wireless.mobileconfig
rm -r /Library/TempFolder
------------------------------------------------------------------------------

We set the .pkg to install to the boot volume at imaging time. This has served us well on both OS 10.7 and 10.8. I hope this helps...
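
A more defensive version of the postinstall step from the post above, added here as an example and not part of the original thread: it checks that the staged profile exists and removes the staging folder only once `profiles` reports success, so a failed install is surfaced to the imaging workflow. `PROFILES_CMD` and `install_profile` are hypothetical names, and `/usr/bin/profiles` as the default path is an assumption.

```sh
#!/bin/sh
## postinstall (added example, not the script from the thread)
# Assumptions: PROFILES_CMD and install_profile are hypothetical names; the
# staging path, profile name and `profiles -I -F` call come from the post above.

PROFILES_CMD="${PROFILES_CMD:-/usr/bin/profiles}"

# install_profile <staging_dir> <profile_name>
# Returns 0 only if the profile was installed and the staging folder removed.
install_profile() {
    staging_dir="$1"
    profile="$staging_dir/$2"

    # Stop if the payload is missing or empty, so a broken package is
    # reported instead of silently leaving the Mac without its Wi-Fi profile.
    if [ ! -s "$profile" ]; then
        echo "postinstall: $profile missing or empty" >&2
        return 2
    fi

    # Install the profile. On failure, keep the staged copy so the error
    # can be diagnosed and the install retried.
    if ! "$PROFILES_CMD" -I -F "$profile"; then
        echo "postinstall: profiles failed for $profile" >&2
        return 1
    fi

    # Installed: the staged copy is no longer needed on disk.
    rm -r "$staging_dir"
}

# Run only when the installer invokes this file under the name "postinstall".
case "${0##*/}" in
    postinstall) install_profile /Library/TempFolder 196-Wireless.mobileconfig ;;
esac
```

A non-zero exit from a postinstall script marks the package install as failed, which makes the problem visible at imaging time rather than when the machine first tries to join the network.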

bentoms
Release Candidate Programs Tester

We install all through config profiles from the JSS.

Internal CA cert, machine auth 802.1x etc.

No issues for us using the in built method.

Kumarasinghe
Valued Contributor

Got it working. The missing step was to create a Machine Template with the alternative subject name setting set to "User Principal Name (UPN)" for the "AD Certificate" payload.
Read this for more info:
http://tinyurl.com/bljyoha

CasperSally
Valued Contributor II

Thanks everyone for the feedback.