Skip to main content
Question

802.1x Wifi using Machine Certificates

  • March 29, 2021
  • 4 replies
  • 70 views
dlondon
Forum|alt.badge.img+14

Is it possible to tell the machine which certificate to use for Machine Authentication to the 802.1x Wifi?

When I first make the connection I get a pop up like this:

and the dropdown list contains these two choices - is-m-00112 is the machine cert

Once selected and saved this works. I'm trying to automate the setup so there doesn't need to be any user input

    4 replies

    H
    Forum|alt.badge.img+6

    @dlondon In the keychain look for a Identity preference that matches your SSID i.e. when your SSID is "Unifi" that could be 

    com.apple.network.eap.user.identity.wlan.ssid.Unifi

    You can set this by using security CLI tool within a script, you need the CN and the Fingerprint (sha-256) of the certificate in question.

    to create an Identity preference for your example that would be something alike: 

    security set-identity-preference -c 'is-m-00112' -Z '<hash-here>' -s 'com.apple.network.eap.user.identity.wlan.ssid.Unifi'

    The script you'll use should have checks and balances, so read about how security CLI tool allows to clean existing identity preference, ie.

    1. get the CN for the local installed machine cert
    2. get the fingerprint of that cert i.e. use security get-identity-preference
    3. bail out if nothing there
    4. clean an existing IdentityPref (that may refer to an older cert)
    5. create IdentityPref, use security set-identity-preference ...provide values for CN, Fingerprint, SSID

    read some basics -> https://ss64.com/osx/security-id.html

      dlondon
      Forum|alt.badge.img+14
      • dlondon
      • Author
      • Honored Contributor
      • March 30, 2021

      Thanks @h_stamerjohann - appreciate the help

      easyedc
      Forum|alt.badge.img+16
      • easyedc
      • Esteemed Contributor
      • March 30, 2021

      What does your configuration profile look like? Also, where is that machine cert generated? It took some playing around to get our default template correct, but we auto join 2 wifi SSIDs (depending on where you're located). The SSID info, the AD certificate pulled from a cert issuing server, and then a root cert to trust that AD cert. We auto connect without issue. I have had problems getting Big Sur to auto-connect, but I'm early in my BS testing (yes, I know it's been out a while).

      dlondon
      Forum|alt.badge.img+14
      • dlondon
      • Author
      • Honored Contributor
      • April 1, 2021

      Hi @easyedc - yes you are using the AD cert and for some reason we went down the path of a machine cert created using an ADCS connector.

      I have gone through the motions and set up a Configuration Profile using the AD Certificate item like you but didn't get to the test stage as the network guys had already configured their rules/filters to handle the machine cert from the ADCS connector

      I did post the profile in https://www.jamf.com/jamf-nation/discussions/38530/802-1x-using-system-mode but here's a copy:

      Great profile pic!

      Terms & ConditionsCookie settingsAccessibility statement