802.1x Wifi using Machine Certificates

dlondon
Valued Contributor

Is it possible to tell the machine which certificate to use for Machine Authentication to the 802.1x Wifi?

When I first make the connection I get a pop up like this:

[screenshot of the certificate selection prompt]

and the dropdown list contains these two choices - is-m-00112 is the machine cert

[screenshot of the certificate dropdown]

Once selected and saved this works. I'm trying to automate the setup so there doesn't need to be any user input


h_stamerjohann
New Contributor III

@dlondon In the keychain, look for an Identity preference that matches your SSID, i.e. when your SSID is "Unifi" that could be

com.apple.network.eap.user.identity.wlan.ssid.Unifi

You can set this by using the security CLI tool within a script; you need the CN and the fingerprint (SHA-256) of the certificate in question.

To create an Identity preference for your example, that would be something like:

security set-identity-preference -c 'is-m-00112' -Z '<hash-here>' -s 'com.apple.network.eap.user.identity.wlan.ssid.Unifi'

The script you'll use should have checks and balances, so read about how the security CLI tool allows you to clean an existing identity preference, i.e.

  1. get the CN for the local installed machine cert
  2. get the fingerprint of that cert i.e. use security get-identity-preference
  3. bail out if nothing there
  4. clean an existing IdentityPref (that may refer to an older cert)
  5. create IdentityPref, use security set-identity-preference ...provide values for CN, Fingerprint, SSID

Read some basics -> https://ss64.com/osx/security-id.html
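As an added example (not h_stamerjohann's script, and not from Jamf or Apple) that strings the five steps above together: it assumes the machine cert sits in the System keychain, that its CN and the SSID are passed as arguments (the values is-m-00112 and Unifi come from this thread), and that `security find-certificate -Z` and `security get-identity-preference -Z` both print a line beginning `SHA-256 hash:`; those output formats are assumptions, so check them on your own macOS version before deploying.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumes the machine certificate is in
# the System keychain, its CN is passed as $1 (e.g. is-m-00112) and the SSID as
# $2 (e.g. Unifi). Both values are placeholders taken from the thread.
set -eu

SYSTEM_KEYCHAIN=/Library/Keychains/System.keychain

# Keychain service name for the EAP identity preference of a given SSID,
# following the naming convention quoted in the thread.
eap_pref_name() {
  printf 'com.apple.network.eap.user.identity.wlan.ssid.%s\n' "$1"
}

# Pull the SHA-256 fingerprint out of `security find-certificate -Z` style
# output (read from stdin so it can be exercised without the security tool).
# Assumed line format: "SHA-256 hash: <hex>".
parse_sha256() {
  awk -F': ' '/^SHA-256 hash:/ { print $2; exit }'
}

# Steps 1 and 2: locate the machine cert by CN and return its SHA-256 fingerprint.
# Prints nothing (and does not abort the script) when no cert matches.
find_cert_hash() {
  security find-certificate -c "$1" -Z "$SYSTEM_KEYCHAIN" 2>/dev/null | parse_sha256
}

# Steps 3 to 5: bail out if the cert is missing, clear any stale preference,
# then bind the cert to the SSID and verify the binding.
set_eap_identity() {
  cn=$1
  ssid=$2
  svc=$(eap_pref_name "$ssid")

  hash=$(find_cert_hash "$cn")
  if [ -z "$hash" ]; then
    echo "no certificate with CN '$cn' in $SYSTEM_KEYCHAIN; aborting" >&2
    return 1
  fi

  # Remove an existing preference so an older (e.g. renewed-away) cert is
  # not left bound to the SSID. Ignore failure when none exists yet.
  security delete-identity-preference -s "$svc" >/dev/null 2>&1 || true

  security set-identity-preference -c "$cn" -Z "$hash" -s "$svc"

  # Confirm the keychain now points at the fingerprint we just set
  # (assumed: get-identity-preference -Z prints a "SHA-256 hash:" line).
  bound=$(security get-identity-preference -s "$svc" -Z 2>/dev/null | parse_sha256)
  if [ "$bound" != "$hash" ]; then
    echo "identity preference for $svc did not bind to $hash" >&2
    return 1
  fi
  echo "bound $cn ($hash) to $svc"
}

# Run only when invoked with both arguments, e.g.:
#   sudo ./eap-identity.sh is-m-00112 Unifi
if [ "$#" -ge 2 ]; then
  set_eap_identity "$1" "$2"
fi
```

The script runs as root from a Jamf policy so it can read and write the System keychain; the two pure helpers (eap_pref_name and parse_sha256) are split out so the SSID-to-service mapping and the fingerprint parsing can be checked without touching a keychain.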

dlondon
Valued Contributor

Thanks @h_stamerjohann - appreciate the help

easyedc
Valued Contributor II

What does your configuration profile look like? Also, where is that machine cert generated? It took some playing around to get our default template correct, but we auto join 2 wifi SSIDs (depending on where you're located). The SSID info, the AD certificate pulled from a cert issuing server, and then a root cert to trust that AD cert. We auto connect without issue. I have had problems getting Big Sur to auto-connect, but I'm early in my BS testing (yes, I know it's been out a while).

[screenshot of the configuration profile]

dlondon
Valued Contributor

Hi @easyedc - yes you are using the AD cert and for some reason we went down the path of a machine cert created using an ADCS connector.

I have gone through the motions and set up a Configuration Profile using the AD Certificate item like you, but didn't get to the test stage as the network guys had already configured their rules/filters to handle the machine cert from the ADCS connector.

I did post the profile in https://www.jamf.com/jamf-nation/discussions/38530/802-1x-using-system-mode but here's a copy:

[screenshots of the configuration profile]

Great profile pic!