802.1x Wireless Profiles

bbergstein
New Contributor III

I am trying to set up 802.1x authentication for our wireless networks. Everything is set up on the back end, and I created a profile for our Macs according to the Apple KB to generate and install the X509 certificate based on the Active Directory computer object from our CA (I followed the instructions in https://jamfnation.jamfsoftware.com/article.html?id=209). This seems to work properly, as it gets the certificate and installs it into the System Keychain. The problem I am having is that I cannot seem to set up a profile to join the wireless network. If I do it manually, I can select the X509 identity cert out of the list, then fill in my computer name with a “$” after it, and it connects just fine. If I create a profile, I cannot specify that X509 cert because it's not part of the profile. I am able to specify the computer name ($COMPUTERNAME) and the SSID and such, but it never works. It seems as though because it's not specified, it can't find the identity certificate. Any idea how to make it find this? I already tried including it in the same profile as the AD cert generation, but no luck…

3 REPLIES

jables
New Contributor

You need to put it in the same profile I think, that's what I did. I think it would be much better if this was not the case.

alexjdale
Valued Contributor III

I went with a completely scripted solution. I pull down the cert to a temp folder, do some conversion, and build the mobileconfig file with the cert embedded. The script then installs the profile, which installs the cert on the keychain. This works well since the cert and private key are removed automatically when the profile is removed.

I opened a case with Apple to see if it was possible to use a certificate requested by their instructions at system-level but it is not, not without scripting or using a SCEP server to issue the cert.

If you use a config profile to request the cert and install it on the keychain, it's going to be a huge PITA to export so I just skip that step entirely. Not ideal, but it works.
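
The scripted approach alexjdale describes (convert the cert, embed it in a mobileconfig, install the profile), written out as an added example. This is not alexjdale's script and not Apple or Jamf code. Assumed, because the thread does not say: the AD-issued certificate is on disk as a DER `.cer` with its private key in PEM form, the SSID and the `com.example.wifi-8021x` identifier are placeholders, and the EAP `UserName` is the computer name followed by `$` as bbergstein used when joining by hand. The `profiles -I -F` install syntax is the pre-10.13 form; newer releases use `profiles install -path`.

```shell
#!/bin/bash
# Added example, not alexjdale's script or Apple/Jamf code: build and install an
# 802.1X Wi-Fi .mobileconfig with the machine identity embedded as PKCS#12.
# Assumptions (not stated in the thread): the AD-issued cert is a DER .cer and its
# private key is PEM; SSID, identifier and display names below are placeholders.
set -eu

xml_escape() { printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'; }

new_uuid() {   # uppercase UUID as Apple's tools emit; falls back when uuidgen is absent
  if command -v uuidgen >/dev/null 2>&1; then uuidgen
  else od -An -N16 -tx1 /dev/urandom | tr -d ' \n' |
       sed -E 's/(.{8})(.{4})(.{4})(.{4})(.{12})/\1-\2-\3-\4-\5/'
  fi | tr '[:lower:]' '[:upper:]'
}

# The "conversion" step: DER cert + PEM key -> password-protected PKCS#12 (openssl ships with macOS).
make_pkcs12() {   # $1 cert.cer  $2 key.pem  $3 out.p12  $4 p12 password
  openssl x509 -inform DER -in "$1" -out "$3.pem"
  openssl pkcs12 -export -inkey "$2" -in "$3.pem" -out "$3" -passout "pass:$4"
  rm -f "$3.pem"
}

# Write the profile. The Wi-Fi payload's PayloadCertificateUUID must equal the PKCS#12
# payload's PayloadUUID; that link is what a GUI-built profile without the cert lacks.
build_wifi_profile() {   # $1 p12  $2 p12 password  $3 SSID  $4 out.mobileconfig  [$5 computer name]
  local p12_b64 cert_uuid wifi_uuid prof_uuid ssid pass user ident
  p12_b64=$(base64 < "$1" | tr -d '\n')
  cert_uuid=$(new_uuid); wifi_uuid=$(new_uuid); prof_uuid=$(new_uuid)
  ssid=$(xml_escape "$3"); pass=$(xml_escape "$2")
  user=$(xml_escape "${5:-$(hostname -s 2>/dev/null || hostname)}")\$   # machine account: NAME$
  ident="com.example.wifi-8021x"   # placeholder reverse-DNS identifier
  cat > "$4" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.pkcs12</string>
      <key>PayloadIdentifier</key><string>${ident}.identity</string>
      <key>PayloadUUID</key><string>${cert_uuid}</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadDisplayName</key><string>802.1X machine identity</string>
      <key>PayloadCertificateFileName</key><string>identity.p12</string>
      <key>Password</key><string>${pass}</string>
      <key>PayloadContent</key><data>${p12_b64}</data>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadIdentifier</key><string>${ident}.wifi</string>
      <key>PayloadUUID</key><string>${wifi_uuid}</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadDisplayName</key><string>Wi-Fi (${ssid})</string>
      <key>SSID_STR</key><string>${ssid}</string>
      <key>HIDDEN_NETWORK</key><false/>
      <key>AutoJoin</key><true/>
      <key>EncryptionType</key><string>WPA2</string>
      <key>ProxyType</key><string>None</string>
      <key>PayloadCertificateUUID</key><string>${cert_uuid}</string>
      <key>EAPClientConfiguration</key>
      <dict>
        <key>AcceptEAPTypes</key><array><integer>13</integer></array>
        <key>UserName</key><string>${user}</string>
      </dict>
    </dict>
  </array>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadScope</key><string>System</string>
  <key>PayloadIdentifier</key><string>${ident}</string>
  <key>PayloadUUID</key><string>${prof_uuid}</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadDisplayName</key><string>802.1X Wi-Fi (machine certificate)</string>
  <key>PayloadRemovalDisallowed</key><false/>
</dict>
</plist>
EOF
  printf '%s\n' "$4"
}

profile_cert_uuid() {   # $1 profile -> UUID the Wi-Fi payload references (sanity check)
  sed -n 's/.*<key>PayloadCertificateUUID<\/key><string>\([^<]*\)<\/string>.*/\1/p' "$1"
}

# Usage (as root on the Mac): ./wifi8021x.sh cert.cer key.pem 'Corp-8021X' 'p12 password'
if [ "$#" -ge 4 ]; then
  work=$(mktemp -d); trap 'rm -rf "$work"' EXIT   # the p12 and profile never outlive the install
  make_pkcs12 "$1" "$2" "$work/identity.p12" "$4"
  build_wifi_profile "$work/identity.p12" "$4" "$3" "$work/wifi8021x.mobileconfig"
  profiles -I -F "$work/wifi8021x.mobileconfig"   # macOS 10.13+: profiles install -path ...
fi
```

Two things worth noting about the design. `PayloadScope` of `System` and the `Password` key on the PKCS#12 payload are what let the identity land in the System keychain without a prompt, and because the identity arrives through the profile it is removed with the profile, which is the property alexjdale points out. The flip side is that the generated `.mobileconfig` carries the private key and its password in clear text, so it should be treated as a secret: generate it on the machine, install it, and delete it (the `trap` above does that) rather than staging it on a share. `AcceptEAPTypes` 13 is EAP-TLS; adding `TLSTrustedServerNames` to the EAP dictionary is the usual next hardening step so the client only presents the certificate to your RADIUS servers.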

jables
New Contributor

My fault, I thought we were talking about SCEP. It does work well with SCEP but it isn't perfect like I said. In 8.6 you can add AD Certificates into that. I haven't tested it but it looks a lot easier than SCEP and probably what you are doing. I still think that it will have to be a part of the same profile which I understand but I think could be a problem.