Add additional SSID to wifi config without re-issuing AD cert?

alexjdale
Valued Contributor III

We'd like to add an additional SSID to our wifi environment and have it utilize an AD cert that was issued as part of another configuration profile. Is this possible to do this with some clever scripting? I really don't want to have to issue new certificates or potentially break wifi for this.


mm2270
Legendary Contributor III

Yes, I think it is, but it may depend on how the AD certs were issued, and if they are considered "identities".

I believe what you're looking for is the security set-identity-preference command; check the man page for security. You need to use the -c flag, where you can specify the common name of the certificate to use, and the -s flag, where you specify the service it should use it for.

alexjdale
Valued Contributor III

Yeah, I am playing around with that, but for some reason the command likes to set the identity on the Login keychain of the logged-in user instead of the System keychain, even when run with sudo.

It lets you choose a location to look for the certificate, but not where to place the identity.

mm2270
Legendary Contributor III

So, you're trying to add it to the System keychain then? I'm not sure if identity preferences can be set anywhere except in a login.keychain, but, have you tried adding the following to the end of the command

/Library/Keychains/System.keychain

The security command usually respects the keychain path if you actually specify one. In one of our scripts where we set up an identity pref, we can specify the logged-in user's login.keychain, since that's where they go for us. I don't actually know if it's respecting that part of the command when using the set-identity-preference sub-command, or if it's just adding them there by default, but give that a try if you haven't already.
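The set-identity-preference invocation being discussed, as an added example (not code from the thread or from Apple). It wraps the -c/-s form with a check that an identity with that exact common name actually exists in the keychain passed on the command line, so a mistyped CN never writes a dangling preference. The EAP service string format and the sample find-identity listing are assumptions; the thread itself reports that the preference item may still land in the login keychain rather than the System keychain, and this script does not change that.

```shell
#!/bin/sh
# Added example (not from the thread). Wraps `security set-identity-preference`
# so the identity is confirmed to exist in the target keychain before the
# preference for the SSID's EAP service is written. On a Mac, run with three
# arguments: <certificate CN> <SSID> <keychain path>.
set -u

# ASSUMPTION (hypothetical): the service string macOS 802.1X looks up for a
# given SSID. Adjust if your profile or `security dump-keychain` shows a
# different name.
eap_service_for_ssid() {
    printf 'com.apple.network.eap.user.identity.wlan.ssid.%s\n' "$1"
}

# Thin wrapper so a test can substitute a canned listing for the real tool.
list_identities() {
    security find-identity -v "$1"
}

# Reads `security find-identity -v` output on stdin and prints the SHA-1 of
# the first identity whose label equals $1 exactly (no substring match, so
# "Jane Doe" does not match "Jane Doe Admin"). Prints nothing if absent.
find_identity_hash() {
    awk -v cn="$1" '
        /^ *[0-9]+\) [0-9A-F]+ "/ {
            hash = $2
            sub(/^[^"]*"/, ""); sub(/"[^"]*$/, "")
            if ($0 == cn) { print hash; exit }
        }'
}

# Prints the command instead of executing it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# $1 CN, $2 SSID, $3 keychain path. Returns 1 when no identity with that CN
# exists in the keychain, otherwise sets the preference via -c and -s.
set_wifi_identity_pref() {
    cn=$1; ssid=$2; keychain=$3
    hash=$(list_identities "$keychain" | find_identity_hash "$cn")
    if [ -z "$hash" ]; then
        echo "no identity with CN '$cn' in $keychain" >&2
        return 1
    fi
    echo "matched certificate $hash for CN '$cn'" >&2
    run security set-identity-preference -c "$cn" \
        -s "$(eap_service_for_ssid "$ssid")" "$keychain"
}

# Constructed sample of `security find-identity -v` output (the hashes are
# made up), used for the offline demo below.
SAMPLE_FIND_IDENTITY='Policy: X.509 Basic
  Matching identities
  1) 6A1F3C9E0B2D4F5A7C8E9D0B1A2C3D4E5F60718A "Jane Doe"
  2) 0B2D4F5A7C8E9D0B1A2C3D4E5F60718A6A1F3C9E "Jane Doe Admin"
     2 identities found

  Valid identities only
  1) 6A1F3C9E0B2D4F5A7C8E9D0B1A2C3D4E5F60718A "Jane Doe"
     1 valid identities found'

if [ $# -eq 3 ]; then
    set_wifi_identity_pref "$@"
else
    # Offline demo: show which hash the exact-CN match picks from the sample.
    printf '%s\n' "$SAMPLE_FIND_IDENTITY" | find_identity_hash "Jane Doe"
fi
```

Run it with DRY_RUN=1 first to see the exact security command it would issue; then, as in the thread, check where the preference item actually ended up before relying on it for a system-level Wi-Fi profile.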

alexjdale
Valued Contributor III

Yes I have, that supposedly tells it where to look for the cert but there is nothing in the man page that indicates you can tell it where to put the identity (I tried -k but that's not accepted).

It's very frustrating because I can copy-paste it to the system keychain in the UI and get it to work. I just don't want this as a user config because all of our wifi configs work at the system level. In fact, it doesn't even work properly if the identity is on the user keychain, presumably because the 802.1X Password item is on the System keychain where the profile installs it.

bentoms
Release Candidate Programs Tester

@alexjdale Can't you add a second SSID to the profile & use the cert in that SSID too?

PhillyPhoto
Valued Contributor

@bentoms @alexjdale Can't you add a second SSID to the profile & use the cert in that SSID too?

Wouldn't that drop the profile completely though on current devices? If they are only connected wirelessly, that would drop the existing profile and connection, and then might not be able to talk to AD to grab a new cert to authenticate with.

That's the biggest headache I have with pushed profiles. I have a few different network profiles as I've tweaked them over time to get them working better.

alexjdale
Valued Contributor III

Yeah, this is the issue I have. If I repush the same profile with a new cert/SSIDs and the cert acquisition fails, the old profile/cert are removed and they are left with nothing. There's this leap of faith you are forced to make.

I'm going to be pushing a new profile with new certs (SHA2) for all clients soon anyway, so I will just include all the SSIDs in that profile. I might have to leave the old profile installed permanently since if I try to remove an older profile with the same SSIDs afterwards, it will happily remove the new identities created by a new profile.

It's probably my biggest issue with config profiles where I think Apple dropped the ball. There's no good path here.