Posted on 09-23-2016 09:15 AM
We'd like to add an additional SSID to our wifi environment and have it utilize an AD cert that was issued as part of another configuration profile. Is it possible to do this with some clever scripting? I really don't want to have to issue new certificates or potentially break wifi for this.
Posted on 09-23-2016 09:53 AM
Yes, I think it is, but it may depend on how the AD certs were issued, and if they are considered "identities".
I believe what you're looking for is the security set-identity-preference command. Check the man page for security. You need to use the -c flag, where you can specify the common name of the certificate to use, and the -s flag, where you specify the service it should use it for.
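The invocation described in this reply, written out as an added example script (not code from the thread or from any poster). It assumes a per-SSID EAP service-name convention of the form com.apple.network.eap.user.identity.wlan.ssid.<SSID>, which the thread does not state; adjust the service string to whatever your profile actually uses. It also checks that a certificate with the given common name is present in the target keychain before changing any identity preference, so a typo in the CN fails loudly instead of silently pointing the SSID at nothing.

```shell
#!/bin/sh
# Added example, not from the original thread. Sets an 802.1X identity
# preference for a Wi-Fi SSID using macOS security(1).
# ASSUMPTION: the service-name pattern below is the one the EAP client looks
# up for a per-SSID identity preference; verify it against your own profile.

# Return the assumed EAP identity-preference service name for an SSID.
eap_service_name() {
    printf 'com.apple.network.eap.user.identity.wlan.ssid.%s\n' "$1"
}

# Render the security(1) command line for review or a dry run.
# Args: <certificate common name> <SSID> [keychain path]
build_identity_pref_cmd() {
    cn=$1; ssid=$2; keychain=${3:-}
    service=$(eap_service_name "$ssid")
    if [ -n "$keychain" ]; then
        printf "security set-identity-preference -c '%s' -s '%s' '%s'\n" \
            "$cn" "$service" "$keychain"
    else
        printf "security set-identity-preference -c '%s' -s '%s'\n" \
            "$cn" "$service"
    fi
}

# True if a certificate with this common name exists in the keychain.
cert_present() {
    cn=$1; keychain=$2
    security find-certificate -c "$cn" "$keychain" >/dev/null 2>&1
}

# Set the preference, refusing to proceed when the cert cannot be found.
# DRY_RUN=1 prints the command instead of executing it.
# Usage: set_identity_pref 'user@corp.example' CorpWiFi /Library/Keychains/System.keychain
set_identity_pref() {
    cn=$1; ssid=$2; keychain=${3:-/Library/Keychains/System.keychain}
    if ! command -v security >/dev/null 2>&1; then
        echo "security(1) is not available on this host" >&2
        return 2
    fi
    if ! cert_present "$cn" "$keychain"; then
        echo "certificate '$cn' not found in $keychain; preference not set" >&2
        return 1
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        build_identity_pref_cmd "$cn" "$ssid" "$keychain"
        return 0
    fi
    security set-identity-preference -c "$cn" -s "$(eap_service_name "$ssid")" "$keychain"
}
```

Run it with DRY_RUN=1 first to see exactly which CN, service and keychain it will bind, then re-run without it; the keychain path is passed as the trailing positional argument, which is where security(1) takes it.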
Posted on 09-23-2016 10:27 AM
Yeah, I am playing around with that, but for some reason the command likes to set the identity on the Login keychain of the logged-in user instead of the System keychain, even when run with sudo.
It lets you choose a location to look for the certificate, but not where to place the identity.
Posted on 09-23-2016 10:42 AM
So, you're trying to add it to the System keychain then? I'm not sure if identity preferences can be set anywhere except in a login.keychain, but, have you tried adding the following to the end of the command
/Library/Keychains/System.keychain
The security command usually respects the keychain path if you actually specify one. In one of our scripts where we set up an identity pref, we can specify the logged-in user's login.keychain, since that's where they go for us. I don't actually know if it's respecting that part of the command when using the set-identity-preference sub-command, or if it's just adding them there by default, but give that a try if you haven't already.
Posted on 09-23-2016 10:55 AM
Yes I have; that supposedly tells it where to look for the cert, but there is nothing in the man page that indicates you can tell it where to put the identity (I tried -k but that's not accepted).
It's very frustrating because I can copy-paste it to the system keychain in the UI and get it to work. I just don't want this as a user config because all of our wifi configs work at the system level. In fact, it doesn't even work properly if the identity is on the user keychain, presumably because the 802.1X Password item is on the System keychain where the profile installs it.
Posted on 09-24-2016 12:00 AM
@alexjdale Can't you add a second SSID to the profile & use the cert in that SSID too?
Posted on 10-13-2016 12:54 PM
@bentoms @alexjdale Can't you add a second SSID to the profile & use the cert in that SSID too?
Wouldn't that drop the profile completely though on current devices? If they are only connected wirelessly, that would drop the existing profile and connection, and then might not be able to talk to AD to grab a new cert to authenticate with.
That's the biggest headache I have with pushed profiles. I have a few different network profiles as I've tweaked them over time to get them working better.
Posted on 10-13-2016 01:27 PM
Yeah, this is the issue I have. If I repush the same profile with a new cert/SSIDs and the cert acquisition fails, the old profile/cert are removed and they are left with nothing. There's this leap of faith you are forced to make.
I'm going to be pushing a new profile with new certs (SHA2) for all clients soon anyway, so I will just include all the SSIDs in that profile. I might have to leave the old profile installed permanently since if I try to remove an older profile with the same SSIDs afterwards, it will happily remove the new identities created by a new profile.
It's probably my biggest issue with config profiles where I think Apple dropped the ball. There's no good path here.