Help

Best practices for setting up RADIUS authentication?

jeffnye
New Contributor

Posted on ‎12-17-2016 08:55 AM

I have about 60 Macs in the enterprise, trying to authenticate to a RADIUS server using EAP-TLS.

Right now we're using a HEAVILY manual process where we have to install both a user and a computer certificate, and even then, the authentication fails from time to time. I want something as pushbutton as possible, as this is the #1 Mac-related challenge we're being asked to resolve right now.

What are the best practices in the space? Is there a specific way that the RADIUS server should be configured? Do I need separate certificate structures to authenticate Macs? I've read things that hint at both, but nothing definitive.

0 Kudos
6 REPLIES 6

mkolb
Contributor

Posted on ‎12-19-2016 02:25 AM

Hi jeffnye!

This can be very tricky.. took us a lot of time to get this to work. We fixed this with a configuration profile with different payloads which have to be created in the correct order. e9feac8dd1224287bca56a84ba4c51af
You need the Certificate Payload to put the needed certificates for the RADIUS inside the profile. Then you need the AD Certificate Payload where you enter the exact address of the RADIUS, the name of the certificate authority, and so on.
Now you can go the to third payload, Network. Here is the part where everything comes together. If you want to use the authentication for WiFi and Ethernet you have to use the little plus-symbol in the upper right corner to set up settings for WiFi and separate for Ethernet. Choose the protocol, enter the username which is expected from the individual computer certificate. For example "%ComputerName"$@domain-name.com" With the %ComputerName% you make sure it always takes the individual name of the client. As Identity certificate choose the AD certificate, which was set up with the AD Certificate payload before. When you are done, click on the "Trust" button and activate each certificate, which were set up with the certificate payload before. "Trusted Server Certificate Names" should be the whole domain. Like " *.domainname.com"

Hope this helps!

Greetings, Marco

RLR
Valued Contributor

Posted on ‎12-19-2016 05:37 AM

I was sent a guide by Jamf Support in regards to setting this up: https://www.dropbox.com/s/vhcbb5rmwzft0xy/802.1x%20Wireless%20Testing%20-%20PEAP%20Workflow.pdf?dl=0

This will depend on how your RADIUS is setup.

Hope it helps.

0 Kudos

bbot
Contributor

Posted on ‎12-19-2016 09:43 AM

Our environment of 600+ Macs are setup for 2 years exactly like how @mkolb mentioned.

This works 99.9% of the time when setting up a new machine, but we've noticed that machines randomly drop off WiFi. Upon further research, we found that the machines were requesting user certificates periodically (the profile attempted to re-apply), and when they'd fail, the configuration profile gets removed. I have an open case with JAMF now about this.

Another issue we've seen during certificate renewals, 70% of our machines wouldn't renew properly, which resulted in user's getting dropped off of wifi again. We've found that renewals were inconsistent at best when the users were on wifi only. We renewed by changing the certificates, then re-deploying through the JSS.

This could be something specific in our network setup, but I'd highly recommend testing those issues before rolling out a 802-1x solution.

0 Kudos

seanhansell
Contributor

Posted on ‎10-16-2017 11:37 AM

Can this be done without a machine being bound to AD?

- Sean

maziboss
New Contributor

Posted on ‎01-13-2020 06:47 AM

I have the same question as @seanhansell. Especially on macOS Catalina.

0 Kudos

nelsoni
Contributor III

Posted on ‎01-13-2020 06:51 AM

https://gshaw0.wordpress.com/2019/06/23/configuring-eap-tls-wireless-connections-on-macos-with-jamf/
This guide goes over how to connect to RADIUS authenticated WiFi with non AD joined devices.

0 Kudos