Casper Configuration Profile for Enterprise Wifi using user certificates?

Sonic84
Contributor III

Hello, I'd like to leverage Casper Profiles for pushing WiFi settings to a Mac fleet. We use a user certificate (stored in the keychain) for authenticating to wireless rather than a common password. Is there a way to tell the Casper Configuration Profile to use $USERNAME.cer?

Thank you!


hkim
Contributor II

I'm confused by the question, Profiles allows for Wifi either using common password, or using Enterprise, and under there you should be able to upload certs to be trusted and pushed out to the computer. Or is that not what you're looking for?

Sonic84
Contributor III

Hello, thank you for the response. We're using enterprise (802.1x) authentication for the corporate WiFi, each user is issued their own identity cert by the CA. In the Casper Config Profile I'm testing with, I've uploaded the cert chain and my own user identity. This works, however this approach isn't feasible for the 5000+ Macs in my environment. I was hoping to "variableize" which user identity was used since user identities are based on a common naming convention.

hkim
Contributor II

The username and password fields can be left blank in the Config Profile, thus the user will enter it themselves. It'll prompt them. Or if you use LDAP to log into the Mac, you can tie the two together.

How are they issued the cert? When they authenticate to the WiFi? In that case, just leave the cert out, leave the username and password blank, and push out that cert.

robert_uy
New Contributor

I wanted to do the same thing and use a Windows certificate on a Mac. I don't think that's possible.

hkim
Contributor II

Ah so you want RADIUS to also authenticate at the login window? You can do that by making sure the Profile is set to run as a loginwindow profile. Unfortunately there's no way to do that in Casper (or actually even in Profile Manager) and you need to take the Profile XML and edit it by hand.

The good news is that it's not hard to edit by hand.

http://jamfnation.jamfsoftware.com/discussion.html?id=4046

JPDyson
Valued Contributor

I feel your pain; for an 802.1X payload, you can do a Machine-level and a User-level authentication, but none of it is with a certificate. Our users currently have a utility on the desktop that allows them to download/import a certificate for WiFi auth, but I haven't figured out a way to automate it. I was playing around with the concept of using a SCEP payload and our own internal SCEP server, but I didn't have the bandwidth to try much. I'm hoping to pick that back up soon.

Are you accompanying this User-level authentication with some sort of Machine-level auth first? How are you planning to patch machines that aren't currently being used?

Sonic84
Contributor III

Users currently get their cert through a web portal. But we'll be moving to SCEP for cert delivery soon. I've been playing with a WiFi MDM profile in the lab. It seems to come down to test systems alright, but the user is never prompted to choose their cert after the Mac attempts to connect to WiFi. Status in the network preference pane stays at "Authenticating" forever.

Sonic84
Contributor III

Ah, if I add a SCEP payload to the same MDM profile as the Network payload I can select "SCEP" for the user cert. The lab client joins the 802.1x network as expected.

I had been keeping payloads separate for manageability, but it looks like that habit prevented me from seeing this sooner :)

BTW, if you intend to use a SCEP payload from a WINDOWS JSS with Dynamic-Microsoft CA as a challenge, be sure to contact JAMF support for a special SCEP module you can add to tomcat. This prevents bad credentials from getting passed to the SCEP server.
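For readers who want to see what the working combination above looks like on disk, here is an added example (not Casper/Jamf code, and not something any poster in this thread shared) that builds a profile with a SCEP payload, a CA certificate payload and a Wi-Fi payload whose EAP-TLS identity points at the SCEP payload by UUID, then checks that the cross-references resolve. Payload keys follow Apple's Configuration Profile Reference; the SSID, SCEP URL, CA name, RADIUS hostnames, UUIDs and challenge are constructed placeholders, and passing `$USERNAME` as the username assumes the JSS substitutes it, as the original question hopes. The `SetupModes` entry with `Loginwindow` is the hand-edit hkim refers to for authenticating at the login window.

```python
"""Build and sanity-check a macOS profile for EAP-TLS Wi-Fi with a SCEP-issued user identity.
Added example; all values are constructed placeholders, not from any real environment."""
import plistlib
import uuid

# Constructed, fixed UUIDs so the identity reference is easy to follow in the output.
SCEP_PAYLOAD_UUID = "8D2F1A6C-0001-4C2B-9F00-000000000001"
CA_CERT_PAYLOAD_UUID = "8D2F1A6C-0002-4C2B-9F00-000000000002"
WIFI_PAYLOAD_UUID = "8D2F1A6C-0003-4C2B-9F00-000000000003"
EAP_TLS = 13  # IANA EAP method number for EAP-TLS


def build_profile(username, ssid="CorpWiFi",
                  scep_url="https://scep.example.com/certsrv/mscep/mscep.dll",  # placeholder
                  radius_names=("radius1.example.com",),                        # placeholder
                  ca_cert_der=b"<DER bytes of the issuing CA certificate>",     # placeholder
                  loginwindow=True):
    """Return the profile as a plist-ready dict; username goes into the SCEP Subject CN."""
    scep_payload = {
        "PayloadType": "com.apple.security.scep",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi.scep",
        "PayloadUUID": SCEP_PAYLOAD_UUID,
        "PayloadDisplayName": "User identity via SCEP",
        "PayloadContent": {
            "URL": scep_url,
            "Name": "ExampleCA",                       # CA instance name on the SCEP server
            "Subject": [[["CN", username]], [["O", "Example Corp"]]],
            "Challenge": "<per-user SCEP challenge>",  # placeholder; the JSS fills this in
            "Keysize": 2048,
            "Key Type": "RSA",
            "Key Usage": 5,                            # 1 = signing, 4 = encryption, 5 = both
            "Retries": 3,
            "RetryDelay": 10,
        },
    }
    ca_payload = {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi.ca",
        "PayloadUUID": CA_CERT_PAYLOAD_UUID,
        "PayloadDisplayName": "Issuing CA",
        "PayloadContent": ca_cert_der,                 # plistlib emits this as <data>
    }
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi.network",
        "PayloadUUID": WIFI_PAYLOAD_UUID,
        "PayloadDisplayName": ssid,
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        "EncryptionType": "WPA",                       # WPA/WPA2 Enterprise
        "ProxyType": "None",
        "PayloadCertificateUUID": SCEP_PAYLOAD_UUID,   # identity = the SCEP-issued cert
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [EAP_TLS],
            "PayloadCertificateAnchorUUID": [CA_CERT_PAYLOAD_UUID],  # trust only our CA
            "TLSTrustedServerNames": list(radius_names),           # pin RADIUS cert names
            "TLSAllowTrustExceptions": False,          # no "trust anyway" prompt for users
        },
    }
    if loginwindow:
        wifi_payload["SetupModes"] = ["System", "Loginwindow"]
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi.8021x",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Corporate 802.1X Wi-Fi",
        "PayloadScope": "System" if loginwindow else "User",
        "PayloadContent": [ca_payload, scep_payload, wifi_payload],
    }


def check_profile(profile):
    """Return a list of problems; an empty list means every reference resolves."""
    problems = []
    by_uuid = {p["PayloadUUID"]: p for p in profile["PayloadContent"]}
    for p in profile["PayloadContent"]:
        if p["PayloadType"] != "com.apple.wifi.managed":
            continue
        name, eap = p["SSID_STR"], p.get("EAPClientConfiguration", {})
        if EAP_TLS in eap.get("AcceptEAPTypes", []):
            target = by_uuid.get(p.get("PayloadCertificateUUID"))
            if target is None or target["PayloadType"] not in (
                    "com.apple.security.scep", "com.apple.security.pkcs12"):
                problems.append(f"{name}: EAP-TLS identity is not a SCEP/PKCS12 payload in this profile")
        for anchor in eap.get("PayloadCertificateAnchorUUID", []):
            if anchor not in by_uuid:
                problems.append(f"{name}: trust anchor {anchor} is not a payload in this profile")
        if not eap.get("TLSTrustedServerNames"):
            problems.append(f"{name}: no TLSTrustedServerNames, any server cert under the anchor is accepted")
        if "Loginwindow" in p.get("SetupModes", []) and profile.get("PayloadScope") != "System":
            problems.append(f"{name}: Loginwindow setup mode needs PayloadScope System")
    return problems


def to_mobileconfig(profile):
    """Serialize to the XML plist form that a .mobileconfig file uses."""
    return plistlib.dumps(profile)


if __name__ == "__main__":
    prof = build_profile("$USERNAME")  # assumes the JSS substitutes the variable
    print("problems:", check_profile(prof) or "none")
    print(to_mobileconfig(prof).decode())
```

The check is the part worth keeping around: the "Authenticating forever" symptom described earlier in the thread is what you get when the identity reference does not resolve, and an empty `TLSTrustedServerNames` means the client will accept any RADIUS server whose certificate chains to the anchor.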

robert_uy
New Contributor

I'm super excited that you got the payload to load. Is there a step by step on what you did to get it working? I can see my Apple computer on my access point but it will not connect. Thanks!