Configuration Profile for Enterprise Wi-Fi via PEAP/TTLS

Bartoo
New Contributor III

.. and my inability to make a working profile as of yet!

Clients are OS 10.9.2 & AD bound. JSS is 9.3 We have been using a configuration profile to connect the users to the corp Wi-Fi (OURSSID) without interaction - It passes their login credentials (AD) to the SSID.

The profile is just this:

Network Interface? Wi-Fi  ?Service Set Identifier (SSID) OURSSID?
Auto Join?
Security Type WPA / WPA2 Enterprise  ?U
Use as a Login Window configuration
?Network Security Settings:?

Accepted EAP Types:
?LEAP?
Use Directory Authentication?
Authenticate with the target computer's directory credentials

This works as expected- OURSSID is available as an interface at the login window. If a user with a valid AD account logs into a Mac, they are automatically connected to OURSSID .
However, our network team has asked us to deploy a profile that uses PEAP rather than LEAP.

We want push a profile for our corp Wi-Fi for Log in Window/Use Directory Auth/Root cert and I can't even seem to get this a even little bit right so before I make a zillion different permutations and have a nervous breakdown I'm going to plead stupid and throw myself to the mercy of the good people of JAMFnation to look this over:

OK so to get an idea what needs to be in the profile(s), we look at what happens when you manually make a connection to the corp Wi-Fi.

Any Mac here- AD bound or not can manually connect to our Wi-Fi if you provide valid AD credentials.
Pick our Corporate SSID (OURSSID) from the airport menu-
Mode Automatic
Enter a valid AD username and password.
You are asked to accept certificates before you can authenticate to the server OURACS. The Certificates are nested:
OURROOTCA | OURPKI | OURACS
This works just fine.. until the user changes their AD password, etc. And again, we'd like them to authenticate with their login credentials, etc.

On the manual connection if we look In System Prefs>Network>Wi-Fi
under 802.1x it shows Authenticated by PEAP (MSCHAPv2) and in Advanced>Wi-Fi security for OURSSID is WPA/WPA2 enterprise. There is no profile for OURSSID under Network>Wi-Fi>Advanced>802.1x

If you inspect the keychain 4 items are added to the Login Keychain:
Certificates:
OURACS
OURPIK
OURROOTCA

and a password item:
OURSSID (which contains the AD username and password used to authenticate to OURSSID)

So in the JSS we make a Configuration profile:

OURSSID Network Payload
Level - Computer Level (As this sets the option to use as Login Window Configuration)
Network
Network Interface -Wi-Fi

Service Set Identifier (SSID) OURSSID
Auto Join
Security Type WPA/WPA2 Enterprise
Use as a Login Window configuration
Network Security Settings -Protocols:
TTLS (adds MSCHAPv2 option)
PEAP
Use Directory Authentication
Inner Authentication
MCHAPv2

Network Security Settings -Trust:
Trusted Certificates
Certificates trusted/expected for authentication
OURACS
OURPIK
OURROOTCA

We've tried loading the certs in the Wi-Fi configuration Profile as well as separately and we get the same results -

Trusted Server Certificate Names
OURACS
OURPIK
OURROOTCA

Next we make a Config Profile for the Certs - and upload our three certs:
OURSSID Certs
Level - User Level (puts the certs in the Login Keychain)

Certificate
Certificate Name?
Name or description of the certificate credential?
OURROOTCA ?Certificate? ?Subject: OURROOTCA ?Filename: OURROOTCA.cer ?Issuer: CN=OURROOTCA ?Expires: June 29, 2032 ??Passphrase?
Passphrase used to secure the credentials? (empty) Verify Passphrase? (empty)

Certificate??
Certificate Name

?Name or description of the certificate credential?
OURPKI ?Certificate? ????Subject: OURPKI ?Filename: OURPKI.cer ?Issuer: CN=OURROOTCA ?Expires: October 29, 2022 ??
Passphrase used to secure the credentials? (empty) Verify Passphrase? (empty)

Certificate
??Certificate Name

?Name or description of the certificate credential?
OURACS ?Certificate? ????Subject:OURACS ?Filename: OURACS.cer ?Issuer: CN=OURACS04, DC=OURCORP, DC=COM ?Expires: Passphrase used to secure the credentials? (empty) Verify Passphrase? (empty)

So, we push these certs to an AD bound Mac 0 again we've tried pushing them in the Wi-Fi config and as a separate config profile.
On that Mac, we see that Wi-Fi: OURSSID is available from the login screen.
This system also has an AD user mobile account on it - if we log in using that account:
• We do not automatically connect to OURSSID
• We are not prompted to present credentials for OURSSID
• If we go to System Preferences>network>Wi-Fi>802.1x Wi-Fi (OURSSID) and hit the Connect button, it pops up a Authentication dialog for OURSSID - if we enter valid credentials it will hang at "authenticating" and eventually (5 minutes) pop up another authentication dialog.

we enabled the com.apple.networking.eapol.log on the test mac - and I'm still picking through it but this:

Apr 21 15:32:49.722826 testmac01 eapolclient[158]: EAP Request Identity
Apr 21 15:32:49.722909 6 testmac01 eapolclient[158]: Acquired: cannot prompt for missing user name
Apr 21 15:32:49.722979 6 testmac01 eapolclient[158]: set_key 0/0
Apr 21 15:32:49.723179 6 testmac01 eapolclient[158]: Supplicant (main) status: state=Held

seems significant.

So there we are. Any insight or guidance is deeply appreciated!

6 REPLIES 6

lisacherie
Contributor II

802.1X profiles in v9 are keeping us on v8.

Our account manager said there were still some issues - waiting patiently here too.

pbetancourth
New Contributor

Has anyone seen any updates on this? We are having a similar issue and our Rep told us to test on 9.31 but still no go.

jhbush
Valued Contributor II

I'm using PEAP in a loginwindow profile in a AD environment. I created the profile in the JSS, but the profile doesn't handle FV2 very well. The credentials obviously don't get passed and no prompt is given to join the wireless network. I built the same profile by hand and installed it via profiles and all is well with FV2. When users login to a FV2 machine they get prompted for credentials due to none being passed at the login window. They can select the wireless network and connect. There is definitely something odd about JAMF mobileconfig profiles.

bvandepol
New Contributor III

I'm sorry for bumping this, but i'm facing the same issues here on 9.51.
Does anybody have a workaround or status regarding this?

CGundersen
Contributor III

Relating to FV2, I'm using this in combination w/ FV2 and AD/802.1x configuration profiles. Might be of help to some?:

http://support.apple.com/kb/HT5989

sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES

JPDyson
Valued Contributor

FYI, this means you see two login prompts when booting your FileVaulted Mac (one for FV, one for the OS). I presume this live OS login is what is making your JSS-generated .1X Login Window profile behave as expected. Dandy work-around, but as @jhbush1973 said, there's an issue here that needs to be corrected with how the profile is being generated by the JSS.

I've been kicking this around off and on for a while, and only haven't opened a ticket because we're not doing it in prod (SCEP issues on our end).