EAP-TLS 802.1x More than one Ethernet Interface

josh_miller
New Contributor II

Hello,

In my organization we are trying to implement 802.1x with EAP-TLS and certificate authentication. We are able to deploy the configuration profile, signed or unsigned, with Jamf for Ethernet interfaces; however, when the user adds another Ethernet interface, or the machine was imaged with one type of interface and the user is using another, they are prompted for what certificate to use. I'm trying to figure out how to make a profile that will allow the network config to apply to all Ethernet interfaces, or some kind of script that can run from time to time to address this.

Thank you!


chisox1
New Contributor

Our company had the same problem! Apple denied this as a fault and insisted it was by design. Never got anywhere with the ticket.

Kaltsas
Contributor III

I had a case open for several years. It was closed at the release of 10.12 and I have in my notes I tested and verified it was resolved but now that we are broadly deploying 10.12 clients the behavior seems the same as it ever was. I have reopened the case but have not heard back from Apple yet.

josh_miller
New Contributor II

I have opened a support request with jamf and Apple because I would really like a solution to this issue.

josh_miller
New Contributor II

So I found this post http://apple.stackexchange.com/questions/193631/802-1x-management-on-the-command-line and was wondering if maybe we could somehow create a default identity for Ethernet which would make the profile work on all interfaces. Anyone have experience with this?

mm2270
Legendary Contributor III

It's possible to create identity preferences for any existing interface to point to a certificate, using the security command. We currently have a deployed LaunchAgent that runs periodically on our Macs using an 802.1x cert, which verifies whether the identity has been set up. If it's not, it sets one up; that way, when they connect to one of the Wi-Fi APs that can be used with the certificate, it just works, without prompting them to choose one (a cert).

I'd imagine the same approach could be taken here, but you would need to determine which interfaces to look for, and a way to determine the right certificate in the keychain.

alexjdale
Valued Contributor III

I've also tried the route to create an additional identity, but the command that adds the identity to the keychain almost always added it to the keychain of the logged-on user instead of the System keychain, which means it's useless outside of that user context (other than that, it worked). I opened up a case with Apple and they confirmed it, with no indication they see it as a problem.

Heck, all I need is for the security command to let me choose a keychain target when I create an identity and I'm good. Probably a relatively easy change for Apple but it will always be a low priority for them because it's an Enterprise-only problem and relatively few companies use wired 802.1x. Luckily that is changing, but it sucks to be on the leading edge, we've been using it for many years.

I have no idea why Apple can't just apply an 802.1x config to all Ethernet ports. It's a huge problem for us because it's very unintuitive for both users and support staff. It's almost impossible for me to explain Apple's terrible 802.1x configuration implementation even to intelligent IT folks, much less frontline support staff and users.

Kaltsas
Contributor III

It has something to do with how the OS enumerates network adapters. I have not heard back from Apple since I reopened this case.

josh_miller
New Contributor II

So what I have found out is if you create a copy of the System Keychain item:

com.apple.network.eap.system.identity.profileid.IDHere

and rename it to:

com.apple.network.eap.user.identity.profileid.IDHere

Now all Ethernet adapters will work when the user is logged in. Granted, only the one that was available at the time of profile installation will work at the login screen, but at least this is a step in the right direction. I'm currently trying to create a Python script that will automatically do this, as I couldn't get the security command to work right.
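The following is an added example and not code from this thread or from any of the posters. It puts mm2270's periodic "check for an identity preference, create one if missing" LaunchAgent approach together with josh_miller's observation that the user-side keychain item is named com.apple.network.eap.user.identity.profileid.<ID>. It assumes (the thread does not confirm this) that that item is an ordinary identity preference, so `security set-identity-preference -s <that name>` creates it; that <ID> is the ID you read off the System keychain item (PROFILE_ID below is a placeholder); that the 802.1X client certificate can be picked by a regex on its common name (CERT_NAME_PATTERN is a placeholder); and that `security get-identity-preference -Z` prints the certificate's SHA-1 hash. The `networksetup` and `security` outputs embedded in the script are constructed samples for offline testing. Per alexjdale's post the preference lands in the user's login keychain, so run this from a per-user LaunchAgent; as josh_miller notes, that helps once the user is logged in, not at the login window.

```python
#!/usr/bin/env python3
"""Pin the user's 802.1X client identity so every wired interface uses it.

Added example for the thread above, not a poster's code. PROFILE_ID and
CERT_NAME_PATTERN are placeholders; the sample outputs are constructed.
Only the command lines are macOS-specific; the parsing runs anywhere.
"""
import re
import subprocess
import sys

PROFILE_ID = "00000000-0000-0000-0000-000000000000"   # placeholder: <ID> from the System keychain item
CERT_NAME_PATTERN = r"\.corp\.example$"                # placeholder: regex on the client cert's CN

# Constructed sample of `networksetup -listallhardwareports` (not captured from a real Mac).
SAMPLE_HARDWARE_PORTS = """\
Hardware Port: Wi-Fi
Device: en0
Ethernet Address: aa:bb:cc:dd:ee:01

Hardware Port: Thunderbolt Ethernet
Device: en4
Ethernet Address: aa:bb:cc:dd:ee:02

Hardware Port: USB 10/100/1000 LAN
Device: en7
Ethernet Address: aa:bb:cc:dd:ee:03

Hardware Port: Thunderbolt Bridge
Device: bridge0
Ethernet Address: aa:bb:cc:dd:ee:04
"""
# Constructed sample of `security find-identity -v -p eap` (one valid, one expired identity).
SAMPLE_FIND_IDENTITY = """\
Policy: EAP
  Matching identities
  1) 0123456789ABCDEF0123456789ABCDEF01234567 "mac-0042.corp.example"
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "mac-0042.corp.example" (CSSMERR_TP_CERT_EXPIRED)
     2 identities found

  Valid identities only
  1) 0123456789ABCDEF0123456789ABCDEF01234567 "mac-0042.corp.example"
     1 valid identities found
"""


def ethernet_interfaces(hardware_ports_text):
    """[(port name, BSD device)] for the wired ports listed by networksetup."""
    ports, port = [], None
    for line in hardware_ports_text.splitlines():
        m = re.match(r"Hardware Port:\s*(.+)", line)
        if m:
            port = m.group(1).strip()
            continue
        m = re.match(r"Device:\s*(\S+)", line)
        if m and port is not None:
            # Wi-Fi and the Thunderbolt Bridge are not wired 802.1X ports.
            if re.search(r"ethernet|\bLAN\b", port, re.I) and "bridge" not in port.lower():
                ports.append((port, m.group(1)))
            port = None
    return ports


def valid_identities(find_identity_text):
    """[(SHA-1 hex, name)] from the 'Valid identities only' section of find-identity -v."""
    ids, in_valid = [], False
    for line in find_identity_text.splitlines():
        if "Valid identities only" in line:
            in_valid = True
        elif in_valid:
            m = re.match(r'\s*\d+\)\s+([0-9A-Fa-f]{40})\s+"(.+)"\s*$', line)
            if m:
                ids.append((m.group(1).upper(), m.group(2)))
    return ids


def choose_identity(identities, name_pattern):
    """Exactly one identity must match the pattern; refuse to guess otherwise."""
    matches = [(h, n) for h, n in identities if re.search(name_pattern, n)]
    if len(matches) != 1:
        raise LookupError(f"expected 1 identity matching {name_pattern!r}, found {len(matches)}")
    return matches[0]


def eap_user_service(profile_id):
    """Name of the user-side item from josh_miller's post (assumed to be an identity preference)."""
    return f"com.apple.network.eap.user.identity.profileid.{profile_id}"


def preference_matches(get_pref_output, sha1_hex):
    """True if `security get-identity-preference -Z` output already names the wanted cert."""
    return sha1_hex.upper() in {h.upper() for h in re.findall(r"[0-9A-Fa-f]{40}", get_pref_output)}


def set_preference_command(service, sha1_hex):
    return ["security", "set-identity-preference", "-s", service, "-Z", sha1_hex]


def run(cmd):
    return subprocess.run(cmd, capture_output=True, text=True).stdout


def ensure_preference(profile_id, name_pattern, dry_run=False):
    """Meant for a per-user LaunchAgent; returns the service name pinned, or None."""
    ports = ethernet_interfaces(run(["networksetup", "-listallhardwareports"]))
    if not ports:
        print("no wired interfaces present; nothing to do")
        return None
    sha1, name = choose_identity(
        valid_identities(run(["security", "find-identity", "-v", "-p", "eap"])), name_pattern)
    service = eap_user_service(profile_id)
    if preference_matches(run(["security", "get-identity-preference", "-s", service, "-Z"]), sha1):
        print(f"{service} already points at {name}")
        return service
    cmd = set_preference_command(service, sha1)
    print(("would run: " if dry_run else "running: ") + " ".join(cmd), "for", [d for _, d in ports])
    if not dry_run:
        subprocess.run(cmd, check=True)   # written to the login keychain, per alexjdale's post
    return service


if __name__ == "__main__":
    ensure_preference(PROFILE_ID, CERT_NAME_PATTERN, dry_run="--dry-run" in sys.argv)
```

Run it once by hand with `--dry-run` to confirm it finds exactly one identity and prints the `security` command it would issue before wiring it into a LaunchAgent; the script deliberately refuses to act when zero or several certificates match, since picking the wrong one would silently recreate the prompt this thread is trying to get rid of.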

jaharmi
Contributor

I have also been involved with issues related to 802.1X on different interfaces. I'll have to double-check, but I recall that part of the difference is with interfaces created before vs. after the profile is applied.

There may also be complexity if you have more than the standard "Automatic" Network Location, where interfaces may be assigned to different Locations. (Now there's a forgotten feature!)

josh_miller
New Contributor II

After digging through this for almost two months, please check out this link and give it a try. It should work whether you are using EAP-TLS or PEAP-MSCHAPV2. 802.1x II - Electric Boogaloo - Copying the System Profile from One Ethernet to Another

ssmurphy
New Contributor III

Thanks for posting this info. Testing this now with a number of USB-C docks we have in testing.

Looks to be working great.