In my organization we are trying to implement 802.1x with EAP-TLS and certificate authentication. We are able to deploy the configuration profile signed or unsigned with jamf for Ethernet interfaces however when the user adds another ethernet interface or the machine was imaged with one type of interface and they user is using another then they are prompted for what certificate to use. I'm trying to figure out how to make a profile that will allow the network config to apply to all Ethernet interfaces or some kind of script that can run from time to time to address this.
I had a case open for several years. It was closed at the release of 10.12 and I have in my notes I tested and verified it was resolved but now that we are broadly deploying 10.12 clients the behavior seems the same as it ever was. I have reopened the case but have not heard back from Apple yet.
Its possible to create identity preferences for any existing interface to point to a certificate, using the
security command. We currently have a deployed LaunchAgent that runs periodically on our Macs using a 802.1x cert, that verifies if the identity has been set up. If its not, it sets one up, that way when they connect to one of the Wi-Fi APs that can be used with the certificate, it just works, without prompting them to choose one (a cert).
I'd imagine the same approach could be taken here, but you would need to determine which interfaces to look for, and a way to determine the right certificate in the keychain.
I've also tried the route to create an additional identity, but the command that adds the identity to the keychain almost always added it to the keychain of the logged-on user instead of the System keychain, which means it's useless outside of that user context (other than that, it worked). I opened up a case with Apple and they confirmed it, with no indication they see it as a problem.
Heck, all I need is for the security command to let me choose a keychain target when I create an identity and I'm good. Probably a relatively easy change for Apple but it will always be a low priority for them because it's an Enterprise-only problem and relatively few companies use wired 802.1x. Luckily that is changing, but it sucks to be on the leading edge, we've been using it for many years.
I have no idea why Apple can't just apply an 802.1x config to all Ethernet ports. It's a huge problem for us because it's very unintuitive for both users and support staff. It's almost impossible for me to explain Apple's terrible 802.1x configuration implementation even to intelligent IT folks, much less frontline support staff and users.
So what I have found out is if you create a copy of the System Keychain item:
and rename it to:
Now all Ethernet adapters will work when the user is logged in. Granted only the one that was available at the time of profile installation will work at the login screen but at least this is a step in the right direction. I'm currently trying to create a python script that will automatically do this as I couldn't get the security command to work right.
I have also been involved with issues related to 802.1X on different interfaces. I'll have to double-check, but I recall that part of the difference is with interfaces created before vs. after the profile is applied.
There may also be complexity if you have more than the standard "Automatic" Network Location, where interfaces may be assigned to different Locations. (Now there's a forgotten feature!)
After digging through this for about almost two months please check out this link and give it a try. Should work whether you are using EAP-TLS or PEAP-MSCHAPV2. 802.1x II - Electric Boogaloo - Copying the System Profile from One Ethernet to Another