Jamf Nation Community

What sort of certificate are you using, Computer or User? Are you domain joined?

We have the same setup with but with User certificates.

No bind, Enterprise Connect logged in for Kerberos.

Same profile setup as above but Distribution Method is Self Service and Level User.

User logs into Self Service to install the profile, that calls to the CA using the Kerberos auth and pulls down the cert.

Finally what's the error when you try and push?

Cheers

Al

Did you create a cert template on your CA?

Edit: in our situation we dont need the username to be $COMPUTERNAME$.
Try selecting TLS and PEAP and no username.

Also include your ROOTCA certificate within the tree.

Currently the Macs are requesting the user to choose from two certificates. One is the AD Certificate that has been generated, the other is a jamfcloud cert.

We cloned the standard user one in the CA and used that... just make sure you set the options correctly as ours initially caused issues with S/MIME on iOS - turn signing off and no need to publish to AD....

I'm sure when I was testing i tried Mac as the cert template name and for some reason it wasn't working... we reverted to **_WiFi_Certificate

Not sure if this made any difference but it works!

Tried leaving the username blank and I'm still seeing the same pop up window asking which certificate to use.

@al_platt when you had Mac as the template name, were you seeing the same pop up?

It's frustrating as once you select the correct cert, it does connect but we'd like everything to be automated. I did read the pop up could be due to the CA Root cert not including a subject name but I've checked and the subject is populated with the CA FQDN.

Edit - Sorry, I should have said, this is machine based authentication and not user!

Are there still credentials (username/pw) store in the keychain referred to your Wi-Fi network?

Only for our current corporate network which is different to our EAP-TLS test network.

I've removed our other corporate network from a client machine to test but still the same.

When i tried Mac as the template name the profile just wouldn't install.. cert installation failed - as i say, weird and not sure if related.

What if you issue a cert manually via the CA web portal and then try manually connecting with that?

We followed a few steps documented here: http://sachinparmarblog.com/wireless-802-1x-eap-tls-on-mac-os-x/

Just noticed i have authentication set to WPA/WPA2 Enterprise NOT just WPA2 Enterprise.

@sbirdsley I think that's cracked it!!

No prompts and connects straight away.

Thanks so much!

@jthurwood Awesome!

@sbirdsley Are you using Apple Profile manager to create the profile?
We are trying to get WIRED 802.1x authentication to work a system (machine) level.
From what I've seen in JAMF nation discussions, one can't create a machine based wired authentication profiles with the JSS.

Any input would be much appreciated

@AHolmdahl I am using JAMF Pros to setup and deploy the configuration profiles

We have been able to get direct system level .1x authentication working in our environment using the "username" details I provided previously in this post and an AD certificate payload with the appropriate server setup

The only issue I have found in our environment/setup is depending on what you have the Network interface setting configured to has caused some issues when the system is used in a "dock" setup with the network interface connected through another means. It appears if you set the Network Interface to say use "First Active Ethernet" we have found this will only work if the system is directly connected to Ethernet or through a direct adapter (MBP > Thunderbolt to Ethernet Adapter) and see .1x failures with network connection made to Dell USB docking stations, split through IP Phone, connected Thunderbolt Displays, etc.

This appears to be resolved in our environment at least with 10.13 and changing the interface setting in the configuration profile to "Any Ethernet"

@sbirdsley is the host/%ComputerName%.%AD_DomainNameDNS% entry will work on user level to disappear the certificates choose window and auto connect?

Thanks

@sbirdsley I am also interested in a WIRED only configuration profile using EAP-TLS with NO username, just the system certificates. Do you have any experience with this?

Having the same issue with our ADCS Connector... looking for machine based Certs from ADCS for our EAP-TLS wifi.. I can generate an ADCS certificate and it gets delivered by JAMF Pro to the Machine but then I am forced to choose the certificate to use instead of automatically joining with Machine Cert the first time. I get presented with the com.apple.kerberos.kdc and the Machine ADCS generated certificate. If I select the Machine certificate it gets on and remembers from then on but not sure why it is not using the machine cert in the first place. Any ideas Peeps?

@sbirdsley

How do you update the below setting in a Mac?

Had to update username entry to:

host/%ComputerName%.%AD_DomainNameDNS%

@sbirdsley Having the same issue with our ADCS Connector... looking for machine based Certs from ADCS for our EAP-TLS wifi.. I can generate an ADCS certificate and it gets delivered by JAMF Pro to the Machine but then I am forced to choose the certificate to use instead of automatically joining with Machine Cert the first time. I get presented with the com.apple.kerberos.kdc and the Machine ADCS generated certificate. If I select the Machine certificate it gets on and remembers from then on but not sure why it is not using the machine cert in the first place

@cjatsbm We're not currently using the Jamf ADCS Connector (but looking to implement it in the near future). Just checking if you are already combining all of the payloads in the same profile (e.g. network, root and issuing certificates, AD certificate)? I ran into the same issue you described when we first set up our 802.1X EAP-TLS profile where it wouldn't auto-authenticate using the ADCS machine certificate and combining all of the payloads in the same profile worked for me. Good luck!

@cjatsbm When you install a device-level profile, the cert goes in to the System keychain. Only connection attempts made the the system will use that connection (com.apple.network.eap.SYSTEM.identity.wlan.ssid.$yourssid). These connection attempts are typically after wake/boot/login. If the user manually selects $yourssid from the menu, it's looking for a com.apple.network.eap.USER.identity.wlan.ssid.$yourssid, if it doesn't have one, it will prompt for the cert then create that identity in the login keychain.

This doesn't explain why it's not connecting automatically after the profile is installed, but should explain the prompt.

One workaround for all this is to also install user-level network profile. All the settings can be the same.

Has anyone had any issues with the configuration profile applying before a name change of the device. so the cert in system keychain will show Macbook-Pro.domain instead of the serial.domain and then binding would break after the name change?

@dustink yeah that's just a timing thing, if are you wanting to use the serial number of the device

I use two policies to handle this, probably better ways, but it works for me.

I create a AD bind policy with the Active Directory Payload, let's call it: Active Directory Binding, let's create a custom trigger for it say 'adbind'

I then create a second policy that runs a script that changes the name of the machine to it's serial number and then calls the Active Directory Binding policy. below is a small portion of a larger script but this is essentially what I use.

#!/bin/sh
serial_number=`ioreg -l | grep IOPlatformSerialNumber|awk '{print $4}' | cut -d " -f 2`
/usr/sbin/scutil --set ComputerName $serial_number
/usr/sbin/scutil --set LocalHostName $serial_number
/usr/sbin/scutil --set HostName $serial_number

sleep 10s

echo "Active Directory Binding"
${jamfbinary} policy -event "adbind"

Just found this thread. So Have a Mac not bound to AD, and user certificate from ADCS that ends in the login keychain.
Manually when connecting to network and choosing certificate it works, but I have problems setting it up in the network payloads.

Can anyone share how they have set this up ?

@sbirdsley do you get any solution for the reconnection issues with an USB adapter?

@cjatsbm   Would be able share your NPS Setup ?  I am at the point where I can issue Certificates and the Trust change to the client Mac however I am having trouble setting up MS NPS to authenticate based on the presence of the Certificate.