EAP-TLS Certificate based WiFi authentication

jthurwood
New Contributor III

Hello

I'm really struggling to get our Macs authenticating to our Wireless Network using Certificate based authentication. I've followed a few help guides but none of them seem to work; has anyone managed to get this working?

Below is a copy of our Configuration profile.

1 ACCEPTED SOLUTION

sbirdsley
Contributor

I had to open an Apple Enterprise support ticket after having setup issues as well, as we needed the cert to pull down as the machine name for various systems that check for that.

Had to update username entry to:

host/%ComputerName%.%AD_DomainNameDNS%

Not sure if that will help you at all



Warren
New Contributor II

For my environment the key was getting the computer certificate to show up in the System Keychain, and then setting the machine name (with $ symbol at the end) for the username (e.g. computername$)

al_platt
Contributor II

What sort of certificate are you using, Computer or User? Are you domain joined?

We have the same setup, but with User certificates.

No bind, Enterprise Connect logged in for Kerberos.

Same profile setup as above but Distribution Method is Self Service and Level User.

User logs into Self Service to install the profile, that calls to the CA using the Kerberos auth and pulls down the cert.

Finally what's the error when you try and push?

Cheers

Al

ThijsX
Valued Contributor

Did you create a cert template on your CA?

Edit: in our situation we don't need the username to be $COMPUTERNAME$.
Try selecting TLS and PEAP and no username.

Also include your ROOTCA certificate within the tree.

jthurwood
New Contributor III

Currently the Macs are requesting the user to choose from two certificates. One is the AD Certificate that has been generated, the other is a jamfcloud cert.


al_platt
Contributor II

We cloned the standard user one in the CA and used that... just make sure you set the options correctly as ours initially caused issues with S/MIME on iOS - turn signing off and no need to publish to AD....

I'm sure when I was testing I tried Mac as the cert template name and for some reason it wasn't working... we reverted to **_WiFi_Certificate

Not sure if this made any difference but it works!

jthurwood
New Contributor III

Tried leaving the username blank and I'm still seeing the same pop up window asking which certificate to use.

@al_platt when you had Mac as the template name, were you seeing the same pop up?

It's frustrating as once you select the correct cert, it does connect but we'd like everything to be automated. I did read the pop up could be due to the CA Root cert not including a subject name but I've checked and the subject is populated with the CA FQDN.

Edit - Sorry, I should have said, this is machine based authentication and not user!

ThijsX
Valued Contributor

Are there still credentials (username/pw) stored in the keychain referring to your Wi-Fi network?

jthurwood
New Contributor III

Only for our current corporate network which is different to our EAP-TLS test network.

I've removed our other corporate network from a client machine to test but still the same.

al_platt
Contributor II

When I tried Mac as the template name the profile just wouldn't install: cert installation failed. As I say, weird, and not sure if related.

What if you issue a cert manually via the CA web portal and then try manually connecting with that?

TreviñoL
Contributor

We followed a few steps documented here: http://sachinparmarblog.com/wireless-802-1x-eap-tls-on-mac-os-x/

al_platt
Contributor II

Just noticed I have authentication set to WPA/WPA2 Enterprise, NOT just WPA2 Enterprise.


jthurwood
New Contributor III

@sbirdsley I think that's cracked it!!

No prompts and connects straight away.

Thanks so much!

sbirdsley
Contributor

@jthurwood Awesome!

AHolmdahl
New Contributor III

@sbirdsley Are you using Apple Profile manager to create the profile?
We are trying to get WIRED 802.1x authentication to work at a system (machine) level.
From what I've seen in JAMF nation discussions, one can't create a machine based wired authentication profiles with the JSS.

Any input would be much appreciated

sbirdsley
Contributor

@AHolmdahl I am using JAMF Pros to setup and deploy the configuration profiles

We have been able to get direct system level .1x authentication working in our environment using the "username" details I provided previously in this post and an AD certificate payload with the appropriate server setup

The only issue I have found in our environment/setup is that, depending on what you have the Network Interface setting configured to, there have been issues when the system is used in a "dock" setup with the network interface connected through another means. It appears that if you set the Network Interface to, say, "First Active Ethernet", this will only work if the system is directly connected to Ethernet or through a direct adapter (MBP > Thunderbolt to Ethernet adapter), and we see .1x failures with network connections made through Dell USB docking stations, split through an IP phone, connected Thunderbolt Displays, etc.

This appears to be resolved in our environment at least with 10.13 and changing the interface setting in the configuration profile to "Any Ethernet"

m3ir
New Contributor III

@sbirdsley will the host/%ComputerName%.%AD_DomainNameDNS% entry work at user level to make the certificate chooser window disappear and auto-connect?

Thanks

atlas
New Contributor

@sbirdsley I am also interested in a WIRED only configuration profile using EAP-TLS with NO username, just the system certificates. Do you have any experience with this?

cjatsbm
New Contributor II

Having the same issue with our ADCS Connector... looking for machine based Certs from ADCS for our EAP-TLS wifi.. I can generate an ADCS certificate and it gets delivered by JAMF Pro to the Machine but then I am forced to choose the certificate to use instead of automatically joining with Machine Cert the first time. I get presented with the com.apple.kerberos.kdc and the Machine ADCS generated certificate. If I select the Machine certificate it gets on and remembers from then on but not sure why it is not using the machine cert in the first place. Any ideas Peeps?

tomyaujamf
New Contributor

@sbirdsley

How do you update the below setting in a Mac?

Had to update username entry to:

host/%ComputerName%.%AD_DomainNameDNS%


mottertektura
Contributor

@cjatsbm We're not currently using the Jamf ADCS Connector (but looking to implement it in the near future). Just checking if you are already combining all of the payloads in the same profile (e.g. network, root and issuing certificates, AD certificate)? I ran into the same issue you described when we first set up our 802.1X EAP-TLS profile where it wouldn't auto-authenticate using the ADCS machine certificate and combining all of the payloads in the same profile worked for me. Good luck!

patgmac
Contributor III

@cjatsbm When you install a device-level profile, the cert goes into the System keychain. Only connection attempts made by the system will use that connection (com.apple.network.eap.SYSTEM.identity.wlan.ssid.$yourssid). These connection attempts are typically after wake/boot/login. If the user manually selects $yourssid from the menu, it's looking for a com.apple.network.eap.USER.identity.wlan.ssid.$yourssid; if it doesn't have one, it will prompt for the cert and then create that identity in the login keychain.

This doesn't explain why it's not connecting automatically after the profile is installed, but should explain the prompt.

One workaround for all this is to also install user-level network profile. All the settings can be the same.
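The two failure modes discussed in this thread (the username not matching the machine cert, and the missing SYSTEM or USER identity preference that patgmac describes) can be checked on the client without guessing. The script below is an added example, not code from the thread or from Jamf; it assumes a macOS client with the security(1) and scutil tools, and the SSID, computer name and domain it uses in calls are constructed placeholders. Run it with sudo so the System keychain is readable.

```shell
#!/bin/sh
# Added example (not from the thread): inspect why a machine-auth EAP-TLS SSID
# prompts for a certificate. Assumes macOS with the security(1) tool; the
# SSID, computer name and domain used in calls are constructed placeholders.

# Builds the string the Jamf Network payload produces from
# host/%ComputerName%.%AD_DomainNameDNS%, for comparison with the cert's SAN.
expected_username() {
    # $1 = computer name, $2 = AD DNS domain
    printf 'host/%s.%s\n' "$1" "$2"
}

# Keychain identity-preference name the supplicant looks up before prompting.
# Device-level profiles record it in the SYSTEM scope (System keychain); a
# manual join from the Wi-Fi menu looks for the USER scope (login keychain).
eap_identity_service() {
    # $1 = SYSTEM or USER, $2 = SSID
    case "$1" in
        SYSTEM|USER) printf 'com.apple.network.eap.%s.identity.wlan.ssid.%s\n' "$1" "$2" ;;
        *) echo "scope must be SYSTEM or USER" >&2; return 1 ;;
    esac
}

# Live checks, run only where the macOS tools exist.
# $1 = SSID, $2 = AD DNS domain
check_live() {
    ssid="$1"; domain="$2"
    if ! command -v security >/dev/null 2>&1; then
        echo "security(1) not found; skipping live checks"
        return 0
    fi
    name=$(scutil --get ComputerName)
    echo "Username the profile should send: $(expected_username "$name" "$domain")"

    # Identities the EAP policy will accept from the System keychain. A machine
    # cert that is missing here explains the prompt on its own.
    echo "EAP-capable identities in the System keychain:"
    security find-identity -v -p eap /Library/Keychains/System.keychain

    # A SAN that does not match the FQDN in the username is the other usual cause.
    echo "SAN entries of the certificate with CN $name.$domain:"
    security find-certificate -c "$name.$domain" -p /Library/Keychains/System.keychain 2>/dev/null \
        | openssl x509 -noout -text | grep -A1 'Subject Alternative Name' \
        || echo "  (no such certificate, or no SAN extension)"

    for scope in SYSTEM USER; do
        svc=$(eap_identity_service "$scope" "$ssid")
        if security get-identity-preference -s "$svc" -c >/dev/null 2>&1; then
            echo "$scope identity preference for $ssid:"
            security get-identity-preference -s "$svc" -c
        else
            echo "no $scope identity preference for $ssid: a join in that scope will prompt"
        fi
    done
}

check_live "${1:-corp-eap-tls}" "${2:-corp.example.com}"
```

If the SYSTEM preference is present but the USER one is not, a user picking the SSID from the menu will still be prompted once, which is the behaviour the post above describes; the cert chosen then becomes the USER preference in the login keychain.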

dustink
New Contributor II

Has anyone had any issues with the configuration profile applying before a name change of the device, so the cert in the System keychain shows Macbook-Pro.domain instead of serial.domain, and then binding breaks after the name change?

LovelessinSEA
Contributor II

@dustink yeah, that's just a timing thing, if you are wanting to use the serial number of the device.

I use two policies to handle this, probably better ways, but it works for me.

I create a AD bind policy with the Active Directory Payload, let's call it: Active Directory Binding, let's create a custom trigger for it say 'adbind'

I then create a second policy that runs a script that changes the name of the machine to its serial number and then calls the Active Directory Binding policy. Below is a small portion of a larger script, but this is essentially what I use.

#!/bin/sh
# Rename the Mac to its serial number, then trigger the AD bind policy so the
# machine certificate is issued under the final name.
jamfbinary="/usr/local/bin/jamf"

# The serial is the quoted value after "=" on the IOPlatformSerialNumber line;
# splitting on double quotes avoids depending on the indentation ioreg prints.
serial_number=$(/usr/sbin/ioreg -c IOPlatformExpertDevice -d 2 | awk -F'"' '/IOPlatformSerialNumber/ {print $4}')
/usr/sbin/scutil --set ComputerName "$serial_number"
/usr/sbin/scutil --set LocalHostName "$serial_number"
/usr/sbin/scutil --set HostName "$serial_number"

# BSD sleep takes a plain number of seconds, not "10s"
sleep 10

echo "Active Directory Binding"
"${jamfbinary}" policy -event "adbind"

jameson
Contributor II

Just found this thread. So I have a Mac not bound to AD, and a user certificate from ADCS that ends up in the login keychain.
Manually when connecting to network and choosing certificate it works, but I have problems setting it up in the network payloads.

Can anyone share how they have set this up ?

jeroschwab
New Contributor

@sbirdsley did you get any solution for the reconnection issues with a USB adapter?