We are running Jamf with NoMAD, so not bound to AD. We managed to get a machine certificate onto the Mac from the Windows CA, as the goal was to get EAP-TLS working.
But we cannot manage to get EAP-TLS working. Every time when connecting and choosing the machine certificate, it fails.
Can someone confirm that this can also work without the Mac being bound to AD?
What does your cert authenticate against? Ours authenticates against the machine name in AD. Even though the Mac isn't bound to AD, it still needs the "computer name" as a placeholder in the correct OU in AD. We just create a new computer object with the name of the machine and poof, the machine cert works on a non-bound machine.
I was thinking you could just test to see if that was why they were failing... Also, if that does get it working, this would only need to be done once per the life of the device. I think it could be somewhat automated via PowerShell. Not sure what your naming scheme is, but it should be doable. We just went through this change, so I feel your pain. It took quite a while and required a member of our networking team who was able to break down what the auth server was looking for on the certificate.
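One way to automate the computer-object pre-creation described in the reply above, as an added example that is not code posted in this thread. It assumes (none of this is stated by the poster) that NPS maps the Mac's certificate to a computer account by matching the certificate's DNS SAN against the account's dNSHostName, that the OU and DNS domain below are placeholders you replace with your own, and that the names you feed in are exactly the computer names the Macs report to Jamf and put in their certificate SAN:

```powershell
# Added example, not from the thread: pre-create AD computer objects for
# non-bound Macs so an EAP-TLS machine cert has an account to authenticate against.
# Assumptions (not stated in the thread; adjust to your environment):
#   - $TargetOU is the OU your RADIUS/NPS policy grants access to;
#   - the cert's DNS SAN will be <ComputerName>.<DnsDomain>, and the computer
#     object's dNSHostName must match it for the mapping to succeed.
#Requires -Modules ActiveDirectory

[CmdletBinding(SupportsShouldProcess)]
param(
    # Mac computer names, e.g. from a Jamf Pro export. Must match the name the
    # Mac reports and the name used in the certificate's SAN.
    [Parameter(Mandatory)]
    [string[]]$ComputerName,

    # Placeholder OU; replace with the OU your network policy expects.
    [string]$TargetOU  = 'OU=Macs,OU=Workstations,DC=corp,DC=example',

    # Placeholder DNS domain used to build dNSHostName.
    [string]$DnsDomain = 'corp.example'
)

Import-Module ActiveDirectory

foreach ($name in $ComputerName) {
    # sAMAccountName for a computer object is a NetBIOS name: 15 chars plus '$'.
    # Skip rather than silently truncate, since the cert SAN must match the name.
    if ($name.Length -gt 15) {
        Write-Warning "'$name' is longer than 15 characters; shorten the Mac's name first."
        continue
    }

    $fqdn = ('{0}.{1}' -f $name, $DnsDomain).ToLower()

    $existing = Get-ADComputer -Filter "Name -eq '$name'" -Properties dNSHostName

    if ($existing) {
        if ($existing.DNSHostName -ne $fqdn) {
            # Object exists but would not match the cert SAN: fix dNSHostName.
            if ($PSCmdlet.ShouldProcess($existing.DistinguishedName, "Set dNSHostName to $fqdn")) {
                Set-ADComputer -Identity $existing -DNSHostName $fqdn
            }
        }
        if (-not $existing.Enabled) {
            Write-Warning "'$name' exists but is disabled; NPS rejects disabled accounts."
        }
        Write-Verbose "'$name' already present at $($existing.DistinguishedName)"
        continue
    }

    # The object is only a placeholder for NPS to match against. Give it no group
    # memberships or rights beyond what the RADIUS policy needs.
    if ($PSCmdlet.ShouldProcess("$name in $TargetOU", 'Create computer object')) {
        New-ADComputer -Name $name `
                       -SAMAccountName "$name`$" `
                       -DNSHostName $fqdn `
                       -Path $TargetOU `
                       -Enabled $true `
                       -Description 'Mac (Jamf/NoMAD, not domain-joined) - EAP-TLS placeholder' `
                       -ServicePrincipalNames @("HOST/$fqdn", "HOST/$name")
    }
}

# Check what NPS will see for one object after running the script:
# Get-ADComputer -Identity '<name>' -Properties dNSHostName |
#     Format-List Name, DNSHostName, Enabled, DistinguishedName
```

Run it once with `-WhatIf` to review the objects it would create, then without. If your CA template puts something other than the DNS FQDN in the SAN (for example a UPN), change the dNSHostName logic to match whatever attribute your auth server actually compares against, which is exactly the detail the poster's networking team had to work out.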
Having the same issue with our ADCS Connector... looking for machine-based EAP-TLS Wi-Fi. I can generate an AD certificate and it gets delivered by Jamf Pro to the machine, but then I am forced to choose the certificate to use instead of automatically joining with the machine cert the first time. I get presented with the com.apple.kerberos.kdc and the machine ADCS-generated certificate. If I select the machine certificate it gets on and remembers, but not sure why it is not using the machine cert in the first place.
If you're seeing this on Big Sur, make sure you're adding the entire certificate tree into the configuration profile. I was seeing the same issue where my once-working profile would no longer authenticate. Spoke to Apple and they suggested adding the entire tree into the profile: Root, 802ca and then the template for the AD cert. As soon as we did this the connection worked as expected.
I have been trying and failing with this process for a while now. Would anyone be able to shed some light on more specific settings that are needed on the Jamf Config Profile side and what specific properties within the computer record and cert?
We're using Microsoft's NPS RADIUS service on the back end. I've tried various options for the SAN Type/Value within the Cert payload and the Username within the Wi-Fi payload and have had little success; I just added the full tree and got the same thing. Any insight or suggestions would be greatly appreciated!