EAP-TLS (Wired or Wireless) Prompting for Admin Account When Connecting

ndelgrande
New Contributor

Hi all,

We are moving to EAP-TLS on wireless and wired, but because the workstations unique certificate and the rest of the chain is in the System Keychain, an admin prompt is popping up when connecting. I am pushing the certs out using the "AD Certificate" Configuration Profile which pulls the certificate from an Active Directory Certificate Server. SCEP is not an option. Is there any way to use machine level authentication with EAP-TLS for non admin users? This is a big show stopper for us since not all our Mac users are admins.

2 REPLIES 2

michaelhusar
Contributor II

We use EAP-TLS just for Wifi:
I have a Profile to distribute the Wifi settings: It holds 3 certs to cover the whole chain (wifi-cert, access-point - cert, CA-cert). Network-payload: "protocols": EAP-Type: TLS is checked, no username, identity cert is set to the wifi-cert; under "trust" the access-point and the CA-cert are listed and checked; under cert-names the wifi-cert-name and the access-point-cert-name are entered
Maybe check also your wifi-identity-cert: since it is secured with a password (pkcs12) it "looks" different than the other certs: "No information can be displayed"

alexjdale
Valued Contributor III

We also store the chain certs on the System keychain, but make sure you have explicitly set trust on them (we set trust for SSL and EAP). We don't have issues with admin prompts.