05-15-2023 08:30 AM - edited 05-15-2023 08:32 AM
We have been using EAP-TLS Wi-Fi with our iOS and macOS devices for some time. I use a Jamf Pro configuration profile with 3 parts:
1) install the Wi-Fi profile
2) install the root and intermediate certificate for our internal AD CA
3) use SCEP to request a machine certificate
But I'm looking to expand this so the Wi-Fi user also gets a user certificate. I can utilize more Wi-Fi roles and place users into different VLANs and ACLs, etc.
So my question is: is anyone installing AD CS user certificates on your macOS and iOS devices? Are you doing it in an automated way using SCEP? Or are the users going to a web site and enrolling themselves?
If you can help, please provide as much detail as possible.
Posted on 05-17-2023 06:56 AM
When you integrated with SCEP, how did you go about hitting your CA server? Do you use a NetScaler at all? Trying to figure that part out...
Posted on 05-17-2023 08:19 AM
I'm using a Jamf Pro configuration profile with three payloads:
1. Certificate payload: you should install all the root and intermediate certificates the client will need to connect to your Wi-Fi NAS and certificate server and trust the connections.
2. SCEP payload, where you put in the instance of your SCEP server. For me it's https://server name/certsrv/mscep/mscep.dll. Also include your SCEP server instance name and what the certificate common name will be, e.g. CN=$COMPUTERNAME. You may also need to put in credentials for your server or
3. Network payload to give the client the Wi-Fi profile. There are sections where you have to set up the security (WPA2 Enterprise), the EAP type (TLS), and in the trust section link to your SCEP and certificates so the client will trust them.
So no integration or NetScaler. For a Microsoft CA using SCEP it's just a URL. I have a wildcard certificate installed on the CA, so the client doesn't have any issues hitting it. This took me about a week or two to get right, lots of trial and error. Let me know if you want some screenshots of the settings I use. But then you will also need a CA with certificate templates available, which is a whole new can of worms.
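As an added example (not code from either poster), the following Python assembles the three payloads described in the answer above into a .mobileconfig plist and checks that the Wi-Fi payload's UUID references actually point at the SCEP identity and the trusted certificate payloads. The SCEP URL, RADIUS server names, SSID and certificate bytes are constructed placeholders.

```python
"""Build a certificate + SCEP + Wi-Fi EAP-TLS profile and validate its cross-references."""
import plistlib
import uuid

# Constructed placeholders, not values from the thread.
SCEP_URL = "https://scep.example.internal/certsrv/mscep/mscep.dll"
RADIUS_NAMES = ["radius1.example.internal", "radius2.example.internal"]
ROOT_CA_DER = b"\x30\x82\x00\x00"  # stands in for the real root CA DER bytes
CERT_PAYLOAD_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1"}

def payload(ptype, **content):
    """Wrap one payload dictionary with the keys every payload carries."""
    base = {"PayloadType": ptype, "PayloadVersion": 1,
            "PayloadIdentifier": f"com.example.{ptype}",
            "PayloadUUID": str(uuid.uuid4()).upper()}
    base.update(content)
    return base

def build_profile(ssid):
    """Return the profile dict: root cert, SCEP identity, Wi-Fi payload linked by UUID."""
    root = payload("com.apple.security.root", PayloadContent=ROOT_CA_DER)
    scep = payload("com.apple.security.scep", PayloadContent={
        "URL": SCEP_URL, "Name": "NDES",
        "Subject": [[["CN", "$COMPUTERNAME"]]],  # Jamf expands the variable per device
        "Key Type": "RSA", "Keysize": 2048, "Key Usage": 5,
        "Challenge": "<one-time challenge placeholder>"})
    wifi = payload("com.apple.wifi.managed", SSID_STR=ssid, AutoJoin=True,
        EncryptionType="WPA2", PayloadCertificateUUID=scep["PayloadUUID"],
        EAPClientConfiguration={"AcceptEAPTypes": [13],  # 13 = EAP-TLS only
            "PayloadCertificateAnchorUUID": [root["PayloadUUID"]],
            "TLSTrustedServerNames": RADIUS_NAMES})
    return {"PayloadType": "Configuration", "PayloadVersion": 1, "PayloadScope": "System",
            "PayloadIdentifier": "com.example.eap-tls", "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadContent": [root, scep, wifi]}

def check_references(profile):
    """Return a list of problems; an empty list means the payloads link up correctly."""
    by_uuid = {p["PayloadUUID"]: p for p in profile["PayloadContent"]}
    problems = []
    for wifi in (p for p in by_uuid.values() if p["PayloadType"] == "com.apple.wifi.managed"):
        eap = wifi.get("EAPClientConfiguration", {})
        ident = by_uuid.get(wifi.get("PayloadCertificateUUID"))
        if not ident or ident["PayloadType"] != "com.apple.security.scep":
            problems.append("identity does not point at an SCEP payload")
        for anchor in eap.get("PayloadCertificateAnchorUUID", []):
            if anchor not in by_uuid or by_uuid[anchor]["PayloadType"] not in CERT_PAYLOAD_TYPES:
                problems.append(f"anchor {anchor} is not a certificate payload")
        if eap.get("AcceptEAPTypes") != [13]:
            problems.append("EAP types are not restricted to TLS")
        if not eap.get("TLSTrustedServerNames"):
            problems.append("no trusted server names: any cert under the anchor would be accepted")
    return problems

def to_mobileconfig(profile):
    """Serialize to the XML plist format a .mobileconfig file uses."""
    return plistlib.dumps(profile)
```

Running `check_references` on a profile exported from Jamf Pro is a quick way to confirm the trust section really points at the right payloads before pushing it to devices.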