Posted on 07-10-2018 03:36 PM
I've been trying to slowly move away from binding my Macs to Active Directory and using tools like NoMAD. I want to be able to use SCEP in a Configuration Profile to request a cert with a challenge (pre-shared) password, but haven't been able to get it working. I'm looking to get the Mac connected (without using a user's creds, for shared computers). I get as far as the profile erroring out with:
Unable to create X509 name from 'Subject' parts in SCEP payload
Has anyone got this working? Does it even work at all?
Here are the details of my macOS Configuration Profile:
Level: Computer Level
Distribution: Automatic
Auto Join: Yes
Security Type: WPA2 Enterprise
Protocols: TLS
Identity Certificate: SCEP (Cert_Name)
QOS: Mark All Apps
Trusted Certificates: Root Internal CA
Certificates: Root CA
URL: http://path_to_ca.fqdn/certsrv/mscep/mscep.dll
Name: Cert_Name
Redistribute Profile: 14 Days
Subject: CN=$SERIALNUMBER $PROFILE_IDENTIFIER,OU=IT,O=Org_Name,L=City_Name,S=STATE_NAME,C=US
Subject Alternative Name: None
Challenge Type: Static
Retries: 3
Retry Delay: 3
Certificate Expiration Notification Threshold: 14
Key Size: 2048 (Admin set it to this in the Certificate Template)
Posted on 07-10-2018 08:08 PM
The best way that I got these to work was downloading the .mobileconfig profile and building it as a .pkg instead of a config profile. However, I wasn't getting the x509 error before I decided to go that route. The only time I saw that x509 error was for AD-bound machines, and the network team had to configure the custom attributes in the access policy.
Posted on 07-11-2018 08:14 AM
Thanks for the info @JustDeWon. I forgot I had a policy in the JSS that was auto-rebinding Macs that were unbound during a check-in, so that was part of the issue. I finally got it working by downloading the Wi-Fi (SCEP) Configuration Profile I had for my iOS devices. Then, using the
security cms -D -i /path/ios-wifi.mobileconfig | xmllint --format -
command to export the data from the profile and creating a new .mobileconfig profile, changing all the UUIDs with the uuidgen
command to get different uuids for the profile (you could also just use the reverse dns naming), then I signed the profile with the
security cms -S -N "[Signing Certificate]" -i "[input]" -o "[output]"
command I got from this site. Now I just need to package it up and deploy it to my Macs and I can finally stop binding them to AD.
Posted on 07-11-2018 08:33 AM
@ssrussell, sounds good. And that's similar to the way I do it on the Macs. I strip it first using the openssl smime -inform DER -verify -in /path/to/wifi.mobileconfig -noverify -out /path/to/wifi1.mobileconfig
command.
Then I convert it to a readable .plist using the plutil -convert xml1 /path/to/wifi1.mobileconfig
command. From there I'm able to create a package using Composer and a post-install script. I got this from here.
Good to know the command for iOS, as we don't have any iOS devices in JAMF as of now.
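The two procedures above (strip the signature from an exported .mobileconfig, change the UUIDs, re-sign it) as one end-to-end script. This is an added example, not code posted by anyone in the thread: it uses openssl in place of the macOS-only security cms and plutil commands so it runs on Linux as well, and the signing certificate, file names under $WORK, the sample Wi-Fi/SCEP profile and the identifiers com.example.ios.wifi / com.example.macos.wifi are all constructed here for the demonstration. The SCEP Subject string that triggered the X509 name error is left untouched; only the Payload UUIDs and identifiers are rewritten.

```shell
#!/bin/sh
# Added example (not from the thread). Clone a signed .mobileconfig for a
# second platform: strip the CMS signature, give every PayloadUUID a fresh
# value, retag the PayloadIdentifier, and re-sign. openssl stands in for
#   security cms -D -i in.mobileconfig          (strip)
#   security cms -S -N "<cert>" -i in -o out    (sign)
set -eu
WORK=${WORK:-$(mktemp -d)}

# Constructed fixtures: a throwaway signer and a minimal profile that plays
# the role of the Wi-Fi (SCEP) profile exported from the MDM.
make_sample() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/sign.key" -out "$WORK/sign.crt" \
    -subj "/CN=Example Profile Signer" >/dev/null 2>&1
  cat > "$WORK/unsigned.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadDisplayName</key><string>Wi-Fi (SCEP)</string>
  <key>PayloadIdentifier</key><string>com.example.ios.wifi</string>
  <key>PayloadScope</key><string>System</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>11111111-2222-3333-4444-555555555555</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.scep</string>
      <key>PayloadIdentifier</key><string>com.example.ios.wifi.scep</string>
      <key>PayloadUUID</key><string>AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE</string>
      <key>PayloadVersion</key><integer>1</integer>
    </dict>
  </array>
</dict>
</plist>
EOF
  sign_profile "$WORK/unsigned.plist" "$WORK/ios-wifi.mobileconfig"
}

# Step 1: strip the signature. -noverify still checks the signature over the
# content; it only skips the certificate-chain check, which is what you want
# for a profile you exported yourself.
strip_signature() {  # $1 signed .mobileconfig, $2 plain XML out
  openssl smime -verify -noverify -binary -inform DER \
    -in "$1" -out "$2" >/dev/null 2>&1
}

# uuidgen where present (macOS, most Linux); raw /dev/urandom otherwise.
new_uuid() {
  if command -v uuidgen >/dev/null 2>&1; then uuidgen | tr 'a-f' 'A-F'
  else od -An -N16 -tx1 /dev/urandom | tr -d ' \n' \
    | sed 's/^\(.\{8\}\)\(.\{4\}\)\(.\{4\}\)\(.\{4\}\)\(.\{12\}\)$/\1-\2-\3-\4-\5/' \
    | tr 'a-f' 'A-F'
  fi
}

# Step 2: replace every UUID-shaped <string> with a fresh one and rename the
# identifier prefix. A profile with the same PayloadIdentifier is treated as
# an update of the old one, so a clone that must coexist needs its own.
rewrite_uuids() {  # $1 in, $2 out, $3 old identifier prefix, $4 new prefix
  sed "s#$(printf '%s' "$3" | sed 's/\./\\./g')#$4#g" "$1" > "$2"
  grep -o '<string>[0-9A-Fa-f-]\{36\}</string>' "$1" | sed 's/<[^>]*>//g' | sort -u |
  while read -r old; do
    sed "s/$old/$(new_uuid)/g" "$2" > "$2.tmp" && mv "$2.tmp" "$2"
  done
}

# Step 3: re-sign as DER CMS with the content attached, which is the form
# macOS expects for a signed .mobileconfig.
sign_profile() {  # $1 plain XML, $2 signed .mobileconfig out
  openssl smime -sign -nodetach -binary -outform DER \
    -signer "$WORK/sign.crt" -inkey "$WORK/sign.key" -in "$1" -out "$2"
}

main() {
  make_sample
  strip_signature "$WORK/ios-wifi.mobileconfig" "$WORK/plain.plist"
  rewrite_uuids "$WORK/plain.plist" "$WORK/mac.plist" \
    com.example.ios.wifi com.example.macos.wifi
  sign_profile "$WORK/mac.plist" "$WORK/mac-wifi.mobileconfig"
  # Round-trip check: what the signed clone carries is exactly what we wrote.
  strip_signature "$WORK/mac-wifi.mobileconfig" "$WORK/check.plist"
  cmp -s "$WORK/mac.plist" "$WORK/check.plist" &&
    echo "re-signed profile verifies: $WORK/mac-wifi.mobileconfig"
}
main
```

On a Mac the signer should be a certificate whose chain the client already trusts (the signing cert referenced by -N in the thread), otherwise the profile installs as "unsigned"; the self-signed certificate generated here is only for running the example. Whatever you choose as the new PayloadIdentifier, keep it stable across versions so later pushes replace the profile rather than stack a second copy.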