Help with 802.1x Wireless Payload

Aziz
Valued Contributor

Hello JAMF Nation,

I'm currently having issues with deploying a machine-level Wi-Fi payload. I've tried all the authentication methods listed and they all fail. Occasionally, I will get prompted on my testing machine for my username and password. I enter the info, and it tells me "the identity of authentication cannot be established OS X payload". I've also attached a screen shot of our Windows Group Policy that works. This is all on Cisco infrastructure, by the way. Any help would be appreciated because our network guy and I are lost.

Info:


PEAP (using Terminal it's called "Company SSID - WPA2+AES").

I've also tried TLS - Inner authentication = MSCHAPV2


Trusted the certificate:



WINDOWS Group Policy. This works.



qhle373
Contributor

Are you using AD? If so try with the Checkbox on for Use Directory Authentication, and then leave the username and password fields blank.

You can also try to just leave the username and password fields blank anyways, and see if that gets you through.

I know that we are on an EAP-FAST setup, so I have that set up in ours. It will generally auto-check to use PAC with all those boxes checked under it.

Good Luck!

Aziz
Valued Contributor

@qhle373

Yes we are using AD, sadly that fails and gives me the error "Authentication server is not responding".

qhle373
Contributor

Ah, I would check to make sure you have all of your network Certs in the config too. I saw that you have the Cisco one already. I've had to put 3 in ours because of our Aruba security. I've also added the Trusted Certificate Server names (duplicate names of the Trusted Certificates I have added in) to help along the process.

Aziz
Valued Contributor

@qhle373

I've added the Cisco ACS5 certificate with the payload, the rest of the certificates are already trusted in the System Keychain (still fails). I'll talk with our Windows Sysadmin to get AD Certificates to pull down using a configuration profile, hopefully that smooths things over. I'll contact JAMF support if that fails.

pat_best
Contributor III

I am currently using WPA2 Enterprise, PEAP, and machine authentication with a handoff to the user credentials at login. The only difference I see is that I use directory authentication and not a service account. I am assuming you want the wireless to hand off authentication to the user when they log in? I also use the domain controller certs as well as our wireless cert(s) in our deployed config profile. Just to throw this out there, is your test box bound to the domain? Which OS are you working on? I have very easy success with 10.7 - 10.9, but earlier versions of 10.10 were a pain.

Aziz
Valued Contributor

@pat.best

 I am assuming you want the wireless to hand off authentication to the user when they log in?

As in the end-user never gets prompted to enter Wi-Fi credentials? (iPads and Loaner Mac's)

Most of my tests were on OS X 10.10.3, I tried 10.9.5 which gave me the same results. And yes, all machines are bound to AD.

qhle373
Contributor

Even if it is trusted in their keychain already, you still need to add it into the configuration profile. It cannot pull a keychain item from a user that it has not authenticated yet. The config supplies that info to authentication server at that point.

Aziz
Valued Contributor

@qhle373

When I manually sign into the Wi-Fi on a Mac (plain fashion way), it only asks me to trust the Cisco certificate. I'll give it a shot and reply back tomorrow!

pat_best
Contributor III

To clarify, are AD users logging into the device? If so, do you want the typed login information to replace the machine authentication? That is the function of the "Use as a Login Window configuration" checkbox.

Lincoln
Contributor

Just to chime in a me too...

I recently got this working on a handful of machines using WPA2 Enterprise and PEAP and directory authentication. I set up a login window profile so that AD users could authenticate wirelessly. To get it working I had to add both the wireless cert and domain controller cert to the profile. Once that was done they just started working (most of the time).

Lincoln

Aziz
Valued Contributor

@pat.best

Yes, AD users are logging on. But I want the service account to be used throughout the session and not the user's information.

@Lincoln

I've added our CA and wireless cert, I still get the error "Authentication Server is not responding".

pat_best
Contributor III

Okay, so you will want to uncheck "Use as a login window configuration". You can use the AD service account or check the "use directory authentication" box. If you are using a service account I am pretty sure you don't need to specify the domain. Where I would go from here would be to dump all of the profiles from the test computer, remove any instance of your certs from all keychains, reboot, and edit your configuration profile to include any domain controller and wireless authentication certs as well as the other settings discussed. Here are some screen shots describing how I have it in my mind:
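The recurring advice in this thread (qhle373: the trusted certs must travel inside the profile, not just sit in a keychain; pat_best: uncheck the login window option for pure machine authentication and include the domain controller and wireless certs) can be checked mechanically before a profile is pushed. The following is an added example, not any poster's profile and not Jamf tooling: it builds a constructed computer-level PEAP profile with placeholder SSID, RADIUS server name, service account and certificate bytes, then lints it. Payload keys follow Apple's Configuration Profile Reference for the `com.apple.wifi.managed` and `com.apple.security.root` payloads; certificate expiry (Poseiden's question below) is not checked here and is better done with `openssl x509 -noout -dates` on the exported cert.

```python
"""Lint a macOS Wi-Fi (802.1X) configuration profile before deploying it.

Added example, not any poster's profile: SSID, server name, account and
certificate bytes are constructed placeholders. Payload keys follow Apple's
Configuration Profile Reference for com.apple.wifi.managed and
com.apple.security.root; certificate expiry is not checked here.
"""
import plistlib
import uuid

PEAP = 25  # EAP method numbers accepted in AcceptEAPTypes (13 = TLS, 43 = EAP-FAST)

# Placeholder DER bytes; a real profile carries the RADIUS server's CA chain.
FAKE_WIRELESS_CA = b"constructed placeholder, not a real certificate"
FAKE_DOMAIN_CA = b"constructed placeholder, not a real certificate"


def cert_payload(name, der):
    """Root-certificate payload of the kind a Certificate payload emits."""
    return {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"example.cert.{name}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadCertificateFileName": f"{name}.cer",
        "PayloadContent": der,
    }


def build_profile(machine_level=True, include_domain_ca=True,
                  allow_trust_exceptions=False):
    """Computer-level PEAP profile with a service account (all values constructed)."""
    wireless_ca = cert_payload("wireless-ca", FAKE_WIRELESS_CA)
    domain_ca = cert_payload("domain-ca", FAKE_DOMAIN_CA)
    eap = {
        "AcceptEAPTypes": [PEAP],
        "UserName": "svc-wifi@example.invalid",  # service account, placeholder
        "UserPassword": "placeholder",
        # Anchors name the CAs the supplicant may trust; they must be delivered
        # in this same profile, not merely sit in a user's keychain.
        "PayloadCertificateAnchorUUID": [wireless_ca["PayloadUUID"],
                                         domain_ca["PayloadUUID"]],
        "TLSTrustedServerNames": ["radius.example.invalid"],
        "TLSAllowTrustExceptions": allow_trust_exceptions,
    }
    wifi = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.wifi",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "SSID_STR": "Company SSID",
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": eap,
    }
    if machine_level:
        wifi["SetupModes"] = ["System"]  # authenticate before any user logs in
    payloads = [wifi, wireless_ca] + ([domain_ca] if include_domain_ca else [])
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": "example.wifi.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Company Wi-Fi (constructed example)",
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile)


def lint_profile(plist_bytes, require_machine_auth=True):
    """Return (code, message) findings; an empty list means nothing obvious is wrong."""
    profile = plistlib.loads(plist_bytes)
    payloads = profile.get("PayloadContent", [])
    delivered = {p["PayloadUUID"] for p in payloads
                 if p.get("PayloadType") == "com.apple.security.root"}
    findings = []
    for p in payloads:
        if p.get("PayloadType") != "com.apple.wifi.managed":
            continue
        eap = p.get("EAPClientConfiguration")
        if not eap:
            findings.append(("NO_EAP", "enterprise SSID without EAPClientConfiguration"))
            continue
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors:
            findings.append(("NO_ANCHOR", "no trusted CA: the server certificate cannot be validated"))
        for a in anchors:
            if a not in delivered:  # the case qhle373 describes: cert trusted elsewhere, absent here
                findings.append(("DANGLING_ANCHOR", f"anchor {a} is not a certificate payload in this profile"))
        if not eap.get("TLSTrustedServerNames"):
            findings.append(("NO_SERVER_NAMES", "TLSTrustedServerNames is empty; any cert under the anchor is accepted"))
        if eap.get("TLSAllowTrustExceptions"):
            findings.append(("TRUST_EXCEPTIONS", "TLSAllowTrustExceptions lets users click through an untrusted server"))
        if require_machine_auth:
            if "System" not in p.get("SetupModes", []):
                findings.append(("NO_SYSTEM_MODE", "SetupModes lacks System: the network only joins after a user logs in"))
            if not eap.get("UserName") and eap.get("SystemModeCredentialsSource") != "ActiveDirectory":
                findings.append(("NO_SYSTEM_CREDS", "no service account and no directory credentials for system mode"))
    return findings


if __name__ == "__main__":
    for finding in lint_profile(build_profile(machine_level=False, include_domain_ca=False,
                                              allow_trust_exceptions=True)):
        print(*finding)
```

`lint_profile` can be pointed at a `.mobileconfig` exported from Jamf (`plistlib.loads(open(path, "rb").read())`) after the profile has been unsigned; a signed profile is a CMS blob and must be stripped first with `security cms -D -i profile.mobileconfig`. The `DANGLING_ANCHOR` and `NO_SYSTEM_MODE` findings correspond to the two failure modes discussed above: a trusted CA that is not actually delivered with the payload, and a payload that only joins at the user level.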

Aziz
Valued Contributor

@pat.best

Tried some more things, the Payload only works at the User Level. Whenever I switch it to the Computer Level, it fails to authenticate.

Poseiden
New Contributor III

@Lincoln @pat.best

Odd question, would an expired wireless certificate be the reason this is failing?

I'm doing the same thing as @Abdiaziz and mine is failing.

Borrowed screenshots below

The SSID, which is hidden. WPA2 Enterprise and "use as login Window config".


PEAP, with a service account DomainService Account

Trusted the self-signed, EXPIRED certificate



pat_best
Contributor III

If you have an expired cert, your wireless will certainly fail. I am not on a work computer right now, so I am unable to cite an example, sorry.

Poseiden
New Contributor III

@pat.best

Thanks Pat. If you could link me to the article, I would like to pass it along to our network team!

pat_best
Contributor III

Here is a decent article: Google search "meraki common wireless radius configuration issues and troubleshooting"; step number one lists missing or expired certs. I would paste it, but my phone is not cooperating. Hope this helps!

pat_best
Contributor III

@Poseiden I am back at work and here are a couple links to help describe the process. Hope this helps!

Here is the link

and this article from Cisco

it-aofl
New Contributor

The above solution by @pat.best works for us in regard to forcing authentication; however, is it possible for the Active Directory user to log in to the wireless network utilizing their credentials without validating the certificate? Meaning...

Default behavior (without pushing the profile) on a Mac first has the user log in, then a dialog appears for the user to "trust" the certificate(s). For the sake of simplifying the process for the end user, it would be great if the latter dialog could be surpassed while still requiring login. Is that possible? Our Mac environment is 10.11.3.