Posted on 08-20-2018 12:07 PM
I mostly have the NAC set up. It works except that it prompts the user for the correct certificate to pick. See attached screenshot. Is there something I am missing to get this set up? If I pick the computer certificate it works fine, until the next time it connects. I would like to make it seamless for the users.
Posted on 08-20-2018 12:38 PM
man security
Specifically you may need to run something like:
/usr/bin/security set-identity-preference -c "<certificate_common_name>" -s "<service_name>"
Where <service_name> is usually something like com.apple.network.eap.user.identity.wlan.ssid.<SSIDNAME>
but it may be different for your setup. You mention a computer certificate, not a user one, so the format may look different than the above.
Look in your keychain to see what it creates when you choose the proper certificate. If you get prompted with a message when connecting that asks for access to an item in the keychain, be sure to click the Always Allow or Allow button, depending on which one shows up. This creates that identity preference in the keychain.
See if any of the above helps.
If you're wondering if there's a way to do this entirely with a profile, I honestly don't know. I don't believe so, but Apple may now have a config payload that allows for creating these. I just don't know the specifics if so, but someone else may be able to clarify that.
Posted on 08-20-2018 12:57 PM
Wired 802.1x has lots of issues on macOS. To get it to connect automatically, you need to make sure that the config profile you use to configure the Ethernet interface (FirstActiveEthernet) also has your AD cert as part of the profile payload (we have one profile for AD cert/WiFi/wired all in one) and that the PayloadCertificateUUID is referenced. The Ethernet adapter must also be plugged into the system when the profile is installed since the identity will bind to that adapter type. You cannot plug in a different type of adapter later or else it will wait for you to click the Connect button and choose the cert.
There are other requirements, like autojoin needs to be "true" and it has to be a system-level profile.
Apple implemented this terribly, and until more enterprises start using 802.1x on the wire and complain about it, I doubt we'll see much improvement. It's been like this for many years. I can't even explain how it works properly because it's so convoluted.