SCEP on OSX to join Wi-Fi

RDub
New Contributor

My goal is to leverage JamfPro to deploy certificates to the MacBooks in my environment, and then use those certificates to authenticate onto the corporate Wi-Fi network. One caveat here is that the MacBooks are not bound to Active Directory.

Working toward my goal, I've done the following:
1. Set up a Network Policy Server to function as a RADIUS server for my wireless access points
2. Set up a root certificate authority, along with an NDES server that functions as a subordinate CA capable of issuing SCEP certificates
3. Built a JamfPro profile that results in a MacBook being issued, and then installing, a SCEP certificate

So I have the SCEP certificate in place on the OSX laptop, but I'm not sure how to configure the NPS/RADIUS server to trust that certificate and allow the laptop onto the Wi-Fi. The documentation I've found so far (usually related to iOS) seems to indicate that I need to create an AD user for every laptop, which (for me) defeats the point of not joining the laptop to the domain. Is there a way to get around the need to create unique AD accounts for each machine connecting to the Wi-Fi? Certificate-based Wi-Fi access is really new to me, so I'd welcome any feedback or suggestions on how to accomplish this. Thanks!

5 REPLIES

PatrickD
Contributor II

Hi @RDub,

We just implemented this; however, we are not doing computer auth to RADIUS but instead are doing user auth by entering $USERNAME into the SCEP config profile. The profile is user level (the account name on the Mac must match that of AD, i.e. first.last).

User level relies on user-level MDM being enabled. You can only have one MDM-capable "local" user per machine. Do this by running:

# remove the existing (computer-level) MDM profile, then re-enroll with user-level MDM for the current user
sudo jamf removeMdmProfile
sudo jamf mdm -userLevelMdm

Let me know if you need help with scripting the account name change and userLevelMdm.

Please note this means there is no Wi-Fi at the login screen, as the SCEP cert will be installed at user level (login keychain).

Have a look at our config profile. I altered server names for security, but this should be what you need.
Unfortunately, I can't really help with NDES config.

Pat

[Attachment: screenshot of the SCEP/Wi-Fi configuration profile referenced above]

PatrickD
Contributor II

Oh and BTW we don't really share our laptops so that is why this works for us.

RDub
New Contributor

@PatrickD, thanks for this! We are trying it out now. Can you share any details on how your RADIUS policy is configured? I think I have the NDES stuff mostly figured out, but I think my disconnect is around getting the RADIUS policy to accept what the laptop client is sending.

RDub
New Contributor

@PatrickD, how did you scope this? Since it's a user-level profile, do we scope it to specific users, or do we still scope it to specific computers? We usually scope based on computers rather than users, and for whatever reason, this profile is getting stuck on "pending".

PatrickD
Contributor II

@RDub

We just scope to specific computers. It still comes down to whether there is an MDM-enabled user associated with it. Check the General tab of the computer inventory and make sure it lists the MDM-capable users there. Otherwise, the command I mentioned before didn't work.

For the RADIUS config, I'm not too sure; I wasn't involved with that. I do know that RADIUS looks for the AD username in the SCEP cert, and that's why we use the $USERNAME variable. But as I said, just make sure the account name on the Mac matches AD exactly.
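The two points PatrickD makes above (the SCEP cert carries $USERNAME, and the Mac account name must match the AD account name exactly, or RADIUS will not find the user) are easy to verify on the client before touching NPS. The script below is an added example and is not from the original thread or Jamf; it constructs three sample certificates with openssl in place of a real SCEP-issued one (a matching cert, one whose CN is the display name rather than first.last, and one carrying the IP security IKE intermediate EKU that the default NDES template issues instead of Client Authentication) and then checks each the way NPS will: subject name matches the account, and the EKU includes Client Authentication, which NPS requires for EAP-TLS. The account name, UPN domain and file paths are assumptions; on a real Mac you would export the issued cert from the login keychain with `security find-certificate -c "first.last" -p ~/Library/Keychains/login.keychain-db` and feed that PEM to check_cert_for_account instead.

```shell
#!/bin/sh
# Added example, not from the original thread or Jamf. Assumes openssl on PATH.
# Sample certificates are constructed here to stand in for the SCEP-issued cert.
set -e

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# Build a self-signed cert shaped like the SCEP profile's: CN from $USERNAME,
# the AD UPN in the SAN (what NPS maps to an account), and a chosen EKU.
make_sample_cert() {
  cn="$1"; upn="$2"; eku="$3"; out="$4"
  cat > "$out.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $cn
[ext]
subjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:$upn
extendedKeyUsage = $eku
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$out.key" -out "$out" -config "$out.cnf" 2>/dev/null
}

# Subject CN of a PEM certificate. RFC 2253 output avoids "CN = x" spacing
# differences between openssl versions.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# True when the EKU extension lists TLS Web Client Authentication
# (1.3.6.1.5.5.7.3.2), which NPS requires on an EAP-TLS client cert.
cert_has_client_auth() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'X509v3 Extended Key Usage' \
    | grep -q 'TLS Web Client Authentication'
}

# Returns 0 only if the CN equals the account name and client auth is allowed.
check_cert_for_account() {
  cert="$1"; account="$2"
  cn="$(cert_cn "$cert")"
  if [ "$cn" != "$account" ]; then
    echo "FAIL: CN '$cn' does not match account '$account'"
    return 1
  fi
  if ! cert_has_client_auth "$cert"; then
    echo "FAIL: certificate lacks the Client Authentication EKU"
    return 1
  fi
  echo "OK: '$cn' matches account and has Client Authentication EKU"
  return 0
}

# Constructed samples (assumed account first.last in assumed domain corp.example).
GOOD_CERT="$WORKDIR/good.pem"
NAME_MISMATCH_CERT="$WORKDIR/mismatch.pem"
WRONG_EKU_CERT="$WORKDIR/wrongeku.pem"
make_sample_cert "first.last" "first.last@corp.example" clientAuth "$GOOD_CERT"
make_sample_cert "First Last" "first.last@corp.example" clientAuth "$NAME_MISMATCH_CERT"
# 1.3.6.1.5.5.8.2.2 = IP security IKE intermediate, the default NDES template's EKU
make_sample_cert "first.last" "first.last@corp.example" 1.3.6.1.5.5.8.2.2 "$WRONG_EKU_CERT"

check_cert_for_account "$GOOD_CERT" "first.last"
check_cert_for_account "$NAME_MISMATCH_CERT" "first.last" || true
check_cert_for_account "$WRONG_EKU_CERT" "first.last" || true
```

The second sample reproduces the failure the thread warns about (a Mac account named "First Last" while AD has first.last); the third is the other common reason NPS rejects an NDES-issued cert, and is fixed on the NDES side by pointing it at a template that includes the Client Authentication purpose rather than on the Mac.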