My goal is to leverage JamfPro to deploy certificates to the MacBooks in my environment, and then use those certificates to authenticate onto the corporate Wi-Fi network. One caveat here is that the MacBooks are not bound to Active Directory.
Working toward my goal, I've done the following:
1. Set up a Network Policy Server to function as a RADIUS server for my wireless access points
2. Set up a root certificate authority, along with an NDES server that functions as a subordinate CA capable of issuing SCEP certificates
3. Built a JamfPro profile that results in a MacBook being issued and then installing a SCEP certificate.
So I have the SCEP certificate in place on the OS X laptop, but I'm not sure how to configure the NPS/RADIUS server to trust that certificate and allow the laptop onto the Wi-Fi. The documentation I've found so far (usually related to iOS) seems to indicate that I need to create an AD user for every laptop, which (for me) defeats the point of not joining the laptop to the domain. Is there a way to get around the need to create unique AD accounts for each machine connecting to the Wi-Fi? Certificate-based Wi-Fi access is really new to me, so I'd welcome any feedback or suggestions on how to accomplish this. Thanks!
We just implemented this; however, we are not doing computer auth to RADIUS but instead user auth, by entering $Username into the SCEP config profile. The profile is user level (the account name on the Mac must match that of AD, i.e. first.last).
User level relies on user-level MDM being enabled. You can only have one MDM-capable "local" user per machine. Do this by running
sudo jamf -removeMdmProfile
sudo jamf mdm -userLevelMdm
Let me know if you need help with scripting the account name change and userLevelMdm.
Please note this means there is no Wi-Fi at the login screen, as the SCEP cert will be installed at user level (login keychain).
Have a look at our Config Profile, I altered server names for security but this should be what you need.
Unfortunately I can't really help with NDES config.
We just scope to specific computers. It still comes down to whether there is an MDM-enabled user associated with it. Check the General tab of the computer inventory and make sure it lists the MDM-capable users there. Otherwise the command I mentioned before didn't work.
For RADIUS config, I'm not too sure; I wasn't involved with that. I do know that RADIUS looks for the AD username in the SCEP cert, and that's why we use the $USERNAME variable, but as I said, just make sure the account name on the Mac matches AD exactly.
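As an added check (not code from the thread or from Jamf), a script for the "account name on the Mac must match AD" requirement above: it pulls the CN that the user-level SCEP profile placed in the certificate and compares it with the console user's short name. The keychain label "SCEP" and the login keychain path are assumptions; change them to match your profile.

```bash
#!/bin/bash
# Added example: verify the SCEP cert identity matches the local short name.

# Extract the CN from an `openssl x509 -subject -nameopt RFC2253` line.
# Pure text processing, so it works anywhere (RFC2253 prints CN first).
cn_from_subject() {
    # Constructed sample input: subject=CN=first.last,OU=Users,DC=corp,DC=example
    printf '%s\n' "$1" | sed -n 's/^subject=.*CN=\([^,]*\).*$/\1/p'
}

# The thread's rule: the cert CN must equal the Mac account name exactly.
# Returns 0 on match, 1 on mismatch or when no CN was found.
identity_matches() {
    local cert_cn="$1" local_user="$2"
    [ -n "$cert_cn" ] && [ "$cert_cn" = "$local_user" ]
}

# macOS-only wrapper: console user plus the first matching cert in the
# login keychain (security(1) and openssl ship with macOS). The label
# argument is a placeholder for whatever name your SCEP profile uses.
check_console_user() {
    local cert_label="${1:-SCEP}" user subject cn
    user="$(stat -f%Su /dev/console)"
    subject="$(security find-certificate -c "$cert_label" -p \
        "$HOME/Library/Keychains/login.keychain-db" \
        | openssl x509 -noout -subject -nameopt RFC2253)"
    cn="$(cn_from_subject "$subject")"
    if identity_matches "$cn" "$user"; then
        echo "OK: cert CN '$cn' matches console user '$user'"
    else
        echo "MISMATCH: cert CN '$cn' vs console user '$user'" >&2
        return 1
    fi
}

# Only run the keychain lookup on a Mac; the helpers above are portable.
if [ "$(uname)" = "Darwin" ]; then
    check_console_user "SCEP"
fi
```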