Help

Setup WPA2 with User Certificates

Go to solution
cassielevett
New Contributor

Posted on β€Ž04-07-2016 09:15 AM

Hello!

I'm still a beginner at bash and have been struggling to find the commands I need to write a script.

The script needs to add a SSID to Preferred Network lists using WPA2 Enterprise with Mode: EAP-TLS and Identity: User Name. d6a49e698bc44a7ab391cfb91b2266e6

I can get the SSID on the list with WPA2 Enterprise using

networksetup -addpreferredwirelessnetworkatindex <device name> <network> <index> <security type>

What do I need to get Mode: EAP-TLS and select a certificate previously loaded in the Keychain with a standard format of "User Name" ?

0 Kudos
1 ACCEPTED SOLUTION

Go to solution
mm2270
Legendary Contributor II

Posted on β€Ž04-07-2016 12:32 PM

Hi @cassielevett You need to use the security set-identity-preference function for this. Its not the easiest thing to do. I only know because we also use a separate Identity (cert + private key) deployed down from a CMS server and needed to find a way to associate the SSID to that identity, that way when Wi-Fi was turned on and the SSID was selected by the end user they didn't need to go through the steps to get the cert and SSID associated. It would just connect (mostly). We also aren't using a Config Profile for this, so it made things a little more complicated.

Here's a snippet of the code we use.

security set-identity-preference -n -s "com.apple.network.eap.user.identity.wlan.ssid.<ssid_name>"
security set-identity-preference -c "$loggedInUser" -s "com.apple.network.eap.user.identity.wlan.ssid.<ssid_name>" /Users/$loggedInUser/Library/Keychains/login.keychain

The above is only a small portion of the script. You need to replace the <ssid_name> with the name of your SSID, and $loggedInUser is also captured separately in the script and is of course, the current logged in username.

Hopefully that helps get you on the right track.

View solution in original post

0 Kudos
7 REPLIES 7

Go to solution
gabriel_martine
New Contributor III

Posted on β€Ž04-07-2016 11:10 AM

We are using a config profile with a network payload. It specifies the SSID, EAP/TLS, and to use the AD certificate. In the username field I am using $Username

0 Kudos

Go to solution
cassielevett
New Contributor

Posted on β€Ž04-07-2016 12:12 PM

Appreciate the reply. Are using machine certs instead of user certs?

You can only pick the AD option on the Network area if you have the AD Certificate option on. The AD Certificate for user certs have to have user name and password but this option isn't viable for us as we have hundreds of users. We prompt the person for credentials. When you prompt user for credentials it can't be pushed but has to be downloaded. Built in JAMF options do not appear to be an option for User Certs.

0 Kudos

Go to solution
mm2270
Legendary Contributor II

Posted on β€Ž04-07-2016 12:32 PM

Hi @cassielevett You need to use the security set-identity-preference function for this. Its not the easiest thing to do. I only know because we also use a separate Identity (cert + private key) deployed down from a CMS server and needed to find a way to associate the SSID to that identity, that way when Wi-Fi was turned on and the SSID was selected by the end user they didn't need to go through the steps to get the cert and SSID associated. It would just connect (mostly). We also aren't using a Config Profile for this, so it made things a little more complicated.

Here's a snippet of the code we use.

security set-identity-preference -n -s "com.apple.network.eap.user.identity.wlan.ssid.<ssid_name>"
security set-identity-preference -c "$loggedInUser" -s "com.apple.network.eap.user.identity.wlan.ssid.<ssid_name>" /Users/$loggedInUser/Library/Keychains/login.keychain

The above is only a small portion of the script. You need to replace the <ssid_name> with the name of your SSID, and $loggedInUser is also captured separately in the script and is of course, the current logged in username.

Hopefully that helps get you on the right track.

0 Kudos

Go to solution
cassielevett
New Contributor

Posted on β€Ž04-07-2016 01:04 PM

That worked perfect for what I was trying to do! I'm super excited to go flesh out the script now. Thanks mm2270!

0 Kudos

Go to solution
Nix4Life
Valued Contributor

Posted on β€Ž04-08-2016 05:17 PM

@cassielevett could you post a sanitized version of your script once completed

Thanks

Larry

0 Kudos

Go to solution
yurypanasyuk
New Contributor III

Posted on β€Ž04-12-2017 01:44 PM

@cassielevett

I am looking into doing something very similar to what you did. Could you share what you got working?

0 Kudos

Go to solution
Gonzalez
New Contributor III

Posted on β€Ž12-19-2018 04:29 PM

@mm2270 Have you had to update your script to allow the security preference to be written to the login keychain in 10.13.x or greater. Regardless of using sudo -iu; or launchctl asuser; there has been little success in writing to the login keychain. Writing to the system keychain is not a problem and works but it bugs me since that preference should be in the login keychain.

0 Kudos
Jamf helps organizations succeed with Apple. By enabling IT to empower end users, we bring the legendary Apple experience to businesses, education and government organizations. Learn about Jamf.