Solved

Setup WPA2 with User Certificates



Hello!

I'm still a beginner at bash and have been struggling to find the commands I need to write a script.

The script needs to add an SSID to the Preferred Networks list using WPA2 Enterprise with Mode: EAP-TLS and Identity: User Name.

I can get the SSID on the list with WPA2 Enterprise using

networksetup -addpreferredwirelessnetworkatindex <device name> <network> <index> <security type>

What do I need to get Mode: EAP-TLS and select a certificate previously loaded in the Keychain with a standard format of "User Name"?

Best answer by mm2270


7 replies


We are using a config profile with a network payload. It specifies the SSID, EAP/TLS, and to use the AD certificate. In the username field I am using $Username


  • Author
  • New Contributor
  • 9 replies
  • April 7, 2016

Appreciate the reply. Are you using machine certs instead of user certs?

You can only pick the AD option in the Network area if you have the AD Certificate option on. The AD Certificate for user certs has to have a user name and password, but this option isn't viable for us as we have hundreds of users. We prompt the person for credentials. When you prompt a user for credentials it can't be pushed but has to be downloaded. Built-in JAMF options do not appear to be an option for user certs.


mm2270
  • Legendary Contributor
  • 7880 replies
  • Answer
  • April 7, 2016

Hi @cassielevett You need to use the security set-identity-preference function for this. It's not the easiest thing to do. I only know because we also use a separate Identity (cert + private key) deployed down from a CMS server and needed to find a way to associate the SSID to that identity, that way when Wi-Fi was turned on and the SSID was selected by the end user they didn't need to go through the steps to get the cert and SSID associated. It would just connect (mostly). We also aren't using a Config Profile for this, so it made things a little more complicated.

Here's a snippet of the code we use.

# Clear any identity currently associated with this SSID's EAP service name
security set-identity-preference -n -s "com.apple.network.eap.user.identity.wlan.ssid.<ssid_name>"
# Associate the identity whose common name is the logged-in user's name with the SSID, in the user's login keychain
security set-identity-preference -c "$loggedInUser" -s "com.apple.network.eap.user.identity.wlan.ssid.<ssid_name>" "/Users/$loggedInUser/Library/Keychains/login.keychain"

The above is only a small portion of the script. You need to replace the <ssid_name> with the name of your SSID, and $loggedInUser is also captured separately in the script and is, of course, the currently logged-in username.

Hopefully that helps get you on the right track.
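As an added example (not code from mm2270's script or from any poster here), the following puts the two commands from this thread together: it adds the SSID as WPA2 Enterprise with networksetup, checks that an EAP-capable identity whose common name matches the user is actually present in the login keychain before touching preferences, clears and sets the identity preference, and reads it back. It assumes it runs as root from a management tool, that the identity was already deployed to the login keychain, that the certificate's common name equals the short username, and that running security under launchctl asuser plus sudo -u is enough to target the user's keychain (the last reply in this thread reports trouble with exactly that on 10.13+). The SSID "Corp-WiFi" in the usage comment is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Associates a keychain identity with an
# EAP-TLS SSID so the user is not prompted to pick a certificate.
set -eu

# Build the service name eapolclient looks up for a given SSID
# (the name used in the set-identity-preference calls above).
eap_service_name() {
    printf 'com.apple.network.eap.user.identity.wlan.ssid.%s\n' "$1"
}

# Reject SSIDs outside the 1..32 byte range 802.11 allows before they are
# embedded in a keychain service name. Returns 0 when acceptable.
valid_ssid() {
    len=${#1}
    [ "$len" -ge 1 ] && [ "$len" -le 32 ]
}

# Short name of the console user (macOS-specific stat syntax).
console_user() { stat -f%Su /dev/console; }

# Run a command in the console user's session so `security` addresses that
# user's login keychain rather than root's. Assumption: this is sufficient.
as_console_user() {
    user="$1"; shift
    uid=$(id -u "$user")
    launchctl asuser "$uid" sudo -u "$user" "$@"
}

# device: e.g. en0; ssid: network name; index: position in preferred list.
configure_ssid() {
    device="$1"; ssid="$2"; index="$3"; user="$4"
    valid_ssid "$ssid" || { echo "invalid SSID: '$ssid'" >&2; return 1; }
    service=$(eap_service_name "$ssid")
    keychain="/Users/$user/Library/Keychains/login.keychain"

    # 1. Add the SSID to the preferred list as WPA2 Enterprise.
    networksetup -addpreferredwirelessnetworkatindex "$device" "$ssid" "$index" WPA2E

    # 2. Refuse to proceed unless an identity valid for the EAP policy and
    #    named after the user is present; otherwise the preference would
    #    point at nothing and the user would still be prompted.
    if ! as_console_user "$user" security find-identity -v -p eap "$keychain" \
            | grep -q "\"$user\""; then
        echo "no EAP identity for '$user' in $keychain" >&2
        return 1
    fi

    # 3. Clear any stale association, then bind the user's identity to the SSID.
    as_console_user "$user" security set-identity-preference -n -s "$service" "$keychain"
    as_console_user "$user" security set-identity-preference -c "$user" -s "$service" "$keychain"

    # 4. Read the preference back so the policy log shows what was bound.
    as_console_user "$user" security get-identity-preference -s "$service" -c
}

# Usage (on a Mac, as root): sh ./eap_identity.sh en0 Corp-WiFi 0
# With no arguments only the functions are defined.
if [ "$#" -eq 3 ]; then
    configure_ssid "$1" "$2" "$3" "$(console_user)"
fi
```

The find-identity check in step 2 is the part worth keeping even if the rest is adapted: set-identity-preference will happily record a preference for a name that matches no identity, and the symptom is the same certificate prompt the script was meant to remove.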


  • Author
  • New Contributor
  • 9 replies
  • April 7, 2016

That worked perfect for what I was trying to do! I'm super excited to go flesh out the script now. Thanks mm2270!


  • Honored Contributor
  • 550 replies
  • April 9, 2016

@cassielevett could you post a sanitized version of your script once completed?

Thanks

Larry


  • Contributor
  • 25 replies
  • April 12, 2017

@cassielevett

I am looking into doing something very similar to what you did. Could you share what you got working?


  • Contributor
  • 19 replies
  • December 20, 2018

@mm2270 Have you had to update your script to allow the security preference to be written to the login keychain in 10.13.x or greater? Regardless of using sudo -iu or launchctl asuser, there has been little success in writing to the login keychain. Writing to the system keychain is not a problem and works, but it bugs me since that preference should be in the login keychain.



