Setup WPA2 with User Certificates

cassielevett
New Contributor

Hello!

I'm still a beginner at bash and have been struggling to find the commands I need to write a script.

The script needs to add an SSID to Preferred Network lists using WPA2 Enterprise with Mode: EAP-TLS and Identity: User Name.

I can get the SSID on the list with WPA2 Enterprise using

networksetup -addpreferredwirelessnetworkatindex <device name> <network> <index> <security type>

What do I need to get Mode: EAP-TLS and select a certificate previously loaded in the Keychain with a standard format of "User Name" ?

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor III

Hi @cassielevett You need to use the security set-identity-preference function for this. It's not the easiest thing to do. I only know because we also use a separate Identity (cert + private key) deployed down from a CMS server and needed to find a way to associate the SSID to that identity, that way when Wi-Fi was turned on and the SSID was selected by the end user they didn't need to go through the steps to get the cert and SSID associated. It would just connect (mostly). We also aren't using a Config Profile for this, so it made things a little more complicated.

Here's a snippet of the code we use.

security set-identity-preference -n -s "com.apple.network.eap.user.identity.wlan.ssid.<ssid_name>"
security set-identity-preference -c "$loggedInUser" -s "com.apple.network.eap.user.identity.wlan.ssid.<ssid_name>" /Users/$loggedInUser/Library/Keychains/login.keychain

The above is only a small portion of the script. You need to replace the <ssid_name> with the name of your SSID, and $loggedInUser is also captured separately in the script and is, of course, the currently logged-in username.

Hopefully that helps get you on the right track.
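The procedure above (add the SSID with networksetup, then bind the keychain identity to the SSID's EAP service with security set-identity-preference) as one small script. This is an added example, not code from this thread or from mm2270's script; the interface name, SSID and the rule that the certificate's common name equals the user's short name are assumptions, and the console-user check is added so the preference never lands in root's or the login window's keychain when the script runs from a policy as root.

```shell
#!/bin/bash
# Added example (hypothetical names): bind an EAP-TLS identity to an SSID
# on macOS. Assumes the user certificate's CN is the user's short name and
# that the script runs as root (e.g. from a Jamf policy).
set -eu

# The per-SSID service name macOS looks up for the EAP user identity.
eap_service_name() {
    printf 'com.apple.network.eap.user.identity.wlan.ssid.%s' "$1"
}

# Reject pseudo-users so we never write a preference into root's or the
# login window's keychain; returns 0 only for a usable account name.
is_real_console_user() {
    case "$1" in
        ''|root|loginwindow|_mbsetupuser) return 1 ;;
        *) return 0 ;;
    esac
}

# Owner of /dev/console is the GUI user (macOS only; BSD form of stat).
console_user() {
    stat -f '%Su' /dev/console
}

# Add the SSID at the top of the preferred list with WPA2 Enterprise, then
# bind the identity whose certificate CN equals the user's short name to
# that SSID's EAP service, inside the user's login keychain.
configure_eap_tls_ssid() {
    device=$1; ssid=$2; user=$3
    svc=$(eap_service_name "$ssid")
    keychain="/Users/$user/Library/Keychains/login.keychain"

    is_real_console_user "$user" || { echo "no console user logged in" >&2; return 1; }
    # Sierra and later name the file login.keychain-db
    [ -f "$keychain" ] || keychain="${keychain}-db"

    networksetup -addpreferredwirelessnetworkatindex "$device" "$ssid" 0 WPA2E

    # Clear any stale preference, then set the new one; both run as the user
    # so the entry goes to the login keychain rather than the System keychain.
    sudo -u "$user" security set-identity-preference -n -s "$svc" || true
    sudo -u "$user" security set-identity-preference -c "$user" -s "$svc" "$keychain"

    # Verify the binding exists before reporting success.
    sudo -u "$user" security get-identity-preference -s "$svc" >/dev/null
}

# Usage (as root, from a policy):
#   configure_eap_tls_ssid en0 "CorpWiFi" "$(console_user)"
```

The user check matters because a policy running at login or with no one at the console would otherwise write the preference as root; later in this thread Gonzalez reports that writing to the login keychain this way is unreliable on 10.13 and newer, so the final get-identity-preference step is what tells you whether the binding actually took.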

gabriel_martine
New Contributor III

We are using a config profile with a network payload. It specifies the SSID, EAP/TLS, and to use the AD certificate. In the username field I am using $Username

cassielevett
New Contributor

Appreciate the reply. Are you using machine certs instead of user certs?

You can only pick the AD option on the Network area if you have the AD Certificate option on. The AD Certificate for user certs has to have user name and password, but this option isn't viable for us as we have hundreds of users. We prompt the person for credentials. When you prompt the user for credentials it can't be pushed but has to be downloaded. Built-in JAMF options do not appear to be an option for User Certs.

cassielevett
New Contributor

That worked perfectly for what I was trying to do! I'm super excited to go flesh out the script now. Thanks mm2270!

Nix4Life
Valued Contributor

@cassielevett could you post a sanitized version of your script once completed?

Thanks

Larry

yurypanasyuk
New Contributor III

@cassielevett

I am looking into doing something very similar to what you did. Could you share what you got working?

Gonzalez
New Contributor III

@mm2270 Have you had to update your script to allow the security preference to be written to the login keychain in 10.13.x or greater? Regardless of using sudo -iu or launchctl asuser, there has been little success in writing to the login keychain. Writing to the system keychain is not a problem and works, but it bugs me since that preference should be in the login keychain.