Trusting an intermediary cert

tuinte
Contributor III

Good day all:

We're rolling out 802.1x. I have the root CA and an intermediary cert. Both uploaded to a Jamf config profile.

Both certs are installed on scoped machines, the root one Always Trusted, the intermediary showing as issued by our CA and valid, using system defaults for trust settings (all items set to "no value specified").

My understanding is that that's what it all should look like. But when I connect to wireless, I get a "Verify Certificate" prompt for the intermediary after successfully authing with user creds. "Authenticating to network <network name>. You should examine the server's certificate to ensure that it is appropriate for this network."

Trusting the cert has it connect fine, but I'm hoping to get rid of that prompt.

What am I missing?

Thanks in advance for any help.

1 REPLY

tuinte
Contributor III

Well, adding a Network payload to the config profile with the SSID and protocol has solved that.

But!

We’re using PEAP but with unbound machines, so can’t leverage the directory credentials option in the payload. Leaving username/pw fields blank still lets me push the profile, but when attempting to connect via the menu bar, I get a “Cannot join” alert. Curiously, if I try and connect to 802.1x via the Network pref pane, this DOES give the credential prompt and everything works. Further, once those creds are saved, connecting from menu bar works fine.

I’d rather not have to direct users to the pref pane to connect.

Anyone else seeing similar? This an Apple 802.1x bug? Why would connecting via pref pane be any different than the menu bar? (Should note: Only works when clicking the 802.1x Connect button in the pref pane - selecting the SSID in the drop down in the pref pane does the same as the menu bar).

Thanks for any help.
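
A check for the kind of profile described in the reply above, as an added example that is not part of the original thread: it reads a `.mobileconfig` and reports whether the Wi-Fi payload ties 802.1X server trust to certificate payloads in the same profile. The payload keys are Apple's Wi-Fi payload keys; the SSID, UUIDs and server name are constructed, and that these trust settings are what the Jamf Network payload supplied to suppress the prompt is an assumption.

```python
import plistlib

PEAP = 25  # EAP method number for PEAP, as listed in AcceptEAPTypes
CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1"}
WIFI_TYPE = "com.apple.wifi.managed"

def check_wifi_trust(profile_bytes):
    """Return findings about 802.1X server trust in a .mobileconfig."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    cert_uuids = {p.get("PayloadUUID") for p in payloads
                  if p.get("PayloadType") in CERT_TYPES}
    wifi = [p for p in payloads if p.get("PayloadType") == WIFI_TYPE]
    if not wifi:
        return ["no Wi-Fi payload: certificates are installed but not tied to an SSID"]
    findings = []
    for p in wifi:
        ssid = p.get("SSID_STR", "<no SSID>")
        eap = p.get("EAPClientConfiguration")
        if eap is None:
            findings.append(f"{ssid}: no EAPClientConfiguration, not an 802.1X network")
            continue
        if PEAP not in eap.get("AcceptEAPTypes", []):
            findings.append(f"{ssid}: PEAP is not an accepted EAP type")
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors:
            findings.append(f"{ssid}: no certificate payload selected as trust anchor")
        for uuid in anchors:
            if uuid not in cert_uuids:
                findings.append(f"{ssid}: anchor {uuid} is not a certificate in this profile")
        if not eap.get("TLSTrustedServerNames"):
            findings.append(f"{ssid}: no trusted RADIUS server names listed")
    return findings

def sample_profile(with_wifi=True, with_trust=True):
    """Constructed profile: root + intermediate certs, optional Wi-Fi payload."""
    certs = [{"PayloadType": "com.apple.security.root", "PayloadUUID": "CONSTRUCTED-ROOT",
              "PayloadContent": b"placeholder, not a real certificate"},
             {"PayloadType": "com.apple.security.pkcs1", "PayloadUUID": "CONSTRUCTED-INTERMEDIATE",
              "PayloadContent": b"placeholder, not a real certificate"}]
    eap = {"AcceptEAPTypes": [PEAP]}
    if with_trust:
        eap["PayloadCertificateAnchorUUID"] = ["CONSTRUCTED-ROOT", "CONSTRUCTED-INTERMEDIATE"]
        eap["TLSTrustedServerNames"] = ["radius.example.com"]
    wifi = {"PayloadType": WIFI_TYPE, "SSID_STR": "ExampleCorp",
            "EncryptionType": "WPA2", "EAPClientConfiguration": eap}
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": certs + ([wifi] if with_wifi else [])})

if __name__ == "__main__":
    for args in [(False, False), (True, False), (True, True)]:
        print(args, check_wifi_trust(sample_profile(*args)) or "ok")
```

The three sample runs correspond to a certificates-only profile, a Wi-Fi payload with no trust settings, and a Wi-Fi payload that names both certificates and a server name.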