Posted on 12-12-2019 07:24 AM
I've poked around Nation a bit, but haven't seen anyone with this exact problem. Trying to connect to our 802.1x wireless network in Jamf Connect's "Network Connection" dialog with no luck. Entering network credentials does nothing, and no feedback is given from the dialog.
All other devices (Windows machines, phones, etc) connect to this network by initially authenticating with domain credentials (even devices not joined to domain). The Apple OSX devices using Connect are not domain bound.
I'm guessing this may be an issue of pushing out correct certs with Jamf Pro. If so, I'm exactly sure on what certs are needed, and in which manner they should be pushed to machines.
Posted on 12-12-2019 07:27 AM
We're using JCL with 802.1x successfully but it is with device cert auth and user credentials are not involved.
Device certs are deployed from our AD CA with a SCEP payload via Jamf.
Posted on 12-12-2019 07:33 AM
Thanks, Shane! Would you mind sharing some of your config? Appreciate it!
Posted on 12-12-2019 10:33 AM
Here are some screenshots of our network and SCEP payloads.
We have a profile specific for the WiFi and associated cert.
There are only 2 payloads:
First create the SCEP payload. We have to use never reissue because it adds the profile ID to common name and our devices get rejected by the network controller. It's worth trying to get it working with renewal if possible.
Then create the network payload
As seen in the final screenshot, the Identity Certificate is the SCEP cert defined within this profile.
Posted on 11-02-2021 07:43 AM
This worked for pushing out SCEP profile, however still unable to join from the login window. 😞 Any advice would be much appreciated.
Posted on 12-12-2019 10:50 AM
Thanks so much! I'll chew on this for a while.
Posted on 03-03-2021 09:38 AM
@Shane @nwsbear I tried to setup a SCEP profile in my DEV environment, however, I find that the profile just says pending for the computer I have it scoped to. Can't seem to get past that point. Have either of you ran into that? I should note that I have a separate config profile our our network configuration.
Posted on 03-08-2021 02:29 PM
@Shane Would you have suggestions on how to make this work with SCEP, using PEAP? Our network setup requires users to use cert + credentials. I have not found a solution with that type of setup and JAMF Support has only led to dead ends.
Posted on 01-11-2023 10:58 AM
My environment is the same as yours. Were you able to find a solution to this problem?
Posted on 03-08-2021 03:47 PM
@aassefa2 - PEAP will not work with Jamf Connect. The cert would be located in the user's account keychain, but you need the network to authenticate the user, but you need the user to authenticate to get on the network, but you need the network to...
Posted on 03-08-2021 04:27 PM
I find that the profile just says pending for the computer I have it scoped to. Can't seem to get past that point
Check the IIS logs and Event Viewer on the SCEP Server/Proxy endpoint
We've found that if a profile gets stuck in pending for us its either been:
A authentication issue, the service account stops working and we were seeing 401 errors in the IIS logs
Check the NDES password cache. We were running into a issue with profiles stuck in pending and started seeing a error event viewer/logs on the server a error complaining about the password cache being full:
The password cache is full. Network Device Enrollment Service stores unused password for later use. By default, passwords are stored for 60 minutes. Use one of the existing passwords. If you cannot use an existing password: Wait until one or more existing passwords expire (by default passwords expire 60 minutes after they are created). Restart Internet Information Services (IIS).
We followed some instructions on increasing the cache value from the default of 5 (some online resources say to set it to 50% of your device count) and it seems to have helped (in our particular case)
Some resources on increasing the password cache If this indeed is the problem you are having: Here and here
It's unfortunate that even in debug mode the JAMF server log just doesn't provide enough info on whats happening with the SCEP process when it's failing.
In saying the above, . This was just how we solved the "Stuck in pending issue"
Hopefully theres some info that might help. Good luck.
Posted on 02-08-2023 05:35 AM
Thank you, it was the password cache being full. We increased that number and the pending thing went away. We have a user and machine cert being generated now. We had to setup a second NDES for the user cert because we needed a unique OID for the cert. We are using this for our vpn Global Protect so it selects the correct user cert automatically rather than having the user manually pick one since there are multiple certs.
The only problem we have now is the unique OID is malformed so Global Protect can't read it and doesn't select it. We have a meeting with Jamf on this.
Posted on 11-03-2022 09:20 PM
i have done with SCEP and mac is getting machine certificate but still unable to authenticate at login windows .
Pls let me know if anyone has fix for it
Posted on 01-11-2023 11:12 AM
Posted on 01-12-2023 06:58 AM
I solved the 802.1x problem. You can contact me here to find out how to solve the problem.
Posted on 01-31-2023 04:22 PM
Please share the solution.
Posted on 02-08-2023 05:25 AM
Please can you post it here as we have the same thing
Posted on 02-08-2023 01:05 PM
We use Aruba brand Access Points in our WIFI network. 802.1x is used to connect to the network through these products and we include users in the network by verifying with a certificate. At this stage, identity and certificate verification is done with an application called ClearPass. The ClearPass application also serves as an MDM server and SCEP server. When we connect to Access Points, the ClearPass application sends a profile file to users via a web interface. Actually the whole solution is contained in this profile file settings. We changed the part specified as "user" in the settings of this configuration profile file, sent to MacOS devices by the ClearPass application, to "system". Thus, as soon as our MacOS device was turned on, the user was able to connect to the network automatically without logging in. If the application you use is ClearPass, I support this article with screenshots. You can use the screenshot below. After making this change, you need to delete and reinstall the WIFI profile on the macOS device. After this step, the problem disappears.