Using Jamf Connect with 802.1x Wireless Network Pre-Login

nwsbear
New Contributor II

I've poked around Nation a bit, but haven't seen anyone with this exact problem. Trying to connect to our 802.1x wireless network in Jamf Connect's "Network Connection" dialog with no luck. Entering network credentials does nothing, and no feedback is given from the dialog.

All other devices (Windows machines, phones, etc) connect to this network by initially authenticating with domain credentials (even devices not joined to domain). The Apple OSX devices using Connect are not domain bound.

I'm guessing this may be an issue of pushing out correct certs with Jamf Pro. If so, I'm exactly sure on what certs are needed, and in which manner they should be pushed to machines.

Thanks!

8 REPLIES

Shane
New Contributor II

We're using JCL with 802.1x successfully but it is with device cert auth and user credentials are not involved.

Device certs are deployed from our AD CA with a SCEP payload via Jamf.

nwsbear
New Contributor II

Thanks, Shane! Would you mind sharing some of your config? Appreciate it!

Shane
New Contributor II

Here are some screenshots of our network and SCEP payloads.

We have a profile specific for the WiFi and associated cert.
There are only 2 payloads:

First create the SCEP payload. We have to use never reissue because it adds the profile ID to common name and our devices get rejected by the network controller. It's worth trying to get it working with renewal if possible.

Then create the network payload

As seen in the final screenshot, the Identity Certificate is the SCEP cert defined within this profile.

nwsbear
New Contributor II

Thanks so much! I'll chew on this for a while.

bcbackes
Contributor

@Shane @nwsbear I tried to set up a SCEP profile in my DEV environment, however, I find that the profile just says pending for the computer I have it scoped to. Can't seem to get past that point. Have either of you run into that? I should note that I have a separate config profile for our network configuration.

aassefa2
New Contributor II

@Shane Would you have suggestions on how to make this work with SCEP, using PEAP? Our network setup requires users to use cert + credentials. I have not found a solution with that type of setup and JAMF Support has only led to dead ends.

Amdé

rabbitt
New Contributor III

@aassefa2 - PEAP will not work with Jamf Connect. The cert would be located in the user's account keychain, but you need the network to authenticate the user, but you need the user to authenticate to get on the network, but you need the network to...

johnsz_tu
New Contributor II

@bcbackes

I find that the profile just says pending for the computer I have it scoped to. Can't seem to get past that point

Check the IIS logs and Event Viewer on the SCEP Server/Proxy endpoint

We've found that if a profile gets stuck in pending for us it's either been:

  • An authentication issue: the service account stops working and we were seeing 401 errors in the IIS logs

  • Check the NDES password cache. We were running into an issue with profiles stuck in pending and started seeing an error in Event Viewer/logs on the server complaining about the password cache being full:

The password cache is full. Network Device Enrollment Service stores unused password for later use. By default, passwords are stored for 60 minutes. Use one of the existing passwords. If you cannot use an existing password: Wait until one or more existing passwords expire (by default passwords expire 60 minutes after they are created). Restart Internet Information Services (IIS).

We followed some instructions on increasing the cache value from the default of 5 (some online resources say to set it to 50% of your device count) and it seems to have helped (in our particular case).

Some resources on increasing the password cache, if this indeed is the problem you are having: Here and here

It's unfortunate that even in debug mode the JAMF server log just doesn't provide enough info on what's happening with the SCEP process when it's failing.

In saying the above, these were problems with our environment and may be different to the issue you are seeing. This was just how we solved the "Stuck in pending" issue.

Hopefully there's some info that might help. Good luck.
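An added example, not part of the thread or anyone's production tooling: one way to do the IIS log check suggested above is to tally 401 responses on the SCEP endpoint by substatus, since a 401.2 followed by a 200 is the normal authentication challenge while repeated 401.1 with Win32 status 1326 (logon failure) points at the service account's credentials. The sample log lines are constructed, and the `/certsrv/mscep` and `/certsrv/mscep_admin/` paths and the field layout are assumptions based on a default NDES/IIS install.

```python
from collections import Counter

# Constructed sample in IIS W3C extended log format (not real log data).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status
2024-01-10 09:00:01 GET /certsrv/mscep_admin/ - 10.0.0.5 401 2 5
2024-01-10 09:00:02 GET /certsrv/mscep_admin/ EXAMPLE\\svc-scep 10.0.0.5 200 0 0
2024-01-10 09:00:03 GET /certsrv/mscep/mscep.dll - 10.0.0.5 200 0 0
2024-01-10 09:05:10 GET /certsrv/mscep_admin/ - 10.0.0.5 401 1 1326
2024-01-10 09:05:11 GET /certsrv/mscep_admin/ - 10.0.0.5 401 1 1326
2024-01-10 09:06:00 GET /iisstart.htm - 10.0.0.9 200 0 0
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))


def scep_auth_failures(text, prefix="/certsrv/mscep"):
    """Count 401s on SCEP paths, keyed by (uri, substatus, win32 status)."""
    hits = Counter()
    for row in parse_w3c(text):
        on_scep = row["cs-uri-stem"].lower().startswith(prefix)
        if on_scep and row["sc-status"] == "401":
            key = (row["cs-uri-stem"], row["sc-substatus"], row["sc-win32-status"])
            hits[key] += 1
    return hits


def credential_failures(text):
    """401.1 means the logon itself failed; 401.2 is usually just the challenge."""
    return sum(n for (_, sub, _), n in scep_auth_failures(text).items() if sub == "1")


if __name__ == "__main__":
    for (uri, sub, win32), n in sorted(scep_auth_failures(SAMPLE_LOG).items()):
        print(f"{n:3d}  401.{sub}  win32={win32}  {uri}")
    print("credential failures (401.1):", credential_failures(SAMPLE_LOG))
```

Point it at the real log by reading the file's text in place of `SAMPLE_LOG`; the parser follows whatever `#Fields:` header the server writes, as long as the URI and status fields are enabled.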