Jamf Connect with 802.1x Wireless Network Pre-Login

phillip_martin
New Contributor

Hello JamfNation,

I’m trying to connect to our 802.1x wireless network in Jamf Connect's "Network Connection" dialog with no luck. Entering network credentials does nothing and I’m left with the dreaded “No network connection”. The computers I’m testing/will deploy Jamf Connect with are currently domain bound, but won’t be after I get Jamf Connect working. The current computer-based config profiles I’ve tried don’t seem to work.

I’m looking for a way to get authenticated to our wireless pre-boot, so Jamf Connect will work.

We don’t have a scep server btw.

Anyone out there have any ideas? I’m stuck.

12 REPLIES 12

itthings
New Contributor II

I'm having the same issue version 2.0.1.

aassefa2
New Contributor II

Hello Phillip, I have contacted Jamf Support for this exact issue. They sent over these instructions, but I am still not able to make it work so far. Let me know if you are able to resolve it.

802.1x macOS – Computer Based PEAP Workflow with AD

  • Need the Root CA Certificate
  • Radius server may have certificate that macOS computer needs to trust. DL That certificate. **

Step 1 – General Payload
1. Set as desired
2. Set level to “Computer Level”

Step 2 – Certificate payload
1. Set certificate name
2. Upload Certificate
Passphrase only used with p12 / pfx certificate. Enter here if using a bundle cert

Step 3 – Network Payload
1. Set Network Interface. If using Ethernet, skip to Step 3.
   a. Set SSID
   b. Set Hidden / Auto join / If using Proxy, configure this here
   c. Security type – WPA / WPA2 Enterprise
2. Optional – Check “Use as a Login Window Configuration” to monitor which user is using the computer at login.

PROTOCOLS TAB
3. Protocols to PEAP
4. Check “Use Directory Authentication”
5. If using Outer Identity, enter desired masked identity here.

TRUST TAB
6. Need to trust the CA Certificate / Radius certificate if present.
7. If you are not using a radius certificate (only root CA)
   a. Enter the Radius server common name (case sensitive) in Certificate Common Name section
8. Check allow trust exceptions as desired

Amdé Saint Michaels College

Mac_User_
New Contributor III

I also received the same update from Jamf support with those instructions but have been unable to successfully configure it.

oandre3
New Contributor

Has anyone had further luck with this? I just tried a test profile using the steps above but had to tweak a little and it appears to have worked on a test MBP 2017 running Big Sur. I'll have to try it out on a few more machines just to make sure but if anyone is interested:

* The test machine is a MacBook Pro 13" 2017.

* macOS Big Sur 11.6

* We're using Jamf Pro 10.32.2

I started with a fresh configuration profile, filled in the General section and set it to apply at the computer level. I then set up the Network payload using some of the steps above that aassefa2 mentions support provided to him. I disabled Auto-Join because the first time I tried it it didn't work, so I disabled it this time. I went through the usual, set it to use the Wi-Fi interface, filled in the SSID and set up the security type. I checked the box for 'Use as a Login Window configuration'. I enabled PEAP protocols and 'Use Directory Authentication'.

I also set up two payloads under the Certificate section. One for the Root CA that the school and uploaded a copy of the cert. And another upload for the cert that the wireless uses, they were in .cer format.

Back under the Network payload, under the Trust tab, I checked both uploaded certificates to be trusted and checked the box for 'Allow Trust Exceptions'.

After that I set the scope to the test machine, rebooted the MBP just to be sure, when it came back up there was a drop-down box with the SSID listed. I tried our test account and after a few seconds the login process started. It definitely took a few times and Jamf's documentation on setting up 802.1X authentication at login can be a little vague, but it was nice to see it actually work.

802.1X@login.JPG

Mac_User_
New Contributor III

@oandre3 Have you tested again with a more modern system, and/or Monterey? I've yet to find a resolution, even after trying the suggested tweaks you've made.

Mac_User_
New Contributor III

Sorry for the duplicate post, Jamf page was glitching.

husnudagidir
Contributor

Hi Everyone,

I solved the 802.1x problem. You can contact me here to find out how to solve the problem.

What resolved for you? I have seen it work once, but cannot replicate and Jamf Support has been no help sadly. 

Hi Mac_User_ ,

First of all, I have to learn this. What brand are the Access Points you use in the WIFI network and what software do you use to manage them? If you answer this, I will more easily tell the root cause.

For the solution of this problem, I opened a new technical case to Jamf. I fixed the problem before I got any solution from them. I hope it has an Aruba Access Point in its environment and its management software is ClearPass.

Hi,

We use Aruba brand Access Points in our WIFI network. 802.1x is used to connect to the network through these products and we include users in the network by verifying with a certificate. At this stage, identity and certificate verification is done with an application called ClearPass. The ClearPass application also serves as an MDM server and SCEP server. When we connect to Access Points, the ClearPass application sends a profile file to users via a web interface. Actually, the whole solution is contained in this profile file's settings. We changed the part specified as "user" in the settings of this configuration profile file, sent to macOS devices by the ClearPass application, to "system". Thus, as soon as our macOS device was turned on, the user was able to connect to the network automatically without logging in. If the application you use is ClearPass, I support this article with screenshots. You can use the screenshot below. After making this change, you need to delete and reinstall the WIFI profile on the macOS device. After this step, the problem disappears.

Provisioning_Settings__.png
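
One way to check an exported, unsigned `.mobileconfig` against the settings discussed in this thread (computer-level scope, system or login-window mode, PEAP, directory authentication, certificate trust), as an added example that is not from any poster, Jamf or Aruba. The key names are Apple's Wi-Fi payload keys; that the Jamf checkboxes and the ClearPass "user"/"system" setting map to `PayloadScope`, `SetupModes` and `SystemModeCredentialsSource` is an assumption, and the sample profile (SSID, UUIDs, server name) is constructed.

```python
import plistlib

PEAP = 25  # IANA EAP method number for PEAP
CERT_PREFIX = "com.apple.security."  # root / pkcs1 / pem / pkcs12 payload types

def audit_profile(raw: bytes) -> list:
    """List reasons an 802.1X Wi-Fi profile cannot authenticate before login."""
    profile = plistlib.loads(raw)
    findings = []
    if profile.get("PayloadScope", "User") != "System":
        findings.append("PayloadScope is not System (profile installs per-user)")
    payloads = profile.get("PayloadContent", [])
    cert_uuids = {p.get("PayloadUUID") for p in payloads
                  if p.get("PayloadType", "").startswith(CERT_PREFIX)}
    wifi = [p for p in payloads if p.get("PayloadType") == "com.apple.wifi.managed"]
    if not wifi:
        findings.append("no com.apple.wifi.managed payload")
    for p in wifi:
        ssid = p.get("SSID_STR", "<no SSID>")
        eap = p.get("EAPClientConfiguration", {})
        modes = set(p.get("SetupModes", []))
        if not modes & {"System", "Loginwindow"}:
            findings.append(f"{ssid}: SetupModes has neither System nor Loginwindow")
        if ("System" in modes and not eap.get("UserName")
                and eap.get("SystemModeCredentialsSource") != "ActiveDirectory"):
            findings.append(f"{ssid}: System mode with no directory or static credentials")
        if PEAP not in eap.get("AcceptEAPTypes", []):
            findings.append(f"{ssid}: PEAP (25) not in AcceptEAPTypes")
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors and not eap.get("TLSTrustedServerNames"):
            findings.append(f"{ssid}: no trusted anchor or RADIUS server name")
        for uuid in anchors:  # every anchor must ship in the same profile
            if uuid not in cert_uuids:
                findings.append(f"{ssid}: anchor {uuid} has no certificate payload")
    return findings

def sample_profile(scope: str, modes: list, anchor: str) -> bytes:
    """Constructed test profile; SSID, UUIDs and server name are made up."""
    eap = {"AcceptEAPTypes": [PEAP], "PayloadCertificateAnchorUUID": [anchor],
           "TLSTrustedServerNames": ["radius.example.edu"],
           "SystemModeCredentialsSource": "ActiveDirectory"}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadScope": scope,
        "PayloadContent": [
            {"PayloadType": "com.apple.security.root", "PayloadUUID": "CA-UUID-0001"},
            {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "ExampleCorp",
             "EncryptionType": "WPA2", "SetupModes": modes,
             "EAPClientConfiguration": eap}]})

if __name__ == "__main__":
    for finding in audit_profile(sample_profile("User", [], "MISSING-UUID")):
        print("FAIL:", finding)
```

A profile downloaded from an MDM is often CMS-signed, and `plistlib` will not parse it until the signature wrapper has been removed.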
