802.1X certificate selection at wifi selection

julienvs
New Contributor III

Hi all,

I'm having issues getting 802.1X to work on Wifi.

I'm deploying machine certificates with Jamf Pro as a Proxy. We use the ADCS connector.

These certificates arrive properly on the machine.

The problem occurs when selecting a Wifi network: we're asked to select a certificate.

We get our connection after selecting the certificate but we shouldn't have to select that certificate.

I can't find a way to tell macOS to choose the right certificate when connecting to a specific Wifi.

Do you guys have any tips here?

Thanks in advance,

Julien

6 REPLIES

AJPinto
Esteemed Contributor

Is the certificate being deployed in the same Configuration Profile as the wifi network?

julienvs
New Contributor III

No, Jamf documentation recommends deploying the machine certificate first, and then only the wifi profile.

I noticed however that some people recommended pushing all payloads in one profile.

sdagley
Esteemed Contributor III

@julienvs Do you have a link to the Jamf docs that suggest different profiles? Standard practice has long been to deploy both the Certificate and Network payloads in a single Configuration Profile as @AJPinto suggested, so if there's documentation that says otherwise, either it's wrong or something was changed without advance warning. I'm betting on the former.

julienvs
New Contributor III

I don't immediately find it again in the documentation.

I'll try putting:

  1. ADCS Identity Certificate
  2. Full chain
  3. Network payload

In a single profile and try again.

AJPinto
Esteemed Contributor

Apple requires the certificate and network payload to be in the same configuration profile; Jamf's documentation reflects this. If they are not in the same configuration profile, the certificate trust chain is not created.

Console actually has some pretty good logging on this; filter by the wifi logs and the SSID you are trying to connect to.

gmihailo
New Contributor III

I can confirm that you will need to add the network and certificate profiles in the same payload. You will also need to upload the root certificate so that there is trust in the chain, otherwise you will have issues.
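
A pre-deployment check for the layout the replies describe, added here as an example and not posted by anyone in this thread: it parses an exported, unsigned .mobileconfig and reports when the Wi-Fi payload's identity or trust-anchor references point at certificate payloads that are not in the same profile. The sample profiles, UUIDs and SSID are constructed, and the payload-type sets are an assumption about which certificate payloads your profile uses.

```python
import plistlib

# Assumed payload types for client identities and for trust anchors.
IDENTITY_TYPES = {"com.apple.security.pkcs12", "com.apple.security.scep",
                  "com.apple.ADCertificate.managed"}
ANCHOR_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1",
                "com.apple.security.pem"}

def check_wifi_profile(profile_bytes):
    """Return findings for each Wi-Fi payload; an empty list means the identity
    and trust anchors it references are shipped in the same profile."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    by_uuid = {p.get("PayloadUUID"): p.get("PayloadType") for p in payloads}
    findings = []
    for p in payloads:
        if p.get("PayloadType") != "com.apple.wifi.managed":
            continue
        ssid = p.get("SSID_STR", "?")
        ident = p.get("PayloadCertificateUUID")
        if ident is None:
            findings.append(f"{ssid}: no PayloadCertificateUUID set")
        elif by_uuid.get(ident) not in IDENTITY_TYPES:
            findings.append(f"{ssid}: identity {ident} is not in this profile")
        anchors = p.get("EAPClientConfiguration", {}).get(
            "PayloadCertificateAnchorUUID", [])
        if not anchors:
            findings.append(f"{ssid}: no trust anchor referenced")
        for a in anchors:
            if by_uuid.get(a) not in ANCHOR_TYPES:
                findings.append(f"{ssid}: anchor {a} is not in this profile")
    return findings

def sample_profile(include_certs):
    """Constructed sample: an EAP-TLS Wi-Fi payload, with or without the
    identity and root certificate payloads alongside it."""
    wifi = {"PayloadType": "com.apple.wifi.managed", "PayloadUUID": "WIFI-0001",
            "SSID_STR": "ExampleCorp", "EncryptionType": "WPA2",
            "PayloadCertificateUUID": "IDENT-0001",
            "EAPClientConfiguration": {
                "AcceptEAPTypes": [13],  # 13 = EAP-TLS
                "PayloadCertificateAnchorUUID": ["ROOT-0001"]}}
    certs = [{"PayloadType": "com.apple.security.pkcs12", "PayloadUUID": "IDENT-0001"},
             {"PayloadType": "com.apple.security.root", "PayloadUUID": "ROOT-0001"}]
    content = certs + [wifi] if include_certs else [wifi]
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": content})

if __name__ == "__main__":
    print(check_wifi_profile(sample_profile(include_certs=False)))
```

A profile signed by the MDM server is CMS-wrapped and has to be unwrapped before `plistlib` can read it.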