Jamf Nation Community

@c.knipping hope this helps

We used certificate based authentication for wireless and have no issues. We can login with our AD credentials and everything runs as if it was wired.

We used certificate based authentication for wireless and have no issues. We can login with our AD credentials and everything runs as if it was wired.

Many Thanks, I try this option! If it work I send a Feedback next days.

@c.knipping

We've done this quite a few times for our customers. In every case there has been a different challenge. Certificate templates and permissions, incompatibilities with the authentication server etc.

The basic setup will require a profile to get an AD certificate and deploy a wireless profile using the certificate for authentication.

Ideally you'll get some input from the person looking after the CA server and the person looking after the wireless network and RADIUS service as there is often a bit of troubleshooting involved.

Yes, I would be interested in you posting your solution. Many thanks!

@aporlebeke I'd be interested as well. Thanks!

Below is the script we use. This is something my shop came up with and has worked successfully. Rarely, we'll have an issue where for whatever reason it doesn't properly enter the computer AD hostname and randomly generated password in the configuration profile, but we have a policy setup in Self Service so that we can run a script to uninstall the profile and remove the dmg, and then reinstalls the DMG and reruns the script. Again, happens VERY rarely but something we've developed a quick fix for.

I did not personally create the script OR the config profile. There are tools out there such that you could create a config profile that contains the certs and other information computers in your environment need to connect to Wifi. The script below requires TESTUSER and TESTPASS to be the entered username/password in the config profile.

#!/bin/bash

#####
# OSX Machine auth for 802.1x profile
# get AD machine user/pass and put into 802.1x profile template
# install the profile
#
# sed has it's own uses for '&' and '' in replacements
# and the randomly generated password sometimes has them
# So, trap and escape them before feeding into sed
#
# put the host name in 'host/computer name.YOURDOMAIN.com' format
##
# Originally by Dan P ~2012
# added traps and host name modification
# thp 7/16/14
#####

PASS=`sudo /usr/bin/security find-generic-password -s "/Active Directory/YOURDOMAIN" -w /Library/Keychains/System.keychain`
USER=`/usr/sbin/dsconfigad -show | awk '/Computer *Account/ { print $4 }'`

# trap '' and escape them
if [[ ${PASS} =~ '' ]]; then
PASS=$(echo "$PASS" | sed 's/\/\\/g') 
fi

# trap '&' and escape them
if [[ ${PASS} =~ '&' ]]; then
PASS=$(echo "$PASS" | sed 's/&/\&/g') 
fi

# format username as host name
USER=`echo $USER | tr -d '$'`
USER="host/${USER}.YOURDOMAIN.com"

# change template file
PROPATH='/path/to/config/profile/template'
PROFILE='name_of_config_profile.mobileconfig'

sed -i .bak 's/TESTPASS/'${PASS}'/' ${PROPATH}/${PROFILE}
sed -i .bak 's/TESTUSER/'${USER}'/' ${PROPATH}/${PROFILE}
/usr/bin/profiles -I -F ${PROPATH}/${PROFILE}
rm -f ${PROPATH}/${PROFILE}.bak

exit

Fix script that uninstalls profile and deletes the config template file. You'll need the profileIdentifier of the config profile that you want to delete:

#!/bin/bash

# Uninstalls faculty machine auth profile based on its profileIdentifier
sudo -u root profiles -R -p name.of.configprofile.profileIdentifier

# Deletes previously installed faculty machine auth profile
sudo rm -rf /path/to/config/profile/template/name_of_config_profile.mobileconfig

exit