Has anyone connected a non-AD bound Mac to 802.1x Wi-Fi (System-Level)?

russeller
Contributor III

I've been trying to slowly move away from binding my Macs to Active Directory and using tools like NoMAD. I want to be able to use SCEP in a Configuration Profile to request a cert with a challenge (pre-shared) password, but haven't been able to get it working. I'm looking to get the Mac connected (without using a user's creds for shared computers). I get as far as the profile erroring out with

Unable to create X509 name from 'Subject' parts in SCEP payload

Has anyone got this working? Does it even work at all?

Here are the details of my macOS Configuration Profile:

macOS Configuration Profile

Level: Computer Level
Distribution: Automatic

Network Payload

Auto Join: Yes
Security Type: WPA2 Enterprise
Protocols: TLS
Identity Certificate: SCEP (Cert_Name)
QOS: Mark All Apps
Trusted Certificates: Root Internal CA

Certificate Payload

Certificates: Root CA

SCEP Payload

URL: http://path_to_ca.fqdn/certsrv/mscep/mscep.dll
Name: Cert_Name
Redistribute Profile: 14 Days
Subject: CN=$SERIALNUMBER $PROFILE_IDENTIFIER,OU=IT,O=Org_Name,L=City_Name,S=STATE_NAME,C=US
Subject Alternative Name: None
Challenge Type: Static
Retries: 3
Retry Delay: 3
Certificate Expiration Notification Threshold: 14
Key Size: 2048 (Admin set it to this in the Certificate Template)


JustDeWon
Contributor III

The best way that I got these to work was downloading the .mobileconfig profile and building it as a .pkg instead of a config profile. However, I wasn't getting the x509 error before I decided to go that route. The only time I saw that x509 error, is for AD bound machines, and the network team had to configure the customize attributes in the access-policy..

russeller
Contributor III

Thanks for the info @JustDeWon. I forgot I had a policy in the JSS that was auto-rebinding Macs that were unbound during a check-in, so that was part of the issue. I finally got it working by downloading the Wi-Fi (SCEP) Configuration Profile I had for my iOS devices. Then, using the

security cms -D -i /path/ios-wifi.mobileconfig | xmllint --format -

command to export the data from the profile and creating a new .mobileconfig profile, changing all the UUIDs with the uuidgen command to get different UUIDs for the profile (you could also just use the reverse DNS naming), then I signed the profile with the

security cms -S -N "[Signing Certificate]" -i "[input]" -o "[output]"

command I got from this site. Now I just need to package it up and deploy it to my Macs and I can finally stop binding them to AD.

JustDeWon
Contributor III

@ssrussell , sounds good.. And that's similar to the way I do it on the Macs, I strip it first using the openssl smime -inform DER -verify -in /path/to/wifi.mobileconfig -noverify -out /path/to/wifi1.mobileconfig command...

Then I convert it to a readable .plist using the plutil -convert xml1 /path/to/wifi1.mobileconfig command.. From there I'm able to create a package using Composer and a post-install script. I got this from here

Good to know the command for iOS, as we don't have any iOS devices in JAMF as of now.
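Worked example of the UUID step from the two replies above (added here; not code from either poster or from Jamf). It assumes the profile has already been stripped of its CMS signature with security cms -D or openssl smime as described, then uses Python's plistlib to give every PayloadUUID a fresh value while rewriting any payload that referenced the old one (the Wi-Fi payload's PayloadCertificateUUID must keep pointing at the SCEP payload, which a per-payload uuidgen would silently break), and checks for dangling certificate references before the file is re-signed or packaged. The embedded profile is constructed with placeholder identifiers.

```python
import plistlib
import uuid

# Constructed sample (placeholder identifiers): a SCEP payload plus a Wi-Fi payload
# that points at it through PayloadCertificateUUID, as in the thread's profile.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.wifi-scep</string>
  <key>PayloadUUID</key><string>11111111-1111-1111-1111-111111111111</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.scep</string>
      <key>PayloadUUID</key><string>22222222-2222-2222-2222-222222222222</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadUUID</key><string>33333333-3333-3333-3333-333333333333</string>
      <key>PayloadCertificateUUID</key><string>22222222-2222-2222-2222-222222222222</string>
    </dict>
  </array>
</dict></plist>"""

def walk_dicts(node):
    """Yield every dict in the plist tree, depth first."""
    if isinstance(node, dict):
        yield node
        for child in node.values():
            yield from walk_dicts(child)
    elif isinstance(node, list):
        for child in node:
            yield from walk_dicts(child)

def rotate_payload_uuids(profile_xml):
    """Return (profile dict, old->new map). Every PayloadUUID gets a fresh value and
    any string equal to an old UUID (e.g. PayloadCertificateUUID) follows it."""
    profile = plistlib.loads(profile_xml)
    mapping = {d["PayloadUUID"]: str(uuid.uuid4()).upper()
               for d in walk_dicts(profile) if isinstance(d.get("PayloadUUID"), str)}
    for d in walk_dicts(profile):
        for key, val in d.items():
            if isinstance(val, str) and val in mapping:
                d[key] = mapping[val]
    return profile, mapping  # plistlib.dumps(profile) yields the XML to sign/package

def dangling_certificate_refs(profile):
    """PayloadCertificateUUID values that match no PayloadUUID in the profile."""
    known = {d["PayloadUUID"] for d in walk_dicts(profile) if "PayloadUUID" in d}
    return [d["PayloadCertificateUUID"] for d in walk_dicts(profile)
            if "PayloadCertificateUUID" in d and d["PayloadCertificateUUID"] not in known]
```

Run dangling_certificate_refs on the decoded profile before signing: an empty list means the Wi-Fi payload will still find its SCEP identity after the rotation.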