Distributing 802.1X Settings to Computers

You can use configuration profiles in Jamf Pro to distribute 802.1X settings to computers in your environment. This enables users to authenticate to your 802.1X network. You can enable users to authenticate to your network and verify the identity of a computer using either their credentials or certificate-based authentication. For more information about the protocols used for each method of authentication, see Overview.

When creating the configuration profile, you can choose to distribute the profile at the user level or the computer level. Distributing a profile at the user level allows you to monitor when users access your network.

Requirements

To distribute 802.1X settings to computers, you must complete the setup in the 802.1X Environment Setup.

To enable certificate-based authentication, you need a SCEP server with either a user or device certificate. If you are using a user certificate, the devices must be assigned to a user in Jamf Pro. For more information, see User Assignments in the Jamf Pro Administrator's Guide.

Enabling Users to Authenticate Using Credentials

Computers use the PEAP protocol for 802.1X configurations when you want users to authenticate using a username and password. To use this protocol, you must distribute a configuration profile to computers with the Certificates and Network payloads configured.

  1. Log in to Jamf Pro.

  2. Click Computers at the top of the page.

  3. Click Configuration Profiles.

  4. Click New.

  5. Use the General payload to configure basic settings for the profile, including the level at which to apply the profile and the distribution method.

  6. Use the Certificates payload to configure information about the certificate:

    1. Enter a display name for the certificate in the Certificate Name field.

    2. Choose "Upload" from the Select Certificate Option pop-up menu.

    3. Click Upload Certificate and upload the Root CA certificate.

    4. (Optional) If you uploaded a .p12 or .pfx certificate, enter a password in the Password field and then verify the password.

  7. Use the Network payload to configure information about your network:

    1. Select the type of network interface to use from the Network Interface pop-up menu.

    2. (Wi-Fi only) Configure the settings as necessary for your environment, including the Service Set Identifier (SSID) and settings for a Proxy Setup if your environment uses a proxy.

      Note: It is recommended that you use "WPA2 Enterprise" for your Security Type.

    3. (User-level profiles only) Select Use as a Login Window configuration to monitor which user is using the computer at login.

    4. On the Protocols tab, select PEAP and do the following depending on your environment:

      • If computers are bound to Active Directory, select the Use Directory Authentication option.

      • If computers are not bound to Active Directory, enter the username and password of the RADIUS Service Account, and ensure "None" is selected for the Identity Certificate.

      • If your environment uses Outer Identity, enter the masked identity as necessary.

    5. If your environment uses the root CA certificate only, select the Trust tab, and click Add. In the Certificate Common Name field, enter the RADIUS server common name.

      Note: The Certificate Common Name field is case sensitive.

    6. (Optional) Depending on your environment, select Allow trust exceptions if necessary.

  8. Click the Scope tab and configure the scope of the profile.
    For more information, see Scope in the Jamf Pro Administrator's Guide.

  9. Click Save.

The profile is distributed to computers in the scope of the profile the next time they contact Jamf Pro. Users must enter their credentials on their computer before they can join the network.

Enabling Users to Authenticate Using a Certificate

Computers use the TLS protocol for 802.1X configurations when you want users to authenticate using a certificate. To use this protocol, you must distribute a configuration profile to computers with an identity certificate configured in a payload along with the Network payload.

  1. Log in to Jamf Pro.

  2. Click Computers at the top of the page.

  3. Click Configuration Profiles.

  4. Click New.

  5. Use the General payload to configure basic settings for the profile, including the level at which to apply the profile and the distribution method.

  6. Depending on your environment, you must configure one of the following payloads for the identity certificate:

    • If your environment integrates with Active Directory Certificate Services (AD CS), select the Certificates payload to configure information about the certificate:

      1. Enter a display name for the certificate in the Certificate Name field.

      2. Choose "Upload" from the Select Certificate Option pop-up menu.

      3. Click Upload Certificate and upload the Root CA certificate.

      4. (Optional) If you uploaded a .p12 or .pfx certificate, enter a password in the Password field and then verify the password. For more information, see the Distributing Certificates Using Configuration Profiles section of the Integrating with Active Directory Certificate Services (AD CS) Using Jamf Pro technical paper.

    • If your environment does not integrate with AD CS and computers are bound to Active Directory, select the AD Certificate payload and configure the following:

      1. Enter a description of the certificate request in the Description field.

      2. Enter the hostname of the AD Certificate Services server in the Certificate Server field.
        Both the IP and hostname can be entered.

      3. Enter the name of the CA in the Certificate Authority field.

      4. Enter the name of the certificate template in the Certificate Template field.

        Note: Ensure you enter the name of the Computer Certificate if distributing the profile at the computer level, and enter the name of the User Certificate if distributing the profile at the user level. This field must have exact spelling and is case sensitive.

      5. Enter the number of days before the certificate expires to start showing the expiration notification in the Certificate Expiration Notification Threshold field.

      6. Configure the rest of the settings in the payload as necessary.

        Notes:

        • Do not select the Prompt for credentials setting. This is not supported at this time.

        • The Username and Password fields can be left blank. Credentials are pulled from Kerberos tickets and do not need to be filled.

    • If your environment does not integrate with AD CS and computers are not bound to Active Directory, select the SCEP payload and configure the following:

      1. Enter the SCEP server URL in the URL field. For example:
        http://SCEP.Hostname/certsrv/mscep/mscep.dll

      2. Enter the name of the instance.
        This value can be the name of the root CA Certificate.

      3. Configure the Redistribute Profile setting as necessary.

      4. Enter the following variables for the Subject field:

        • If distributing the profile at the user level: CN=$USERNAME or CN=$FULLNAME

        • If distributing the profile at the computer level: CN=$COMPUTERNAME or CN=$SERIALNUMBER

      5. Select "RFC 822 Name" from the Subject Alternative Name Type pop-up menu.

      6. (Optional) Enter a value for the Subject in the Subject Alternative Name Type field.

      7. Enter a value in the NT Principal Name field. This value is what the RADIUS server looks for.
        Computer-level profile example: $COMPUTERNAME@scep.domain
        User-level profile example: $USERNAME@scep.domain

      8. Select an option from the Challenge Type pop-up menu, and do one of the following:

        • "Static" Challenge Type: Enter the pre-shared secret challenge name.

        • "Dynamic-Microsoft CA" Challenge Type: Enter a value similar to the following in the URL to SCEP Admin field:
          http://SCEP.Hostname/certsrv/mscep_admin/, and then enter the username and password to authenticate to the SCEP Server.

      9. (Optional) Configure the rest of the settings in the pane as necessary.

  7. Use the Network payload to configure information about your network:

    1. Select the type of network interface to use from the Network Interface pop-up menu.

    2. (Wi-Fi only) Configure the settings as necessary for your environment, including the Service Set Identifier (SSID) and settings for a Proxy Setup if your environment uses a proxy.

      Note: It is recommended that you use "WPA2 Enterprise" for your Security Type.

    3. On the Protocols tab, select TLS and do the following depending on your environment:

      • If you configured the AD Certificate payload, select "AD Certificate" from the Identity Certificate pop-up menu.

      • If you configured the Certificate payload, select "AD CS Certificate" from the Identity Certificate pop-up menu.

      • If you configured the SCEP payload, select "SCEP" from the Identity Certificate pop-up menu.

    4. If your environment uses the root CA certificate only, select the Trust tab, and click Add. In the Certificate Common Name field, enter the RADIUS server common name.

      Note: The Certificate Common Name field is case sensitive.

    5. (Optional) Depending on your environment, select Allow trust exceptions if necessary.

  8. Click the Scope tab and configure the scope of the profile.
    For more information, see Scope in the Jamf Pro Administrator's Guide.

  9. Click Save.

The profile is distributed to computers in the scope of the profile the next time they contact Jamf Pro. Users join the network seamlessly because they authenticate using the certificate.
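Both procedures above end with Jamf Pro generating a configuration profile (.mobileconfig) from the Certificates, SCEP and Network payloads you filled in. The following is an added example, not Jamf's own code or the profile Jamf Pro actually emits: it builds the PEAP (credentials) and EAP-TLS (SCEP) variants with Apple's documented profile keys so you can see which key each UI setting maps to, and it lints the result for the two trust settings that matter most (a pinned RADIUS common name and a trust anchor that points at the uploaded Root CA, with trust exceptions off). The payload identifiers under com.example, the SSID, the Root CA placeholder bytes and the challenge value are constructed for the example; the $COMPUTERNAME variable and the scep.domain principal suffix are taken from the SCEP steps above.

```python
import plistlib
import uuid

PEAP, EAP_TLS = 25, 13           # IANA EAP method numbers carried in AcceptEAPTypes
ROOT_CA_DER = b"CONSTRUCTED-PLACEHOLDER-DER"   # the real Root CA DER bytes go here
CERT_PAYLOAD_TYPES = {"com.apple.security.root", "com.apple.security.pkcs12",
                      "com.apple.security.scep", "com.apple.security.pem"}


def _payload(ptype, ident, name, **extra):
    """Common envelope every profile payload needs."""
    d = {"PayloadType": ptype, "PayloadIdentifier": ident, "PayloadDisplayName": name,
         "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadVersion": 1}
    d.update(extra)
    return d


def root_ca_payload(der):
    """Certificates payload: the uploaded Root CA that anchors the RADIUS server chain."""
    return _payload("com.apple.security.root", "com.example.8021x.rootca", "Root CA",
                    PayloadContent=der, PayloadCertificateFileName="rootca.cer")


def scep_payload(url, name, subject_cn, nt_principal, challenge):
    """SCEP payload for the 'no AD CS, not bound to Active Directory' branch."""
    return _payload("com.apple.security.scep", "com.example.8021x.scep", name, PayloadContent={
        "URL": url, "Name": name,
        "Subject": [[["CN", subject_cn]]],                   # e.g. $COMPUTERNAME (Jamf substitutes it)
        "SubjectAltName": {"ntPrincipalName": nt_principal},  # what the RADIUS server looks for
        "Challenge": challenge,                               # "Static" challenge type
        "Keysize": 2048, "Key Type": "RSA", "Key Usage": 5,   # 1 = signing, 4 = encryption
    })


def wifi_payload(ssid, eap_type, anchor_uuid, radius_cn, *, identity_uuid=None,
                 directory_auth=False, username=None, password=None,
                 outer_identity=None, login_window=False, allow_trust_exceptions=False):
    """Network payload (Wi-Fi, WPA2 Enterprise) with the Protocols and Trust tab settings."""
    eap = {"AcceptEAPTypes": [eap_type],
           "TLSTrustedServerNames": [radius_cn],           # Trust tab: Certificate Common Name
           "PayloadCertificateAnchorUUID": [anchor_uuid],  # Trust tab: the Root CA payload
           "TLSAllowTrusted": allow_trust_exceptions}      # "Allow trust exceptions" checkbox
    if directory_auth:
        eap["SystemModeCredentialsSource"] = "ActiveDirectory"   # Use Directory Authentication
    elif username:
        eap["UserName"], eap["UserPassword"] = username, password  # RADIUS Service Account
    if outer_identity:
        eap["OuterIdentity"] = outer_identity
    extra = {"SSID_STR": ssid, "AutoJoin": True, "EncryptionType": "WPA2",
             "ProxyType": "None", "EAPClientConfiguration": eap}
    if identity_uuid:
        extra["PayloadCertificateUUID"] = identity_uuid     # Identity Certificate pop-up menu
    if login_window:
        extra["SetupModes"] = ["System", "Loginwindow"]      # Use as a Login Window configuration
    return _payload("com.apple.wifi.managed", "com.example.8021x.wifi", ssid, **extra)


def profile(name, scope, payloads):
    """Top-level profile; scope "System" = computer level, "User" = user level."""
    return {"PayloadType": "Configuration", "PayloadVersion": 1, "PayloadScope": scope,
            "PayloadIdentifier": "com.example.8021x", "PayloadDisplayName": name,
            "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadContent": payloads}


def peap_profile(ssid, radius_cn, *, bound_to_ad=True, service_account=None):
    """Credentials (PEAP) variant of the first procedure, computer level."""
    ca = root_ca_payload(ROOT_CA_DER)
    user, pw = service_account or (None, None)
    net = wifi_payload(ssid, PEAP, ca["PayloadUUID"], radius_cn,
                       directory_auth=bound_to_ad, username=user, password=pw)
    return profile("802.1X PEAP", "System", [ca, net])


def tls_scep_profile(ssid, radius_cn, scep_url, challenge):
    """Certificate (EAP-TLS) variant of the second procedure, SCEP branch, computer level."""
    ca = root_ca_payload(ROOT_CA_DER)
    scep = scep_payload(scep_url, "Root CA", "$COMPUTERNAME", "$COMPUTERNAME@scep.domain", challenge)
    net = wifi_payload(ssid, EAP_TLS, ca["PayloadUUID"], radius_cn, identity_uuid=scep["PayloadUUID"])
    return profile("802.1X TLS", "System", [ca, scep, net])


def lint_8021x(prof):
    """Findings that would let a client accept an unverified RADIUS server or fail to authenticate."""
    findings = []
    cert_uuids = {p["PayloadUUID"] for p in prof["PayloadContent"] if p["PayloadType"] in CERT_PAYLOAD_TYPES}
    for p in prof["PayloadContent"]:
        if p["PayloadType"] != "com.apple.wifi.managed":
            continue
        eap = p.get("EAPClientConfiguration", {})
        if not eap.get("TLSTrustedServerNames"):
            findings.append("no RADIUS server common name pinned")
        if not set(eap.get("PayloadCertificateAnchorUUID", [])) & cert_uuids:
            findings.append("trust anchor does not reference a certificate payload in this profile")
        if eap.get("TLSAllowTrusted", True):             # Apple's default is true when the key is omitted
            findings.append("trust exceptions allowed: user can accept an unknown server certificate")
        if EAP_TLS in eap.get("AcceptEAPTypes", []) and p.get("PayloadCertificateUUID") not in cert_uuids:
            findings.append("EAP-TLS selected without an identity certificate payload")
    return findings


def to_mobileconfig(prof):
    """Serialise to the XML plist form that a computer installs."""
    return plistlib.dumps(prof)
```

Run lint_8021x against a profile exported from Jamf Pro (or built here) before scoping it widely: a profile that passes still pins the RADIUS common name case-sensitively, exactly as the Trust tab note above says, so a mismatch shows up as a failed join rather than as a silently accepted server.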

© copyright 2002-2021 Jamf. All rights reserved.