
profile for WPA2 enterprise pre-authentication

Hi,


I've got a WPA2 enterprise wireless network using Active Directory for authentication. This works fine if a user has a mobile profile on their Mac OS laptop. They can log in and then connect/authenticate to a wireless network. My problem is users who are logging into a computer for the first time and cannot because the computer is not connected to the network.


I thought the solution was to set up a profile using the Apple Configurator or the iPhone Configuration Utility. I've done this and have set up a profile that connects the laptop to the network via a preconfigured username and password in the .mobileconfig file. This works: the laptop connects to the network via the profile settings, and non-local users can log in and authenticate.


But the problem with that is I will have all my Mac users connected to the network with the same username and password. I want users to be connected with their school-provided credentials.


Does anyone know how to solve this issue? Is there a solution with a config file?

MacBook Air, OS X Yosemite (10.10.4)

Posted on Jul 29, 2015 1:13 PM

Question marked as Best reply

Posted on Jul 30, 2015 5:55 AM in response to badreligionhead

I believe a more common approach is to use 802.1X authentication with a RADIUS server and device certificates. The device certificates would be unique to each device. However, ensuring they are unique to each device means that you have to create a profile per device, with that device's specific certificate as part of the payload of the profile.


You could have a guest WiFi network to connect to initially and then 'download' the profile, or, as you have been doing, use Configurator to load the profile via USB.


Where Apple do seem to be lacking is the automation of creating and issuing unique device certificates. I can tell you that if you use Cisco Meraki Systems Manager and Meraki wireless access points, then these can work together to automate all of this. Meraki Systems Manager can be viewed as being equivalent to Apple's Profile Manager. See https://documentation.meraki.com/MR/Encryption_and_Authentication/Certificate-based_WiFi_authentication_with_Systems_Man…


Note: The main reason why Profile Manager falls down here is that while Profile Manager includes a SCEP server for creating device certificates - this is limited by Apple to solely being usable for device enrolment. You cannot use their SCEP server for other purposes like creating certificates for WiFi, VPN, etc.
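The approach the answer describes, one profile per device carrying that device's own certificate, can be scripted. What follows is an added example and not code from this thread, from Apple or from Meraki. It uses Python's plistlib to emit one .mobileconfig per Mac containing an EAP-TLS Wi-Fi payload, the device's PKCS#12 identity and the RADIUS server's CA, and an audit function that flags the shared-username/password profile the question describes. The payload key names (SSID_STR, EAPClientConfiguration, AcceptEAPTypes, SetupModes, PayloadCertificateUUID, TLSTrustedServerNames) are taken from Apple's Configuration Profile Reference as recalled here and should be checked against the current reference; the certificate bytes, device names, SSID and RADIUS host name are constructed placeholders, and obtaining a real per-device certificate (SCEP, manual issuance or an MDM) is outside the script.

```python
"""Per-device EAP-TLS Wi-Fi profiles plus an audit for shared-credential profiles.

Added example, not code from the original thread. Payload key names follow
Apple's Configuration Profile Reference as recalled here; verify before deploying.
"""
import plistlib
import uuid

EAP_TLS = 13  # EAP method type for EAP-TLS (RFC 5216); PEAP is 25


def _uuid() -> str:
    return str(uuid.uuid4()).upper()


def build_eap_tls_profile(ssid, device_name, p12_bytes, p12_password,
                          ca_der, server_names, org_id="edu.example") -> bytes:
    """Return a .mobileconfig (XML plist) whose Wi-Fi payload authenticates with
    this device's own PKCS#12 identity. No secret shared across devices is embedded."""
    ca_uuid, identity_uuid = _uuid(), _uuid()
    ca_payload = {
        "PayloadType": "com.apple.security.root", "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.radius-ca", "PayloadUUID": ca_uuid,
        "PayloadDisplayName": "RADIUS server CA",
        "PayloadContent": ca_der,  # plistlib serialises bytes as <data>
    }
    identity_payload = {
        "PayloadType": "com.apple.security.pkcs12", "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.identity.{device_name}", "PayloadUUID": identity_uuid,
        "PayloadDisplayName": f"802.1X identity for {device_name}",
        "PayloadContent": p12_bytes,
        "Password": p12_password,  # unwraps the PKCS#12 on install; unique per device
    }
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.wifi.{device_name}", "PayloadUUID": _uuid(),
        "PayloadDisplayName": f"Wi-Fi {ssid}",
        "SSID_STR": ssid, "HIDDEN_NETWORK": False, "AutoJoin": True,
        "EncryptionType": "WPA2",
        # macOS: System mode joins the network before anyone logs in, which is
        # what a first-time network login needs (key name assumed from Apple's reference).
        "SetupModes": ["System", "Loginwindow", "User"],
        "PayloadCertificateUUID": identity_uuid,  # identity presented to the RADIUS server
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [EAP_TLS],
            "TLSTrustedCertificates": [ca_uuid],
            "TLSTrustedServerNames": list(server_names),
            "TLSAllowTrustExceptions": False,  # no click-through on a bad server cert
        },
    }
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.wifi-profile.{device_name}", "PayloadUUID": _uuid(),
        "PayloadDisplayName": f"{ssid} Wi-Fi ({device_name})",
        "PayloadOrganization": org_id, "PayloadScope": "System",
        "PayloadContent": [ca_payload, identity_payload, wifi_payload],
    })


def audit_wifi_profile(mobileconfig: bytes) -> list:
    """Findings for every Wi-Fi payload in a profile; [] means certificate-based,
    no embedded shared secret, and server trust pinned."""
    findings = []
    payloads = plistlib.loads(mobileconfig).get("PayloadContent", [])
    cert_uuids = {p["PayloadUUID"] for p in payloads if p.get("PayloadType")
                  in ("com.apple.security.pkcs12", "com.apple.security.root")}
    for p in payloads:
        if p.get("PayloadType") != "com.apple.wifi.managed":
            continue
        eap = p.get("EAPClientConfiguration", {})
        if "UserPassword" in eap:
            findings.append("shared username/password embedded in EAPClientConfiguration")
        if EAP_TLS not in eap.get("AcceptEAPTypes", []):
            findings.append("EAP-TLS not accepted; device cannot present its own certificate")
        elif p.get("PayloadCertificateUUID") not in cert_uuids:
            findings.append("PayloadCertificateUUID does not point at a certificate payload")
        if not eap.get("TLSTrustedServerNames"):
            findings.append("no TLSTrustedServerNames: any cert from the trusted CA is accepted")
        if eap.get("TLSAllowTrustExceptions", True):
            findings.append("TLSAllowTrustExceptions on: user can accept a rogue RADIUS server")
    return findings


# Constructed demo inputs: NOT real certificates, just placeholder bytes.
DEMO_CA_DER = b"\x30\x82demo-ca-certificate-der"
DEMO_DEVICES = {"mba-001": (b"\x30\x82demo-p12-mba-001", "pw-mba-001"),
                "mba-002": (b"\x30\x82demo-p12-mba-002", "pw-mba-002")}


def build_demo_profiles() -> dict:
    return {name: build_eap_tls_profile("School-Secure", name, p12, pw, DEMO_CA_DER,
                                        ["radius.school.example"])
            for name, (p12, pw) in DEMO_DEVICES.items()}


def shared_credential_profile(ssid, username, password) -> bytes:
    """The pattern from the question: one PEAP username/password for every Mac."""
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "edu.example.wifi-shared", "PayloadUUID": _uuid(),
        "PayloadContent": [{
            "PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1,
            "PayloadIdentifier": "edu.example.wifi-shared.wifi", "PayloadUUID": _uuid(),
            "SSID_STR": ssid, "EncryptionType": "WPA2", "AutoJoin": True,
            "EAPClientConfiguration": {"AcceptEAPTypes": [25],
                                       "UserName": username, "UserPassword": password},
        }],
    })


if __name__ == "__main__":
    for name, blob in build_demo_profiles().items():
        print(name, audit_wifi_profile(blob) or "OK")
    print("shared:", audit_wifi_profile(shared_credential_profile("School-Secure", "wifi-svc", "hunter2")))
```

PayloadScope System makes each output a device profile, which is what Configurator loads over USB as the answer suggests, and including System in SetupModes is what lets the Mac join before the login window appears, the first-login case the question is about. The audit is worth running on the existing shared-credential .mobileconfig before replacing it: it reports the embedded password, the missing EAP-TLS method and the absent server-name pinning, which together are why one leaked profile would give every holder the same network access.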

