
AD machine auth for 802.1x in 10.6.8 ?

  • January 9, 2013
  • 8 replies
  • 32 views


Has anyone successfully accomplished this? Works perfectly on 10.7+ using my config profile and $COMPUTERNAME for directory username.

Best answer by bbergstein


8 replies

  • Honored Contributor
  • January 10, 2013

Sorry, please explain. I don't understand.


  • Esteemed Contributor
  • January 10, 2013

He has a configuration profile that allows AD authentication over Wifi for user accounts. I've been trying to get one working reliably on 10.8 for a while now.

Andy, can you post exact details of the profile so we can have a look?


  • Author
  • Contributor
  • January 10, 2013

Profile looks like this:

(two external image links)

Again, this is working perfectly with our 10.7 and above clients. Thank you for your help in advance!


  • Contributor
  • Answer
  • January 10, 2013

I just went through this... the easiest way to make this work was to change the template on the CA to include the UPN in the subject alternative name. This resolves the whole "username" thing, by including that in the cert itself. We just duplicated the standard computer template, named it "Giant Eagle Macs", and checked that box. There's a pretty decent writeup of this on the macenterprise Google Group at https://groups.google.com/forum/?fromgroups=#!topic/macenterprise/K1M5wl_dloQ
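
An added example, not part of the original thread or of any poster's configuration: a dependency-free Python check that a certificate's subjectAltName extension value actually carries a UPN `otherName` (Microsoft OID 1.3.6.1.4.1.311.20.2.3), which is what the template change above is meant to produce. It assumes you already hold the raw DER bytes of the extension value; the sample names (`MAC01$@example.test`, `mac01.example.test`) are constructed.

```python
# Added example: list the UPN otherName entries in a DER subjectAltName value.
UPN_OID = bytes.fromhex("2b060104018237140203")  # 1.3.6.1.4.1.311.20.2.3

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def san_upns(san_der):
    """Return every UPN string found in a GeneralNames SEQUENCE."""
    tag, names, _ = read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName value is not a SEQUENCE")
    upns = []
    for tag, val in children(names):
        if tag != 0xA0:  # [0] otherName; dNSName is 0x82, and so on
            continue
        parts = list(children(val))
        if len(parts) == 2 and parts[0] == (0x06, UPN_OID) and parts[1][0] == 0xA0:
            inner_tag, text, _ = read_tlv(parts[1][1], 0)  # [0] EXPLICIT wrapper
            if inner_tag == 0x0C:  # UTF8String
                upns.append(text.decode("utf-8"))
    return upns

def tlv(tag, body):
    """Encode a short-form DER element (used only to build the samples)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

# Constructed samples: one SAN with UPN + DNS name, one with DNS name only.
DNS = tlv(0x82, b"mac01.example.test")
UPN = tlv(0xA0, tlv(0x06, UPN_OID) + tlv(0xA0, tlv(0x0C, b"MAC01$@example.test")))
WITH_UPN = tlv(0x30, UPN + DNS)
DNS_ONLY = tlv(0x30, DNS)

if __name__ == "__main__":
    print(san_upns(WITH_UPN), san_upns(DNS_ONLY))
```

An empty list for a machine certificate means the SAN has no UPN entry, so the certificate does not carry the username the answer above relies on.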


  • Esteemed Contributor
  • January 12, 2013

Wait a moment ... I missed this earlier. Do config profiles even work on OS X 10.6.x?


  • Author
  • Contributor
  • January 12, 2013

No, .mobileconfig profiles do not work on 10.6.8 machines. @bbergstein, thank you for the info. As we roll out the 802.1x wireless for students next school year we will be using this method.
Meanwhile, this year the 10.6.8 teachers are using the wpa2e EAP-PEAP wireless with a login window profile and a system profile containing a generic login authenticated user. We made some changes to that login user on the Aruba controller, that we think were causing issues. Long story short, we were making this way more complicated than it needed to be. Thanks for the cert info again.


  • Contributor
  • March 13, 2013

Hi Andy, I'm trying to get the machine authentication to work with OS X 10.8.2 clients and followed your configuration in the picture, but it fails.

Do you have any other payloads configured on this, e.g. an "AD Certificate" payload?

In my configuration I have:
Network payload with configuration exactly like yours
Certificate payload with AD certsrv CA certificate chain and Wi-Fi cert

I need to find out what I'm missing.

Thanks
Thusitha


  • Author
  • Contributor
  • March 13, 2013

Hey Thusitha, I don't have anything else configured in that profile. I would make sure to take a look at the Google page that bbergstein mentioned above. Modifying our cert template is what really allowed us to make this work. Also make sure you are deploying the profile at a Computer Level.