How to set up machine based authentication for 802.1x Wi-Fi

@ianmb We just moved to Casper this summer and in the past with DeployStudio we've used a .mobileconfig profile in combination with a custom script to get our laptops onto Wifi after they've been bound to our domain.

You can create the .mobileconfig profile with Apple Configurator, add any wireless certs your laptops might need in the profile, and then configure the wifi section with your network settings and the following username/password:

username = TESTUSER
password = TESTPASS

As part of our post-enrollment policies, we have the .mobileconfig profile installed in /Library/Scripts/Profiles and once installed run a script (pasted below) which acquires the hostname's password from Active Directory and replaces the TESTUSER and TESTPASS info in the mobile config profile to the computer hostname and the associated AD password.

On occasion, we do run into issues where for whatever reason the profile and script doesn't get the machine online. However, a reimage has always resolved the issue.

I am not the original creator of the script, but wanted to share it given our difficulty in using the JSS tools to get our laptops on our wireless network via machine auth.

Hope that's helpful!

#!/bin/bash

#####
# OSX Machine auth for 802.1x profile
# get AD machine user/pass and put into 802.1x profile template
# install the profile
#
# sed has it's own uses for '&' and '' in replacements
# and the randomly generated password sometimes has them
# So, trap and escape them before feeding into sed
#
# put the host name in 'host/computer name.yourdomain.com' format
##
# Originally by DP ~2012
# added traps and host name modification
# thp 7/16/14
#####

# Active Directory info here
PASS=`sudo /usr/bin/security find-generic-password -s "/Active Directory/YourADServerName" -w /Library/Keychains/System.keychain`
USER=`/usr/sbin/dsconfigad -show | awk '/Computer *Account/ { print $4 }'`

# trap '' and escape them
if [[ ${PASS} =~ '' ]]; then
PASS=$(echo "$PASS" | sed 's/\\/\\\\/g') 
fi

# trap '&' and escape them
if [[ ${PASS} =~ '&' ]]; then
PASS=$(echo "$PASS" | sed 's/&/\\&/g') 
fi

# trap '}' and escape them
if [[ ${PASS} =~ '}' ]]; then
PASS=$(echo "$PASS" | sed 's/}/\\}/g') 
fi

# format username as host name
USER=`echo $USER | tr -d '$'`
USER="host/${USER}.yourdomain.com"

# change template file
PROPATH='/Library/Scripts/Profiles'
PROFILE='Name_of_Your_Mobile_Config_Profile.mobileconfig'

sed -i .bak 's/TESTPASS/'${PASS}'/' ${PROPATH}/${PROFILE}
sed -i .bak 's/TESTUSER/'${USER}'/' ${PROPATH}/${PROFILE}
/usr/bin/profiles -I -F ${PROPATH}/${PROFILE}
rm -f ${PROPATH}/${PROFILE}.bak

@aporlebeke What happens when the AD computer password is updated?

Have you tried using the certificate based method? https://support.apple.com/en-au/HT204602

The certificate template for your Windows computers probably won't work. Macs don't put all the needed information into the certificate request, so you have to configure the template to build the information from Active Directory,

On Mountain Lion and higher Macs use he same protocols as Windows for getting certificates from ADCS.

On the ADCS (Active Dorectory Certificate Services) you need Server 2008 Enterprise or higher (2008 Standard doesn't support custom templates, 2008 Enterprise and up do.)

Create a Mac very template, set the Common Name to be generated from Active Direcory. Select User Principal Name, uncheck other options.

In Casper, setup a profile for 802.1x. Add the public root certificate for your Certificate Authority first, then configure obtaining the certificate from Active Directory, then you can setup your network adapters (Wi-Fi and Ethernet) to use the AD certificate for 802.1x authentication. Add your NPS (RADIUS) servers to the trusted servers in the network configuration. Wildcards
Are supported so you can do *.example.com to trust any RADIUS server in the example.com domain.

That's the extremely abbreviated I'm typing this on my iPhone version.

Just working my way through this white paper.

With Appendix C in mind, would it be acceptable to put $COMPUTERNAME in the Username field of the Network payload, rather than creating a new template?

And would it be OK to export a certificate issued to one of our Windows-based systems and upload that into the Certificate payload of the Configuration Profile? Or should the certificate come directly from the AD-CA?

@calumhunter We have not gone with the certificate method. Not clear on why, as I don't make those calls. This is just how we've done it in the past.

In answer to your question, we run a command on each machine to set the AD password interval to 0. We actually almost forgot to do this in our deployment, which is why I didn't mention it previously, which could have been bad as you might imagine ...

See below.

#!/bin/bash

dsconfigad -passinterval 0

exit 0

Fair enough, but I have never been in an organisation that doesn't have a policy that requires computer passwords to be updated on a regular basis, if machines have not updated their password within a set time frame ie 30 days they are removed from AD and of course will fail to authenticate.

Great workaround for machine authentication though

I have only been able to get a 802.1x cert manually at the moment because of an issue that it sounds like a lot of people are having. When trying to get the JSS to push out the cert, a bunch of people are getting "Failed to decrypt encrypted profile." and it will fail to deploy. I was able to get this done manually, but that would have to be done on any computer that you would want to be on the wireless network. After grabbing the root and intermediate certs from the cert server you should be able to grab and install the AD cert.

I've been told to use the certificate template that's used for our Windows-based laptops if at all possible, and that has the Service Principal Name (SPN) box checked. Our AD-CS is Windows Server 2008 Enterprise.

Is there anything else I need to do, beyond uploading the root and intermediate certs in the Certificate payload, and adding the relevant information to the General and AD Certificate payloads? I've checked the two Trusted Certificates in the Network payload and added the name of our RADIUS server to the 'Certificate Common Name'.

When installing the new profile, I get the error:

Profile installation failed.

The 'Active Directory Certificate' payload could not be installed. The certificate request failed.

@ianmb we use the same cert for our Macs & PC's via ADCS.

The thing to make sure of is that the in the request profile payload, use the cert templates name & not display name.

@bentoms Thanks. Can I just confirm that your template only has the Service Principal Name (SPN) option checked, and nothing else?

@ianmb you mean this?

@bentoms Actually ours looks slightly different (we use Windows Server 2008 R2?), and we have 'DNS Name' checked rather than SPN as I suggested earlier...

@ianmb yea. I think we're 2k8 only.

Hmm. I'd not trust our DNS for this. Haha. But that might just be our environment.

Sorry. I'm do know enough to offer you anything else atm.

@aporlebeke Are you still using the script above to do machine auth? We had been using that method with the perofile with 10.11, but it appears it doesn't work in 10.12. Just wondering if you were using it in 10.12. Thanks

@samtarr we use a network configuration profile configured with WPA2 Enterprise > PEAP enabled and enable "use Directory Authentication". The 10.12 computers appear to use the AD computer record credentials to obtain a network connection. We do need to add the trusted root cert in the profile as well.

@samtarr We are still using the script I posted on macOS Sierra 10.12.5. I've been testing it since 10.12.0 and haven't had any issues getting the profile installed or connecting to our Wifi.

Just wanted to chime in with some added tips.

We have machine authentication through Radius on AD bound machines. Recently, I noticed that machine based authentication wasn't working. We were still able to click "connect" by the 802.1x and user our AD logons to connect.

After a lot of troubleshooting, it turns out that we needed to add the certs for our Radius servers to the machines. I exported them, uploaded to our existing wifi config profiles, and updated the trust section to use those certs. Now it's all working as intended.

Thanks @debrat @aporlebeke and @coreythomas for your help. It did turn out to be a certificate issue. I think 10.12 is handling adding certs differently then 10.11 was. The certs were set to use system default and now with 10.12 I had to change them to always trusted. I have the script working again and tested the "use Directory Authentication" box which works as well. This should eliminate the need to disable our AD computer passwords changing.

So I am able to create a profile and pull down a machine cert from AD, Yay. I am also able to manually connect to our Wifi using this cert via EAP-TLS, Yay yay. I know the cert is valid and I can connect. When I attempt to deploy a profile with the WiFi network settings it fails to connect.
Mac OS 10.11.6+10.12.6
Our network guys are saying that it is not even trying to connect and it must be a config setting. This seems pretty straight forward, not sure what I might be missing.

I am using the following settings:
SSID: OurWifiNetwork (Matches SSID)
Hidden Network (No)
AutoJoin (No)
Proxy (None) Sec type (WPA2 Enterprise)
Use as login Window config (Unchecked)
Protocols: TLS
Identity Cert: AD Certificate. (Using the profile I configured that was confirmed to work)
TRUST: Added certs for root CA and Radius Server
Trust Exceptions: Checked (For now)

@jnice22 The AutoJoin (No) seems like the problem. Try switching that to yes.

@ryan.ball Gave auto-join a try. No luck. Thanks for the reply.

@jnice22 Have you run Directory Utility on that machine and verified it has an active binding to your domain?

@sdagley

Absolutely. I receive a notification and the system is rebound if it is not able to dscl . the AD domain within a certain amount of time.

Really odd that I can connect manually using the Machine Cert. I'm wondering if there is a config I can grab from the connected client to configure the settings in the jss?