802.1x Machine and user Auth

Contributor II

Hi All,

I am trying to get our computers to use Machine authentication while logged out and then when a user logs in it changes to user authentication.
I know I can set a device auth using Profile Manager and certificates, and also user authentication without profiles, as the auth prompt happens after login.
I have read several different articles: "It’s possible to use System Mode and Login Window Mode together." "If you have configured a System profile in your location, do not add a User or Login Window profile to that same location."
Funny thing is, both of these quotes come from different Apple documentation....
The whole idea is:
when a user logs on they might get an IP; they log out and the machine gets an IP.

If a staff member logs in they might get an IP, and when logged out the machine will be sent to an IP.

All this works on a Windows machine fine..... Damn Windows....

Any other machines like BYOD will be sent another IP.

So that any BYOD machines, while they will have access to the network, will be limited and not have access to other devices in other groupings.
What I have found, though, is that no matter how I set it up, the Macs will revert back to the "BYOD" IP address after they log out of a user.

While an authenticated user is logged in, the IP address change works fine once authenticated after login.
While I have a certificate-based system profile, the IP stays the same no matter who is logged in,
which is what I had expected to happen.

Have tried this:
(Adding $COMPUTERNAME to the authentication name field and leaving the password blank)
but it will not send the computer name to the switch doing the IP changes, but rather the MAC address, which is a start, as previously it was sending no information.

Any ideas?

Can I use the two methods of authentication together?


Valued Contributor

+1, this is relevant to my interests.

Contributor III

I'm wondering about this as well (being able to have machine authentication at the login window, then switch over to user authentication after the user logs in).

Is this possible, or just a pipe dream?

New Contributor II

Did anyone ever figure this out?


I'm also interested in doing the same thing.

Release Candidate Programs Tester

Very interested in this too.

New Contributor II