802.1x Machine Authentication After In-Place Upgrade Issue

TAPerkins
New Contributor

Our environment currently has Casper Server 9.96, Cisco ISE 1.4 (currently not integrated), and we have been unable to get our machines to machine auth to our network after being upgraded to 10.13 (This actually hasn't been working in our environment since 10.11.x). We also are having machine auth issues with 802.1x over ethernet as well. I have tried a few different things, and currently have an escalated ticket open with JAMF support, but I also wanted to make a post here. Our environment uses PEAP (Machine) and TTLS (Mobile devices and Printers) for EAP protocols. I've read up about the TLS configuration information listed throughout JAMFnation and other sources. Nothing has worked to this point.

We are AD bound, and have two domains (Domain1 and Domain2). When the systems are connected and machine auth is passed (this has to be done on Non-Cisco ISE controlled ports) everything works fine, and will work fine on wireless using Domain1/Machinename. Post upgrade, and when trying to connect to a Cisco ISE managed port, logs show that the machine cannot be found in AD, and is attempting to use Domain2/Machinename. I have been unable to find where the machine is pulling the Domain2 information from up to this point (I've looked in varying different log files to see if that domain is listed anywhere to no avail). Our Casper server is hosted on Domain2, and that is the only thing I can think of at this point.

I know that user auth on the config profile works with the auth at login box checked in the config profile; however, our networking team does not want to go that route. Any assistance would be greatly appreciated.

boberito
Valued Contributor

So we have a bit simpler of a setup. But for years, post in-place upgrade, we've run into 802.1x issues for our wireless setup. We don't have an 802.1x wired network; it's unauthenticated, thankfully, and just plugging into that for 10 seconds solves the wireless. Nobody has an idea, and we don't want to pay for enterprise Apple support for that.

Sorry, this probably doesn't help much.