802.1x Machine Based Authentication Question

jamesdurler
Contributor

Hi guys,

We are deploying a configuration profile which contains a network payload and certificates. The aim is for machines connected by WiFi to be authenticated at the login window so that we can perform management tasks. (machine based authentication)

This works a treat. The machine authenticates and has an IP address. The problem I am having is that when a user logs in, it doesn't seem to then pass through as the user - instead it stays stuck authenticated as the machine.

The reason this is a problem is because in our environment we have different VLANs for staff and students. Say, for example, a staff member logs in: we want this profile to pass through these staff credentials and then move them into the correct VLAN so that they can get more access to stuff.

I had a brief look and saw someone mentioning a similar issue a while back, but I seem to have lost that post now...

I tried to get round this by applying a user level configuration profile alongside this machine level profile; however, they just seem to clash and knock the WiFi permanently off.

Has anyone got experience or a solution to this problem?

1 ACCEPTED SOLUTION

jagress
New Contributor III

What you're describing is exactly what I do too!

Did you make your profile in the JSS? If so, I don't think the option to do this is there. However, if you make the profile in Profile Manager, you can.

It's the "Use as a Login Window Configuration" checkbox that you're looking for. I believe the machine with Profile Manager installed on it has to be an Open Directory Master for this option to appear.

Hope that helps!

9 REPLIES 9

jamesdurler
Contributor

Thanks for this. I realised we were missing this option about 30 minutes after making this post! Haha :) Is there any way to get rid of that annoying box that appears over the username / password?

geoffreykobrien
Contributor

This is what is available in the JSS

jagress
New Contributor III

@jamesdurler I don't think you can get rid of that wifi selection box...

@geoffreykobrien Cool, I didn't see that in mine. I'm on 9.72 still, so maybe it was added later? But those def look like the options!

geoffreykobrien
Contributor

I'm on 9.81

barnesaw
Contributor III

"Is there any way to get rid of that annoying box that appears over the username / password?"

Uncheck use as a login window config. I push machine-auth profiles out as a package to install so they will connect before login and don't rely on the JSS but are still signed.

jagress
New Contributor III

@barnesaw I think @jamesdurler wanted the login window config though, so that the machine reauthenticates as the user at login, so unchecking that box would remove that functionality...

Kaltsas
Contributor III

I don't think OS X will do machine then user authentication, like Windows does. I think the login window functionality assumes you are using user authentication with RADIUS.

jagress
New Contributor III

In the config that I posted a screenshot of, OS X will authenticate at the login window as the machine. If you log in with an LDAP account, it re-authenticates as the user. If you log in with a local account, it will stay connected as the machine.
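
A way to check what a Wi-Fi profile declares before deploying it, as an added example that is not from any poster in this thread: the script reads an unsigned .mobileconfig and lists the setup modes on each 802.1X payload. It assumes the "Use as a Login Window Configuration" checkbox corresponds to the `Loginwindow` value of the `SetupModes` key in Apple's `com.apple.wifi.managed` payload (the thread does not show the profile XML); the sample profile and SSID are constructed.

```python
import plistlib

# Constructed sample (not from the thread): an unsigned system-level profile
# with one 802.1X Wi-Fi payload declaring both setup modes.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadScope</key><string>System</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.wifi.managed</string>
    <key>SSID_STR</key><string>ExampleCampus</string>
    <key>EncryptionType</key><string>WPA2</string>
    <key>SetupModes</key><array>
      <string>System</string><string>Loginwindow</string>
    </array>
    <key>EAPClientConfiguration</key><dict>
      <key>AcceptEAPTypes</key><array><integer>25</integer></array>
    </dict>
  </dict></array>
</dict></plist>"""

# Summary of the two modes as understood from Apple's profile documentation
# (an assumption of this example, not something stated in the thread).
MODE_MEANING = {
    "System": "machine credentials, used while no user is logged in",
    "Loginwindow": "credentials typed at the login window",
}

def wifi_setup_modes(profile_bytes):
    """Map each 802.1X Wi-Fi SSID in the profile to its sorted SetupModes."""
    profile = plistlib.loads(profile_bytes)
    modes = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.wifi.managed":
            continue
        if "EAPClientConfiguration" not in payload:
            continue  # PSK or open network, not 802.1X
        ssid = payload.get("SSID_STR", "<no SSID>")
        modes[ssid] = sorted(payload.get("SetupModes", []))
    return modes

def report(profile_bytes):
    """Return one line per SSID naming the authentication modes it declares."""
    lines = []
    for ssid, modes in wifi_setup_modes(profile_bytes).items():
        detail = "; ".join(f"{m}: {MODE_MEANING.get(m, 'unknown mode')}" for m in modes)
        lines.append(f"{ssid}: {detail or 'no SetupModes declared'}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_PROFILE)))
```

A signed profile is CMS-wrapped and has to be unwrapped before `plistlib` can parse it.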