Solved

802.1x Machine Based Authentication Question



Hi guys,

We are deploying a configuration profile which contains a network payload and certificates. The aim is for machines connected by WiFi to be authenticated at the login window so that we can perform management tasks. (machine based authentication)

This works a treat. The machine authenticates and has an IP address. The problem I am having is that when a user logs in it doesn't seem to then pass through as the user; instead it stays stuck authenticated as the machine.

The reason this is a problem is because in our environment we have different VLANs for staff and students. Say, for example, a staff member logs in: we want this profile to pass through these staff credentials and then move them into the correct VLAN so that they can get more access to stuff.

I had a brief look and saw someone mentioning a similar issue a while back, but I seem to have lost that post now.

I tried to get round this by applying a user level configuration profile alongside this machine level profile however they just seem to clash and knock the wifi permanently off.

Has anyone got experience or a solution to this problem?

Best answer by jagress


9 replies

  • Contributor
  • 42 replies
  • Answer
  • October 15, 2015

What you're describing is exactly what I do too!

Did you make your profile in the JSS? If so, I don't think the option to do this is there. However, if you make the profile in Profile Manager, you can.

It's the "Use as a Login Window Configuration" checkbox that you're looking for. I believe the machine with Profile Manager installed on it has to be an Open Directory Master for this option to appear.

Hope that helps!
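As an added example (not code from the thread, from Jamf or from Apple), the following Python script audits the Wi-Fi payloads of .mobileconfig profiles for exactly the setting discussed in this answer: whether a com.apple.wifi.managed payload is machine-only ("System" setup mode) or also carries the "Loginwindow" setup mode that the "Use as a Login Window Configuration" checkbox adds, and which machine credential source its EAP configuration names. It also flags an SSID that is configured by more than one profile, which is the situation the original poster hit when a user-level profile was pushed alongside the machine-level one. The key names (SetupModes, EAPClientConfiguration, SystemModeCredentialsSource, AcceptEAPTypes, SSID_STR) are taken from Apple's Configuration Profile Reference as I understand it and should be verified against a profile exported from your own Profile Manager; the SSID, identifiers and UUID placeholders in the sample profiles are constructed for the example.

```python
"""Audit the Wi-Fi (802.1X) payloads of .mobileconfig profiles.

Added example, not code from the thread, Jamf or Apple.  It finds every
com.apple.wifi.managed payload in a profile and reports whether the payload
is machine-only (SetupModes contains "System") or also carries "Loginwindow",
which is what the "Use as a Login Window Configuration" checkbox produces.
It also flags SSIDs configured by more than one profile.  Key names follow
Apple's Configuration Profile Reference as the author of this example
understands it; the sample profiles below are constructed, not exported.
"""
import plistlib

WIFI_PAYLOAD_TYPE = "com.apple.wifi.managed"


def build_sample_profile(name, ssid, setup_modes, scope="System",
                         machine_creds=None):
    """Build a constructed sample profile as plist bytes (placeholder UUIDs)."""
    eap = {"AcceptEAPTypes": [25]}  # 25 = PEAP
    if machine_creds:
        eap["SystemModeCredentialsSource"] = machine_creds
    wifi = {
        "PayloadType": WIFI_PAYLOAD_TYPE,
        "PayloadIdentifier": f"example.wifi.{name}",
        "PayloadUUID": f"{name}-wifi",
        "PayloadVersion": 1,
        "SSID_STR": ssid,
        "EncryptionType": "WPA2",
        "AutoJoin": True,
        "EAPClientConfiguration": eap,
    }
    if setup_modes:
        wifi["SetupModes"] = setup_modes
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": f"example.profile.{name}",
        "PayloadUUID": f"{name}-profile",
        "PayloadVersion": 1,
        "PayloadScope": scope,
        "PayloadContent": [wifi],
    }
    return plistlib.dumps(profile)


def wifi_payloads(profile_bytes):
    """Return the Wi-Fi payload dicts inside a profile."""
    profile = plistlib.loads(profile_bytes)
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == WIFI_PAYLOAD_TYPE]


def audit_payload(payload):
    """Summarise one Wi-Fi payload's 802.1X setup modes and credentials."""
    modes = payload.get("SetupModes", [])
    eap = payload.get("EAPClientConfiguration", {})
    return {
        "ssid": payload.get("SSID_STR"),
        "system_mode": "System" in modes,        # authenticates before login
        "login_window": "Loginwindow" in modes,  # re-authenticates as the user
        "machine_credentials": eap.get("SystemModeCredentialsSource"),
        "eap_types": list(eap.get("AcceptEAPTypes", [])),
    }


def conflicting_ssids(*profiles):
    """Map SSIDs configured by more than one profile to those profile IDs."""
    owners = {}
    for data in profiles:
        ident = plistlib.loads(data).get("PayloadIdentifier")
        for payload in wifi_payloads(data):
            owners.setdefault(payload.get("SSID_STR"), set()).add(ident)
    return {ssid: sorted(ids) for ssid, ids in owners.items() if len(ids) > 1}


# Constructed samples (hypothetical SSID and identifiers).
MACHINE_ONLY = build_sample_profile("machine-only", "CorpWiFi", ["System"],
                                    machine_creds="ActiveDirectory")
MACHINE_AND_LOGINWINDOW = build_sample_profile(
    "machine-lw", "CorpWiFi", ["System", "Loginwindow"],
    machine_creds="ActiveDirectory")
USER_LEVEL = build_sample_profile("user", "CorpWiFi", None, scope="User")


if __name__ == "__main__":
    for label, data in [("machine only", MACHINE_ONLY),
                        ("machine + login window", MACHINE_AND_LOGINWINDOW),
                        ("user level", USER_LEVEL)]:
        for payload in wifi_payloads(data):
            print(label, audit_payload(payload))
    print("SSIDs configured by more than one profile:",
          conflicting_ssids(MACHINE_ONLY, USER_LEVEL))
```

Run it against a real exported profile by replacing the constructed samples with the bytes of the .mobileconfig file (signed profiles must be unwrapped from their CMS envelope first, e.g. with `security cms -D -i profile.mobileconfig`). A payload that reports system_mode True and login_window False is the machine-only case the original poster started with; login_window True is the behaviour the accepted answer describes.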


  • Author
  • Contributor
  • 58 replies
  • October 15, 2015

Thanks for this, I realised we were missing this option about 30 minutes after making this post! haha :) Is there any way to get rid of that annoying box that appears over the username / password?


geoffreykobrien


This is what is available in the JSS


  • Contributor
  • 42 replies
  • October 15, 2015

@jamesdurler I don't think you can get rid of that Wi-Fi selection box...

@geoffreykobrien Cool, I didn't see that in mine. I'm on 9.72 still, so maybe it was added later? But those def look like the options!


geoffreykobrien

I'm on 9.81


  • Valued Contributor
  • 138 replies
  • October 15, 2015
"Is there any way to get rid of that annoying box that appears over the username / password?"

Uncheck "Use as a Login Window Configuration". I push machine-auth profiles out as a package to install so they will connect before login and don't rely on the JSS, but are still signed.


  • Contributor
  • 42 replies
  • October 15, 2015

@barnesaw I think @jamesdurler wanted the login window config though, so that the machine reauthenticates as the user at login, so unchecking that box would remove that functionality...


  • Valued Contributor
  • 291 replies
  • October 15, 2015

I don't think OS X will do machine then user authentication, like windows does. I think the login window functionality assumes you are using user authentication with RADIUS.


  • Contributor
  • 42 replies
  • October 15, 2015

In the config that I posted a screenshot of, OS X will authenticate at the login window as the machine. If you log in with an LDAP account, it re-authenticates as the user. If you log in with a local account, it will stay connected as the machine.

