Posted on 10-15-2015 02:03 AM
Hi guys,
We are deploying a configuration profile which contains a network payload and certificates. The aim is for machines connected by WiFi to be authenticated at the login window so that we can perform management tasks (machine-based authentication).
This works a treat. The machine authenticates and has an IP address. The problem I am having is that when a user logs in, it doesn't seem to then pass through as the user - instead it stays stuck authenticated as the machine.
The reason this is a problem is because in our environment we have different VLANs for staff and students. Say, for example, a staff member logs in; we want this profile to pass through these staff credentials and then move them into the correct VLAN so that they can get more access to stuff.
I had a brief look and saw someone mentioning a similar issue a while back, but I seem to have lost that post now...
I tried to get round this by applying a user-level configuration profile alongside this machine-level profile; however, they just seem to clash and knock the WiFi permanently off.
Has anyone got experience or a solution to this problem?
Posted on 10-15-2015 05:14 AM
What you're describing is exactly what I do too!
Did you make your profile in the JSS? If so, I don't think the option to do this is there. However, if you make the profile in Profile Manager, you can.
It's the "Use as a Login Window Configuration" checkbox that you're looking for. I believe the machine with Profile Manager installed on it has to be an Open Directory Master for this option to appear.
Hope that helps!
Posted on 10-15-2015 06:06 AM
Thanks for this, I realised we were missing this option about 30 minutes after making this post! Haha :) Is there any way to get rid of that annoying box that appears over the username / password?
Posted on 10-15-2015 09:06 AM
This is what is available in the JSS
Posted on 10-15-2015 10:14 AM
@jamesdurler I don't think you can get rid of that wifi selection box...
@geoffreykobrien Cool, I didn't see that in mine. I'm on 9.72 still, so maybe it was added later? But those def look like the options!
Posted on 10-15-2015 10:20 AM
I'm on 9.81
Posted on 10-15-2015 10:37 AM
Is there any way to get rid of that annoying box that appears over the username / password?
Uncheck use as a login window config. I push machine-auth profiles out as a package to install so they will connect before login and don't rely on the JSS but are still signed.
Posted on 10-15-2015 10:59 AM
@barnesaw I think @jamesdurler wanted the login window config though so that the machine reauthenticates as the user at login, so unchecking that box would remove that functionality...
Posted on 10-15-2015 11:03 AM
I don't think OS X will do machine then user authentication, like Windows does. I think the login window functionality assumes you are using user authentication with RADIUS.
Posted on 10-15-2015 11:07 AM
In the config that I posted a screenshot of, OS X will authenticate at the login window as the machine. If you log in with an LDAP account, it re-authenticates as the user. If you log in with a local account, it will stay connected as the machine.