802.1x Machine Pre-auth Questions

Valued Contributor II

My infrastructure is finally configured to support 802.1x machine auth. I'm excited to deploy. I'm late to the party, but I finally made it.

Final testing is in progress now. I'm trying to test every scenario that might happen once in production. My Jamf 802.1x profile seems to work most of the time, but there are a few scenarios that fail during testing.

1) Laptops running FileVault 2 don't authenticate until the user logs in (no machine pre-auth). I assume I have to disable login window pass-through to allow FV2 and 802.1x to peacefully co-exist. This will make users authenticate twice. Is this correct?

2) If I reboot my Mac laptop, 802.1x works 100% of the time. But if I simply log out (not reboot) and attempt to log in again, I get the red dot warning "No network accounts available" message in the login window.

3) Does the Wi-Fi interface need to be at the top of the Service Order list in the Network preference pane? I have noticed that if the interfaces are in the wrong order, there might be times when I can't use Wi-Fi or Ethernet, and thus I am forced to use cached credentials (or I am 'locked out' of the laptop). If this is the case, how do you force Mac laptops to use Wi-Fi before other interfaces? Script? Profile? Policy?

4) If the 802.1x says "connected" in the Network preference pane GUI, does that mean the computer is authenticated, or that the end user is authenticated?

5) Do you manage 802.1x from a dedicated Network Location Set?

My environment is fairly vanilla:

-Jamf 10.3.1
-Mostly macOS 10.12 & macOS 10.13
-AD (2012 R2 functional level)
-Manage Mobile accounts
-Cisco ISE Radius and WLC
-Profile has (2) payloads: AD Certificate payload and Network settings payload (WPA2 Enterprise & PEAP/TLS)
-All Macs already have my PKI certificate server trust chain in the System Keychain


New Contributor III
  1. Yes, your users will have to authenticate twice; FileVault prevents auto login.

  2. If your accounts are "Managed and Mobile", this should allow for login regardless of network connectivity. In addition, check the following: System Preferences > Network > Advanced. Under the 802.1x tab, confirm "Enable automatic connection" is checked.

  3. Our 802.1x policy is only for Ethernet connections. We allow our customers to turn Wi-Fi on/off. You can configure priorities by going to System Preferences > Network. Click the gear drop-down and select "Set Service Order", then move Wi-Fi up.

  4. The Computer is authenticated.

  5. Yes our 802.1x is managed from a dedicated Network Location.

Are you familiar with Enterprise Connect? This is a great application that will authenticate your users to AD. This is another method we use for network accounts. I hope I was of some help. Good Luck!!
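A scripted counterpart to the "Set Service Order" step above, answering the original question 3 (forcing Wi-Fi ahead of other interfaces from a script or policy). This is an added example, not code from either poster: it assumes macOS `networksetup` is available on the Mac, and the SAMPLE_SERVICES list is constructed to mimic `networksetup -listallnetworkservices` output.

```shell
#!/bin/sh
# Added example (not from the thread): put Wi-Fi at the top of the macOS
# Network service order using networksetup. The ordering logic is kept in a
# function that reads stdin so it can be exercised without a Mac.
# SAMPLE_SERVICES is constructed, mimicking `networksetup -listallnetworkservices`
# on a laptop where a disabled Bluetooth PAN service is marked with '*'.
SAMPLE_SERVICES='An asterisk (*) denotes that a network service is disabled.
Thunderbolt Ethernet
Wi-Fi
*Bluetooth PAN'

# wifi_first: read service names on stdin in -listallnetworkservices format,
# drop the explanatory header line, strip the leading '*' of disabled services
# (networksetup does not accept the asterisk as part of a name), and print the
# preferred service first followed by the others in their existing order.
# If the preferred service is not present, the order is printed unchanged.
wifi_first() {
  preferred="${1:-Wi-Fi}"
  grep -v '^An asterisk' | sed 's/^\*//' | awk -v p="$preferred" '
    $0 == p { found = 1; next }
    NF      { rest[++n] = $0 }
    END {
      if (found) print p
      for (i = 1; i <= n; i++) print rest[i]
    }'
}

# apply_order: compute the new order from the live service list and hand every
# name to networksetup as a separate argument (it rejects a partial list).
# Run as root on the Mac, e.g. from a Jamf policy script: apply_order Wi-Fi
apply_order() {
  preferred="${1:-Wi-Fi}"
  set --
  while IFS= read -r svc; do
    set -- "$@" "$svc"
  done <<EOF
$(networksetup -listallnetworkservices | wifi_first "$preferred")
EOF
  [ "$#" -gt 0 ] || { echo "no network services found" >&2; return 1; }
  networksetup -ordernetworkservices "$@"
}

# Dry run on the constructed sample (no networksetup needed).
printf '%s\n' "$SAMPLE_SERVICES" | wifi_first Wi-Fi
```

Run `apply_order Wi-Fi` on the Mac itself to apply the computed order; the dry run at the bottom only prints what that order would be.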

Valued Contributor II

Thanks @bbracey

  1. Gotcha. I figured that was the case due to the disk being encrypted at the point in boot/login process (chicken-and-egg).

  2. I understand, but most users here have multiple computers, so it's possible a user has changed their AD password on a Mac/PC desktop while their Mac laptop is at home. Next time they bring the Mac laptop in, it would be nice to have 802.1x allow the user to verify/sync the AD password at the Login Window, rather than having to log in with a "stale" cached Keychain password (this is my end users' biggest complaint here).

  3. I'm not sure how I will approach this. Some Mac laptop users have Ethernet ports/dongles and others prefer to be 100% wireless if possible. So managing the Service Order will take research and planning, as it may cause unexpected/undesirable results for certain laptop users.

  4. Are your Location Sets configured at imaging/deployment/onboarding time or dynamically pushed via profile/policy?

Yes - I have budgeted for Enterprise Connect, but it hasn't made the cut with management yet. I do have NoMAD deployed on most newer systems (replaced ADPassMon). It is mainly used for password expiration notifications, and it helps with users who call the Help Desk complaining about SSO (Kerberos) not working (mostly laptop users that come and go from the LAN and never reboot, and thus TGTs get stale).

New Contributor III

@dstranathan Did you manage to deploy 802.1x (PEAP) for wired LAN? If yes, can you please share the details. For me, the configuration profile is unable to request the certs from our internal Windows CA server.

Valued Contributor II

@Santosh We don't use 802.1x for wired Ethernet - sorry. And we are removing PEAP soon on our WLAN (using only TLS)