Skip to main content
Question

802.1x User Authentication Config Profile issues

A
Forum|alt.badge.img+5

Hello Everyone,

I was wondering if anyone else has worked with this? I am running into a perplexing issue in which the users are not able to log into a laptop with their AD accounts wirelessly. I have the machines bound to the network and I am able to log into a machine with AD credentials when connected with Ethernet. If I attemped via wireless it will not log into the user IF there is no profile. It seems the portion which it validates the user then creates the mobile account isnt cooperating with me.
Here is the environment I have; Active directory accounts, 2 RADIUS servers configured for User authentication with PEAP. I have the workstations in a group that receives this config profile:

It's deployed at computer level.
Network payload
interface set to wifi. set to Auto Join configured SSID
no proxy
WPA2 enterprise
Checked "Use as a login Window configuration"
Security settings: Protocol: PEAP
UNCHECKED Directory AUthentication
Username: LDAPuser
no identity cert
no outer identity.
Login Windows Payload
checked show additional information in menu bar
selected "List of users able to use these computers"
checked local users, mobile accounts, computer admins, other.
under access tab, I have our VLAN groups added to the Allow section.
I have also a CA cert loaded into the the config profile as well.

Essentially I need the users info to authenticate them to the correct VLAN and create their account on that laptop. I have also tested the wireless setup by using a WPA personal configured SSID and it allows the user to log in and it created the profile with no issues. This does not help because then the user is on the wrong vlan.

    6 replies

    M
    Forum|alt.badge.img+7

    I am interested to see the outcome of this. I need to use 802.1x, EAP chaining and AD certificates for 2 factor auth. Currently waiting for a hot fix to be applied to one of our CAs so that the AD Certificate payload will work properly.

    P
    Forum|alt.badge.img+12
    • pat_best
    • Contributor
    • 150 replies
    • August 4, 2014

    I see that you have stated your selection for protocols (peap) but no mention of trusted certs? In my configs, I do not put "LDAPuser" in the username field but I do use the directory authentication option. If you are binding the computer to AD, one other thing to consider is that it was mentioned in another post in JAMF Nation (can't find it right now) that when binding the computer, try to bind it directly to the target OU and not bind then move it. Hope this helps a little!

    O
    Forum|alt.badge.img+14
    • ooshnoo
    • Honored Contributor
    • 351 replies
    • August 5, 2014

    We have roughly the same setup in our 802.1x profile as you do with the exception of the username field, which we leave blank. We also do not use a Login Window payload and have no issues connecting. Do you actually leave an entry filled in for the username field and deploy the profile with it, or no?

    A
    Forum|alt.badge.img+5

    The "LDAPuser" is a management account I use to keep the machine logged in prior to the user logging in. I also had to add a trusted cert to the machine to get things working properly.
    Essentially this got me up and running.
    Trusted cert, management account to keep machine logged in when user has not logged in. When a person logs in, the authentication switches to them and puts them down the right VLAN. May be an odd deployment but it's working for me.

    P
    Forum|alt.badge.img+12
    • pat_best
    • Contributor
    • 150 replies
    • August 7, 2014

    Why do you prefer to use a static LDAP account vs the computer directory authentication? Does it work better in your environment? Have you had a chance to edit your binding (if it isn't set this way already) to put your computers directly to their working OU? In a passing thought, is your mac computer OU nested? I think we were having problems due to that, but it has been a long time since then and I may be wrong....

    A
    Forum|alt.badge.img+5

    I was having the static account during the login screen to keep the device connected wirelessly for management purposes. the config would still use the users information to re-authenticate and put them on the right VLAN once they reached their desktop. I did it this way because when I attempted to use directory authentication, it would always push an error that the account was not valid even though the machine was bound to the network.

    As for the OU situation. I had the binding put the machine in it's proper OU so I would not have to move them later. This is working properly.

    The only problem I had with this layout is if there was ever a time in which the wireless was interrupted for the user, it was rely on the system ldap account and reconnect. This is a problem because it would lay them into the wrong VLAN while they were logged on.

    I ended up scrapping this idea and now working on computer certs that require user auth at login to see if this will work better.

    Reply


    Most helpful members this week

    Terms & ConditionsCookie settingsAccessibility statement

    Cookie policy

    We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

     
    Cookie settings