Question

802.1x wired authentication in MAC

  • July 22, 2014
  • 38 replies
  • 190 views


  • Valued Contributor
  • July 27, 2016

@jayd.ch So we are using machine based authentication and therefore cannot use the login window for authentication.

The profiles are defined as system mode (made in profile manager and then signed before uploading to the JSS) and should connect automatically using EAP-FAST or EAP-TLS or even another method. And they do, as long as they are made in profile manager and signed before uploading.

However, the other issue (confirmed by Apple) is that the profile, in system mode, currently only applies to the first Ethernet connection that the Mac connects with, be it a Thunderbolt-Ethernet adapter or a dock connection. Then, when a 2nd or 3rd connection is attempted, the profile goes back to User mode and prompts for credentials instead of automatically connecting, even though the profile is still defined as system mode and has the system mode keys.

That's what we were referring to above.

According to Apple, it will be (most likely) fixed in 10.12.


  • Valued Contributor
  • July 27, 2016

I wouldn't say they've said it will be fixed; I've been told it has the ear of product engineering (finally). There were AD bugs in 10.10 that had the ear of product engineering that didn't get fixed until several minor releases later. I am glad to see recent movement on this, having had my case open with Apple for almost a year.


  • Valued Contributor
  • July 27, 2016

@perrycj So I think I figured out my problem, and have just spoken with the support engineer to confirm. The supplied script appears to work fine with Thunderbolt devices but does not resolve the System Mode/User Mode issue with USB to Ethernet Adapters. I'm glad I have figured out the reason for the flaky behavior I was experiencing. Thankfully I'm one of the only ones that has a USB to Ethernet Adapter; usually we recommend the TB (for obvious speed reasons).

I did make sure to ask about time frame for resolution with product engineering and it was indicated that there is currently no ETA for a permanent fix.


  • Valued Contributor
  • July 27, 2016

@Kaltsas That's great to hear. In my testing so far, it has been with the Thunderbolt-Ethernet adapters being the first Ethernet connection and a Targus dock via USB cable being the 2nd. So far, in limited testing I'll admit, it has been consistent and fixed the issue.

Apple Enterprise Support also told me the same thing although the support engineer asked me specifically for the number of affected Macs. I let him know it was in the 1000s and he assured me he would be in product engineering's ear.


  • Contributor
  • March 28, 2017

Hi.
Do you guys have recent information about this issue?
I've done some testing today with macOS 10.12.4.
I may restore a Mac with an Apple Thunderbolt to Ethernet adapter or with a DELL USB 3.0 D3100 Dock.
So the first active Ethernet connection of the restored Mac may be the Apple adapter or the DELL dock...
What I tested today is that my NAC profile (EAP-TLS) is ok for the two situations... but the idea is that a Mac restored with one adapter should authenticate the same way with the other adapter. Actually I have a script that regularly detects new network hardware and configures the Proxy settings on it. Now I will see tomorrow if macOS is now able to apply my NAC settings to any first Ethernet connection, whatever it is.
Best regards.


  • New Contributor
  • January 8, 2018

In 10.13.x it looks like com.apple.globalethernet.managed could be used. Has anyone done this successfully?


  • Contributor
  • January 8, 2018

Hi.
Yes. I'm actually using it in the context of a Profile Manager used to manually generate a Network configuration profile.
The profile contains a Wi-Fi Payload and an Ethernet Payload applied to "all" Ethernet interfaces.
The 802.1X connection shifts automatically to the active Ethernet interface.
That was a long wait!
Best regards.


  • New Contributor
  • January 23, 2018

I'm presuming this is for 10.13 only? I'm seeing this problem (I suspect) on machines I have with 10.12. We haven't upgraded yet. I have a profile that works for wired ethernet, but I'm seeing problems with a few machines that have a thunderbolt dock in addition to a Dell usb-c dongle we've provided them.


  • Contributor
  • January 23, 2018

Yes, it is for macOS 10.13.


  • New Contributor
  • January 30, 2018

By creating a custom profile where we limited the TLS version to 1.0, we were able to resolve this. Apparently, Apple has disabled SHA-1 ciphers in High Sierra. More info in link.

https://communities.cisco.com/message/279311#279311
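
Added example, not part of any post in this thread: a Python check an administrator could run over an unsigned .mobileconfig export to see the three properties discussed above, namely whether the Ethernet 802.1X payload is per-interface or com.apple.globalethernet.managed, whether System is in SetupModes, and whether the EAP configuration caps the TLS version. The key names follow Apple's configuration profile schema; the sample profile and its display names are constructed for illustration.

```python
import plistlib

LEAP = 17                                     # IANA EAP method number for LEAP
GLOBAL = "com.apple.globalethernet.managed"   # payload type named in the thread
PER_PORT = {                                  # Ethernet types tied to one interface
    "com.apple.firstactiveethernet.managed", "com.apple.firstethernet.managed",
    "com.apple.secondethernet.managed", "com.apple.thirdethernet.managed",
}

def audit_profile(data: bytes) -> list:
    """Return (payload name, finding) tuples for the Ethernet 802.1X payloads."""
    findings = []
    for payload in plistlib.loads(data).get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype != GLOBAL and ptype not in PER_PORT:
            continue                          # skip Wi-Fi, certificates, etc.
        name = payload.get("PayloadDisplayName", ptype)
        if ptype in PER_PORT:
            findings.append((name, f"bound to one interface ({ptype})"))
        if "System" not in payload.get("SetupModes", []):
            findings.append((name, "System is not in SetupModes"))
        eap = payload.get("EAPClientConfiguration", {})
        if LEAP in eap.get("AcceptEAPTypes", []):
            findings.append((name, "accepts LEAP"))
        tls_max = eap.get("TLSMaximumVersion")
        if tls_max in ("1.0", "1.1"):         # cap below TLS 1.2
            findings.append((name, f"TLS capped at {tls_max}"))
    return findings

# Constructed sample: a first-active-Ethernet payload capped at TLS 1.0,
# a global Ethernet payload, and an unrelated Wi-Fi payload.
SAMPLE = plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
    {"PayloadType": "com.apple.firstactiveethernet.managed",
     "PayloadDisplayName": "Wired NAC (first active)", "SetupModes": ["System"],
     "EAPClientConfiguration": {"AcceptEAPTypes": [13], "TLSMaximumVersion": "1.0"}},
    {"PayloadType": GLOBAL, "PayloadDisplayName": "Wired NAC (global)",
     "SetupModes": ["System"],
     "EAPClientConfiguration": {"AcceptEAPTypes": [13, 43]}},
    {"PayloadType": "com.apple.wifi.managed", "PayloadDisplayName": "Wi-Fi"},
]})

if __name__ == "__main__":
    for name, finding in audit_profile(SAMPLE):
        print(f"{name}: {finding}")
```

A signed profile has to be decoded to its plain plist first (on macOS, `security cms -D -i profile.mobileconfig`) before `plistlib` can read it.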


  • Contributor
  • March 9, 2018

Does anyone know if there is a way to script a disconnect/pause/reconnect of the 802.1x authentication?

10.13 Macs are not connecting on first try and then do not appear to respond to the ISE server. If I disconnect and reconnect then it works as planned. If I could script that to happen when an Ethernet connection is detected, that would work.


  • Contributor
  • November 8, 2018

@ammonsc I'm looking at this also at the moment. My issue is when you start a FileVaulted Mac up with the Ethernet cable connected. The switch begins the 802.1x negotiation. From what I understand in our environment, this window is open for 30 secs before it moves over to web authentication/wired MAB policies. By the time that macOS has fully booted up, this 30 second window is over and the machine authentication doesn't complete. The only way to invoke it is to physically disconnect the network cable and reconnect.

I'm thinking maybe a simple script to do the following at login:

#!/bin/sh
# Bounce en0 to simulate unplugging and reconnecting the cable (must run as root)
ifconfig en0 down
ifconfig en0 up

Did you manage to find a way to do this?


jeroschwab
  • New Contributor
  • January 19, 2020

@Kaltsas Did you get any solution for the reconnection of the 802.1x with a USB Ethernet adapter?