Posted on 07-15-2013 01:56 PM
I am trying to setup 802.1X Wired Ethernet through config profiles and after I check Use Directory Authentication and click save, when I go back it is not there! Has anyone been successful at deploying Macs with a WIRED ethernet connection using 802.1x authentication w/root CA certificates using Casper?
We are using certs for 802.1.x authentication over Wireless fine but NOT with configuration profiles. I am looking to deploy wired using a mobile config file but it is not working.
Posted on 07-16-2013 12:11 PM
Yes, we use wired 802.1x with Directory Authentication here, so systems use their own Active Directory credentials to authenticate when plugged into the wired network. This is different from our wireless 802.1x which uses individual machine certs.
I don't deploy chain certs inside configuration profiles though, I install them to the keychain and set trust via script and put the whole thing into a package with a postflight script to do all the work. I find packages easier to handle and they can be installed in any context.
Can you confirm that you want to use the system's AD credentials for 802.1x auth on wired? It sounds like you may be trying to use certs for authentication, which is different from Directory Authentication and could explain why that option is deselecting itself.
Here is our config profile XML (slightly scrubbed):
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>AuthenticationMethod</key>
<string>directory</string>
<key>AutoJoin</key>
<true/>
<key>EAPClientConfiguration</key>
<dict>
<key>AcceptEAPTypes</key>
<array>
<integer>25</integer>
</array>
<key>OneTimeUserPassword</key>
<false/>
<key>SystemModeCredentialsSource</key>
<string>ActiveDirectory</string>
<key>TTLSInnerAuthentication</key>
<string>MSCHAPv2</string>
<key>UserName</key>
<string></string>
<key>UserPassword</key>
<string></string>
</dict>
<key>EncryptionType</key>
<string>Any</string>
<key>HIDDEN_NETWORK</key>
<false/>
<key>Interface</key>
<string>FirstActiveEthernet</string>
<key>PayloadDisplayName</key>
<string>Ethernet 1</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>com.company.wired8021xconf</string>
<key>PayloadType</key>
<string>com.apple.firstactiveethernet.managed</string>
<key>PayloadUUID</key>
<string>bcfc0490-c46e-012f-52da-442c030cc3db</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>ProxyType</key>
<string>None</string>
<key>SetupModes</key>
<array>
<string>System</string>
</array>
</dict>
</array>
<key>PayloadDescription</key>
<string>Wired 802.1x Profile for Company wired networks</string>
<key>PayloadDisplayName</key>
<string>Wired 802.1x</string>
<key>PayloadIdentifier</key>
<string>com.company.wired8021x</string>
<key>PayloadOrganization</key>
<string>Company</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>8b825110-c46e-012f-52d8-442c030cc3db</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
Posted on 07-17-2013 08:55 AM
Thank You Alex. The goal of our implementation is to have the machines authenticate to the wired network using the configuration profile. I see that you are passing credentials through the xml using TTLS/MSCHAPv2. Can this be done with PEAP? Is that a service account? What username and pass combo would be used in your instance?