Below is an email I just sent to my team updating my progress. I am currently building 802.1x profiles with machine certs in JAMF, downloading them and installing them manually. I am also performing the AD bind manually using Apple's built in tools. If you need more info, let me know. I think I covered everything, but my brain is a bit fried ;)
Machine certs and EAP-TLS works flawlessly with local MacOS user accounts.
However, the hiccup comes when logging in with a domain account.
- Once the login is up, the machine is on Corp Wifi via EAP-TLS, verified in ClearPass (RADIUS, NAC).
- A user enters their domain creds, MacOS disconnects from Corp Wifi and attempts to login to Corp Wifi with the supplied creds.
- MacOS will attempt this half a dozen times and then fail not logging the user in - verified in ClearPass (RADIUS, NAC).
- Sometimes it will fail over automamagically and authenticate the machine when user auth fails. If it doesn’t…
- The user needs to login (click the login arrow) again, MacOS will use the machine cert and connect with EAP-TLS and the user logins without issue. - Once at the desktop, MacOS again tries to use the user’s creds to connect to wifi, which fails - verified in ClearPass (RADIUS, NAC). - If the user manually connects to Corp Wifi by selecting it from the network menu, the machine authenticates with EAP-TLS.
So does it work? Yes, but with a terrible and unreliable user experience.
The switching to user authentication seems to be baked into MacOS. I have not been able to find a preference or a setting in JAMF that will override this, almost. There is a setting in the JAMF network payload called “Use as Login Window configuration.” My research has showed me this setting, if enabled, is what produces the above behavior (screenshot attached). However, no matter how I configure the payload, I can’t disable this option. Well, I can, but as soon as I hit save, it re-enables.
Thanks in advance for any and all help!