802.1X Wireless with AD bound Machine Authentication

wlevan
New Contributor III

We are using 802.1X Wireless with AD-bound Macs. I am unable to get it to use the machine AD account in the Keychain that gets added when you bind to AD. If I look at the account in the Keychain and grab the user name and password, I am able to manually log in to the wireless as the machine AD account, but it never pulls the user name and password automatically. I have looked at the articles, but some are using certificates and some aren't bound to AD. I am bound to AD and I just want to use PEAP and have it use the account and password it already knows about.

Please help.


wlevan
New Contributor III

Figured it out. You need to add the cert that you would normally get when you sign in manually. Add it to the policy and make it trusted.

user-jNTfTPgEvG
New Contributor

In this guide, IEEE 802.1X Authenticated Wireless Access with PEAP-MS-CHAP ... Active Directory Domain Services (AD DS) Users and Computers. ... A client computer trusts a CA when the CA certificate is installed in the Trusted Root ... Activities of a certification authority can include binding public keys to

user-jNTfTPgEvG
New Contributor

Thanks for the update and quick reply. I'll be sure to keep an eye on this thread. Looking for the same issue. Bumped into your thread. Thanks for creating it. Looking forward to a solution.

user-jNTfTPgEvG
New Contributor

Glad you like it. We have been using this for several weeks now and it seems to be going nicely. I also have this same question and I cannot find any proper answers on the internet and also here. Need solution.

AJPinto
Honored Contributor II

We are having a similar issue and had to loop in JAMF support; we use machine certificates with WPA2 encryption over user certificates, though. We hit a hard block with some stuff with our RADIUS servers due to a transition with our CA earlier this year and are stuck until that fully finishes. Unfortunately, in short, this is a total mess and JAMF does not have a lot of documentation on it.

perryd84
Contributor II

I'm having a similar issue.

We have all the certs in place and the network config profile is set to use the correct cert, but once the device is plugged into a secure Ethernet port the CA server gives the device an AD certificate, the connection drops, and the user is prompted to select the certificate to use.

Obviously the user cancels this or selects the wrong cert and it bombs out.

Any ideas how to force the machine cert to be used?

On a side note we also have JAMF Connect builds which are not domain bound anymore and they work perfectly but we do have a need for certain devices to be bound still.

user-JonkYeGnIs
New Contributor

JAMF newbie here. I'm a Network Engineer and have never worked with JAMF before. MacBooks at my company are managed by JAMF through a third-party company. I'm trying to understand how a MacBook is sending 'computer' credentials to the RADIUS server (ISE in this case).

For example, my MacBook is domain joined and can connect to the Wi-Fi using PEAP-MSCHAPv2. We only do computer authentication, so the name of the computer (username) is sent out to the RADIUS server alongside the password. Can you please explain how this is configured through JAMF? How does the Mac know which credentials to send? My understanding is that when we join a Mac to AD, a password is created automatically and saved in the Keychain. Is this right? I have an 802.1X profile under Network > Wi-Fi > 802.1X, but it only has protocol information and the certificates. I couldn't find anywhere about the credentials.

Thanks in advance
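An added example, not from any poster here and not Jamf's own output, of what a Jamf Network payload amounts to for the machine-auth case this thread describes: a profile carrying the RADIUS CA marked trusted (wlevan's fix) and a Wi-Fi payload whose System-mode supplicant takes its PEAP identity and password from the AD bind (the credential question in the last post). SSID, server hostname, identifiers, UUIDs and the empty certificate body are placeholders to be replaced with your own values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadDisplayName</key><string>Corp Wi-Fi 802.1X machine auth (example)</string>
  <key>PayloadIdentifier</key><string>com.example.wifi.machineauth</string>
  <key>PayloadScope</key><string>System</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <!-- Certificate payload: the RADIUS server's issuing CA, deployed as trusted. -->
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadIdentifier</key><string>com.example.wifi.machineauth.radiusca</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-0000000000CA</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadDisplayName</key><string>RADIUS CA (placeholder)</string>
      <!-- Placeholder: put the base64 DER of your RADIUS CA certificate here. -->
      <key>PayloadContent</key><data></data>
    </dict>
    <!-- Wi-Fi payload: PEAP, credentials taken from the AD computer account. -->
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadIdentifier</key><string>com.example.wifi.machineauth.wifi</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-0000000000F1</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>SSID_STR</key><string>CorpWiFi</string>
      <key>AutoJoin</key><true/>
      <key>EncryptionType</key><string>WPA2</string>
      <!-- System mode: the supplicant authenticates before any user logs in. -->
      <key>SetupModes</key>
      <array><string>System</string></array>
      <key>EAPClientConfiguration</key>
      <dict>
        <key>AcceptEAPTypes</key>
        <array><integer>25</integer></array> <!-- 25 = PEAP -->
        <!-- Use the computer account and password stored by the AD bind
             instead of a UserName/UserPassword embedded in the profile. -->
        <key>SystemModeCredentialsSource</key><string>ActiveDirectory</string>
        <!-- Pin server trust to the CA payload above so no trust prompt appears. -->
        <key>PayloadCertificateAnchorUUID</key>
        <array><string>00000000-0000-0000-0000-0000000000CA</string></array>
        <key>TLSTrustedServerNames</key>
        <array><string>radius.example.com</string></array>
        <key>TLSAllowTrustExceptions</key><false/>
      </dict>
    </dict>
  </array>
</dict>
</plist>
```

With TLSAllowTrustExceptions set to false, a RADIUS server presenting a certificate outside the anchored CA or outside TLSTrustedServerNames fails authentication rather than prompting the user, which is the behaviour you want on an unattended system-mode connection.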