AD Conntection (WiFi) befor Login

ds_support
New Contributor III

Hello Jamf-Community,

Since a few days, we are use Casper Suite. We are useing a Active Directory but we have a problem with the AD Connection at the Login.

How I can conntect to the WiFi in the Login Screen? At the moment we need a Ethernet Connection to get all Policies. If the Macbook is not connected by Ethernet, he use the Mobile Account and after the login he connected to the Wifi. Befor we can start the enroll we need to fix this issue, that we get a Wifi Connection on the Login Screen. We use a WPA2 Enterprise Wifi, it is connected to our AD for a easy login.

Maybe everyone can help me to fix this issue?

Many Thanks
Christian

1 ACCEPTED SOLUTION

apizz
Valued Contributor

We have custom solution at our shop in order to achieve something close to Windows machine authentication, rather than user authentication to ensure our computers are connected to our network at the login window.

This involves installing a DMG in a known location which contains a configuration profile which has our certs and an account with the username TESTUSER and the password TESTPASS. After install we have a script generate a random password (security find-generic-password), replace the TESTUSER with the computername from AD (dsconfigad) and TESTPASS with the randomly generated password, and then installs the profile. We've used this since 2014 with success.

If this sounds like something you'd be interested in @c.knipping let me know and I'll post it here.

View solution in original post

10 REPLIES 10

RogerH
Contributor II

@c.knipping 49daa01b4d5a4850a585c707f2876462
its in the network payload but you have to scope it to the computer level.

RogerH
Contributor II

@c.knipping hope this helps

jconte
Contributor II

We used certificate based authentication for wireless and have no issues. We can login with our AD credentials and everything runs as if it was wired.

ds_support
New Contributor III
We used certificate based authentication for wireless and have no issues. We can login with our AD credentials and everything runs as if it was wired.

Many Thanks, I try this option! If it work I send a Feedback next days.

davidacland
Honored Contributor II

@c.knipping

We've done this quite a few times for our customers. In every case there has been a different challenge. Certificate templates and permissions, incompatibilities with the authentication server etc.

The basic setup will require a profile to get an AD certificate and deploy a wireless profile using the certificate for authentication.

Ideally you'll get some input from the person looking after the CA server and the person looking after the wireless network and RADIUS service as there is often a bit of troubleshooting involved.

Not applicable

We have just been through this and solved this by having our CA certificate for our RADIUS on the profile and ticking the use login window configuration

apizz
Valued Contributor

We have custom solution at our shop in order to achieve something close to Windows machine authentication, rather than user authentication to ensure our computers are connected to our network at the login window.

This involves installing a DMG in a known location which contains a configuration profile which has our certs and an account with the username TESTUSER and the password TESTPASS. After install we have a script generate a random password (security find-generic-password), replace the TESTUSER with the computername from AD (dsconfigad) and TESTPASS with the randomly generated password, and then installs the profile. We've used this since 2014 with success.

If this sounds like something you'd be interested in @c.knipping let me know and I'll post it here.

simonep
New Contributor III

Yes, I would be interested in you posting your solution. Many thanks!

chad_fox
Contributor II

@aporlebeke I'd be interested as well. Thanks!

apizz
Valued Contributor

Below is the script we use. This is something my shop came up with and has worked successfully. Rarely, we'll have an issue where for whatever reason it doesn't properly enter the computer AD hostname and randomly generated password in the configuration profile, but we have a policy setup in Self Service so that we can run a script to uninstall the profile and remove the dmg, and then reinstalls the DMG and reruns the script. Again, happens VERY rarely but something we've developed a quick fix for.

I did not personally create the script OR the config profile. There are tools out there such that you could create a config profile that contains the certs and other information computers in your environment need to connect to Wifi. The script below requires TESTUSER and TESTPASS to be the entered username/password in the config profile.

#!/bin/bash

#####
# OSX Machine auth for 802.1x profile
# get AD machine user/pass and put into 802.1x profile template
# install the profile
#
# sed has it's own uses for '&' and '' in replacements
# and the randomly generated password sometimes has them
# So, trap and escape them before feeding into sed
#
# put the host name in 'host/computer name.YOURDOMAIN.com' format
##
# Originally by Dan P ~2012
# added traps and host name modification
# thp 7/16/14
#####

PASS=`sudo /usr/bin/security find-generic-password -s "/Active Directory/YOURDOMAIN" -w /Library/Keychains/System.keychain`
USER=`/usr/sbin/dsconfigad -show | awk '/Computer *Account/ { print $4 }'`

# trap '' and escape them
if [[ ${PASS} =~ '' ]]; then
PASS=$(echo "$PASS" | sed 's/\/\\/g') 
fi

# trap '&' and escape them
if [[ ${PASS} =~ '&' ]]; then
PASS=$(echo "$PASS" | sed 's/&/\&/g') 
fi

# format username as host name
USER=`echo $USER | tr -d '$'`
USER="host/${USER}.YOURDOMAIN.com"

# change template file
PROPATH='/path/to/config/profile/template'
PROFILE='name_of_config_profile.mobileconfig'

sed -i .bak 's/TESTPASS/'${PASS}'/' ${PROPATH}/${PROFILE}
sed -i .bak 's/TESTUSER/'${USER}'/' ${PROPATH}/${PROFILE}
/usr/bin/profiles -I -F ${PROPATH}/${PROFILE}
rm -f ${PROPATH}/${PROFILE}.bak

exit

Fix script that uninstalls profile and deletes the config template file. You'll need the profileIdentifier of the config profile that you want to delete:

#!/bin/bash

# Uninstalls faculty machine auth profile based on its profileIdentifier
sudo -u root profiles -R -p name.of.configprofile.profileIdentifier

# Deletes previously installed faculty machine auth profile
sudo rm -rf /path/to/config/profile/template/name_of_config_profile.mobileconfig

exit