AD machine auth for 802.1x in 10.6.8?

AndyBeaver
Contributor II

Has anyone successfully accomplished this? Works perfectly on 10.7+ using my config profile and $COMPUTERNAME for directory username.

1 ACCEPTED SOLUTION

bbergstein
New Contributor III

I just went through this... the easiest way to make this work was to change the template on the CA to include the UPN in the subject alternative name. This resolves the whole "username" thing, by including that in the cert itself. We just duplicated the standard computer template, named it "Giant Eagle Macs", and checked that box. There's a pretty decent writeup of this on the macenterprise Google Group at https://groups.google.com/forum/?fromgroups=#!topic/macenterprise/K1M5wl_dloQ


8 REPLIES

tkimpton
Valued Contributor II

Sorry, please explain. I don't understand.

franton
Valued Contributor III

He has a configuration profile that allows AD authentication over Wi-Fi for user accounts. I've been trying to get one working reliably on 10.8 for a while now.

Andy, can you post exact details of the profile so we can have a look?

AndyBeaver
Contributor II

Profile looks like this

[two external image links]

Again, this is working perfectly with our 10.7 and above clients. Thank you for the help in advance!

franton
Valued Contributor III

Wait a moment... I missed this earlier. Do config profiles even work on OS X 10.6.x?

AndyBeaver
Contributor II

No, .mobileconfig profiles do not work on 10.6.8 machines. @bbergstein, thank you for the info. As we roll out the 802.1x wireless for students next school year we will be using this method.
Meanwhile, this year the 10.6.8 teachers are using the wpa2e EAP-PEAP wireless with a login window profile and a system profile containing a generic login authenticated user. We made some changes to that login user on the Aruba controller that we think were causing issues. Long story short, we were making this way more complicated than it needed to be. Thanks for the cert info again.

Kumarasinghe
Valued Contributor

Hi Andy, I'm trying to get the machine authentication to work with OS X 10.8.2 clients and followed your configuration in the picture, but it fails.

Do you have any other payloads configured on this? E.g. an "AD Certificate" payload.

In my configuration I have:
- Network payload with configuration exactly like yours
- Certificate payload with AD certsrv CA certificate chain and Wi-Fi cert

I need to find out what I'm missing.

Thanks
Thusitha

AndyBeaver
Contributor II

Hey Thusitha, I don't have anything else configured in that profile. I would make sure to take a look at the Google page that bbergstein mentioned above. Modifying our cert template is what really allowed us to make this work. Also make sure you are deploying the profile at a Computer Level.