Posted on 07-27-2018 10:48 AM
We are using Cisco AnyConnect for network authorization with machine-based certificate authentication. This works when logged in with local admin, but we are unable to log into the machine with domain credentials (despite being a domain-joined machine with the "create mobile accounts" option checked). It appears as though the network connection is lost upon logout, or at least the machine is no longer postured, which is prohibiting network access. This is identified by the Wifi signal showing empty at the login screen and a "network accounts unavailable" message.
Anyone had any success with getting Macs to attach to Wifi pre-login? We would like the machine to posture with AnyConnect (since it's using a machine cert) before login.
Posted on 07-27-2018 02:05 PM
You might want to read through this thread for some ideas:
https://www.jamf.com/jamf-nation/discussions/26097/mac-sierra-802-1x-wireless-before-login
Posted on 07-27-2018 05:57 PM
Is this only when your users are attempting to log in for the first time? Our provisioning workflow requires our provisioners to be on our LAN or connected to WiFi AnyConnect during provisioning. Provisioning occurs as a local admin, and then the provisioner logs out of the local admin and has the user log in as themselves. In almost all cases, this is done on the LAN, but we have one office that has to use the WiFi VPN option. What we discovered is that this workflow would not work without an additional step. After provisioning was complete but before logging out of the local admin, Terminal was opened and "su username" was entered, prompting the user for their AD password and performing an initial transfer of the user and credentials between the Mac and AD while still on VPN. This extra step would then allow the user to log in at the login screen even though AnyConnect was no longer connected. If that Terminal command wasn't entered, then the symptoms were similar to what you initially described. Afterward, all subsequent logins worked fine regardless of VPN connection because of being a mobile user. But like I said, this would only be relevant to you if your issues are on the initial login only.
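As an added example (not code from any post in this thread), here is a small POSIX sh helper a provisioner could run before logging out of the local admin, to confirm that the "su username" step actually left a cached Active Directory mobile account behind. It assumes macOS's dscl "key: value" output layout, that a cached AD mobile account carries ";LocalCachedUser;" in its AuthenticationAuthority and an OriginalNodeName attribute; the function names and the sample records are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: verify that a user already has a cached
# AD mobile account (so login works without AnyConnect being connected).

# Return 0 if the dscl record on stdin describes a cached AD mobile account.
# Assumption: mobile accounts carry ";LocalCachedUser;" in AuthenticationAuthority
# and an OriginalNodeName attribute naming the directory node they came from.
is_cached_mobile_record() {
    record=$(cat)
    printf '%s\n' "$record" | grep -q 'LocalCachedUser' || return 1
    printf '%s\n' "$record" | grep -q '^OriginalNodeName:' || return 1
    return 0
}

# Live check on macOS for one short name.
# Exit status: 0 = cached mobile account, 1 = record exists but is plain local,
# 2 = no local record at all (the "su" step was never run, or failed).
check_mobile_account() {
    user=$1
    record=$(dscl . -read "/Users/$user" AuthenticationAuthority OriginalNodeName 2>/dev/null) || return 2
    printf '%s\n' "$record" | is_cached_mobile_record
}

# Constructed sample records (hypothetical domain EXAMPLE, user jdoe) for offline use.
SAMPLE_MOBILE='AuthenticationAuthority: ;LocalCachedUser;/Active Directory/EXAMPLE/example.com:jdoe:S-1-5-21-1111-2222-3333-1001 ;Kerberosv5;;jdoe@EXAMPLE.COM;EXAMPLE.COM;
OriginalNodeName: /Active Directory/EXAMPLE/example.com'

SAMPLE_LOCAL='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2> ;SecureToken;'

# Offline demonstration against the constructed samples.
printf '%s\n' "$SAMPLE_MOBILE" | is_cached_mobile_record && echo "sample mobile record: cached, safe to log out"
printf '%s\n' "$SAMPLE_LOCAL" | is_cached_mobile_record || echo "sample local record: not a mobile account, run su first"

# On a real Mac, pass the user's short name: check_mobile_account jdoe
```

The live check only reads the local directory node, so it works whether or not the VPN is still up, which is exactly the state the login screen will be in.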