Establishing 802.1x connection at login window

ljderek
New Contributor II

We are implementing 802.1x using Cisco ISE on the back end. Currently, the project is in a testing stage, so we are using very basic configurations on the client side. The protocols used are PEAP and MSCHAPv2.

I’ve created a configuration profile that enables PEAP in the login window context and deploys the certificate.

When this configuration profile is deployed, the 802.1x connection can be made manually in the Network system preference pane and it works as intended – prompting the user for credentials and placing the connection in the appropriate VLAN.

Our Macs are all joined to AD. We would like our users to authenticate to the 802.1x network at the login window. All the guides I found for this seem to imply that this is a basic configuration that should work with the settings I’ve deployed.

I’ve tried using ProfileCreator and Jamf to create the configuration profile, with both producing the same results. The only thing I’ve really been able to try is adding the certificate payload to the configuration profile. I’ve also tried checking off “Use Directory Authentication” to no effect.

These are the only settings being deployed in the configuration profile, besides the certificate.

[Screenshot: Untitled.png]
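As an added worked example (not the poster's profile, and not Jamf's or Cisco's code), the script below builds the kind of profile described above using Apple's documented Network and Certificate payload keys: `SetupModes` set to `Loginwindow` so the credentials typed at the login window are used, `AcceptEAPTypes` 25 for PEAP (inner MSCHAPv2, as in the post), and the deployed certificate payload referenced from the 802.1X payload. It then checks the two settings that decide whether the client validates the RADIUS server before it sends MSCHAPv2 credentials: `TLSTrustedServerNames` and a `PayloadCertificateAnchorUUID` that matches a certificate payload in the same profile. The organization, identifiers, the `radius.example.org` hostname and the certificate bytes are constructed placeholders.

```python
"""Build and sanity-check a macOS 802.1X (Network) configuration profile.

Added example, not the poster's profile or Jamf's code. Key names are Apple's
documented Network and Certificate payload keys; the organization, identifiers,
server name and certificate bytes are constructed placeholders.
"""
import plistlib
import uuid

EAP_PEAP = 25  # Apple's AcceptEAPTypes value for PEAP (EAP-TLS is 13, TTLS is 21)

# Constructed placeholder; a real profile carries the DER-encoded RADIUS CA cert.
PLACEHOLDER_CA_DER = b"<DER-encoded RADIUS CA certificate goes here>"


def build_profile(trusted_server_names, anchor_to_cert=True):
    """Return a profile dict with a root-cert payload and an Ethernet 802.1X payload.

    SetupModes ["Loginwindow"] makes macOS authenticate with the credentials typed
    at the login window, so no UserName/UserPassword keys are set.
    """
    cert_uuid = str(uuid.uuid4()).upper()
    cert_payload = {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.8021x.radius-ca",  # constructed
        "PayloadUUID": cert_uuid,
        "PayloadDisplayName": "RADIUS CA (placeholder)",
        "PayloadContent": PLACEHOLDER_CA_DER,
    }
    eap = {
        "AcceptEAPTypes": [EAP_PEAP],
        # Server validation: the supplicant only completes PEAP with a RADIUS
        # server whose certificate name is listed here and chains to the anchor.
        "TLSTrustedServerNames": list(trusted_server_names),
    }
    if anchor_to_cert:
        eap["PayloadCertificateAnchorUUID"] = [cert_uuid]
    network_payload = {
        "PayloadType": "com.apple.firstactiveethernet.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.8021x.ethernet",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "802.1X Ethernet (Login Window)",
        "AutoJoin": True,
        "SetupModes": ["Loginwindow"],
        "EAPClientConfiguration": eap,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",  # login-window 802.1X must be a device-level profile
        "PayloadIdentifier": "example.8021x",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "802.1X Login Window (example)",
        "PayloadOrganization": "Example Org",  # constructed
        "PayloadContent": [cert_payload, network_payload],
    }


def check_login_window_profile(profile):
    """Return a list of findings; an empty list means the profile passes."""
    findings = []
    payloads = profile.get("PayloadContent", [])
    cert_types = ("com.apple.security.root", "com.apple.security.pem",
                  "com.apple.security.pkcs1")
    cert_uuids = {p["PayloadUUID"] for p in payloads if p.get("PayloadType") in cert_types}
    network = [p for p in payloads if p.get("PayloadType", "").endswith(".managed")]
    if not network:
        return ["no Network (802.1X) payload in profile"]
    if profile.get("PayloadScope") != "System":
        findings.append("PayloadScope must be System for login-window mode")
    for p in network:
        name = p.get("PayloadDisplayName", p.get("PayloadUUID"))
        if "Loginwindow" not in p.get("SetupModes", []):
            findings.append(f"{name}: SetupModes lacks Loginwindow")
        eap = p.get("EAPClientConfiguration", {})
        if EAP_PEAP not in eap.get("AcceptEAPTypes", []):
            findings.append(f"{name}: PEAP (25) not in AcceptEAPTypes")
        if not eap.get("TLSTrustedServerNames"):
            findings.append(f"{name}: TLSTrustedServerNames is empty")
        anchors = set(eap.get("PayloadCertificateAnchorUUID", []))
        if not anchors:
            findings.append(f"{name}: no PayloadCertificateAnchorUUID")
        elif not anchors <= cert_uuids:
            findings.append(f"{name}: anchor UUID does not match a certificate payload")
    return findings


def to_mobileconfig(profile):
    """Serialize to the XML plist bytes that a .mobileconfig file contains."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    good = build_profile(["radius.example.org"])  # constructed hostname
    print(check_login_window_profile(good) or "profile OK")
    weak = build_profile([], anchor_to_cert=False)  # no server validation
    print(check_login_window_profile(weak))
```

Write the bytes from `to_mobileconfig()` to a `.mobileconfig` file and deploy it at device level; after installation, `sudo profiles show -type configuration` lists the installed payloads so you can confirm the `Loginwindow` setup mode and the anchor certificate actually landed on the Mac before testing at the login window.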

3 replies

TheAngryYeti
New Contributor

To do this right you'll need a bit more than just a profile. JAMF Integration with ISE as MDM - Cisco Community (https://community.cisco.com › kxiwq67737 › JA...) explains it right from Cisco. The integration into Jamf solves your issue with making sure the device is compliant; this also will ensure that it's a one-stop shop for the profiles. - https://docs.jamf.com/10.41.0/jamf-pro/documentation/Network_Integration.html?hl=cisco

Thank you for this; we haven't reached this stage yet. Actually, I don't think we'll be using machine compliance. We're going to implement user-based roles: a user's group membership (in this case faculty, staff, IT) will determine which VLAN the machine is connected to.

I'm going to share this with our network admin to see about further MDM integration in the future.

You got it. The profile route can be handled by ADCS in the PKI certificates portion of JAMF; this would define a trusted certificate that comes from the networking folks and can be defined with a $user variable in the template for your purposes of 802.1x networking. In theory, with no certs, an AD-bound machine should get the cert from the CS, yet it would be generic unless you have a system that divides out traffic based on the username. This will not work on 802.1x wireless; you would need a machine+user cert to accomplish that.
https://community.jamf.com/t5/jamf-pro/802-1x-authentication-with-certificates/td-p/262303