File Vault and 802.1x Profiles

bwiessner
Contributor II

Is anyone using File Vault and also Radius / 802.1x profiles?

I am seeing weird things when trying to do the "Use as Login Window Configuration".

File Vault bypasses this and it won't show up unless you log in as the File Vault user and then log out.

In a perfect world I would like to use both -

Use as a Login Window configuration
&
Use Directory Authentication

with file vault enabled.


m_entholzner
Contributor III

You should give this a try:

defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool true

This will disable the FileVault autologin and show you the normal login window after authenticating for FileVault.

CGundersen
Contributor III

Above post (defaults command) is definitely relevant. That said, I've found the config profile does not always load recently with 10.11.2 and Profile Manager-generated (JSS-generated doesn't work at all). I've installed via APNS and manually. It seems we need a triple login (more often than not) these days to grab our 802.1x/WiFi. Perhaps something environmental was introduced here as well.

edit: just a note that I've been using -bool YES/NO to control state

HT202842

defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES

m_entholzner
Contributor III

A few months ago, we used 802.1x with username/password and had similar problems. In addition, waking up after sleep caused the WiFi in nearly all cases to fail. Along with other problems, we decided to switch to certificate-based EAP-TLS authentication. All problems we had were instantly gone with this.

BTW, using "yes" or "true" in the defaults command is the same. You can use both of them.
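As an added example (not posted by anyone in this thread), here is a small POSIX shell script that applies and verifies the `DisableFDEAutoLogin` setting from the earlier reply, and also handles the YES/true and NO/false spellings discussed just above by mapping them onto one canonical value before calling `defaults`. The plist path, key and `-bool` flag are the ones quoted in the thread; the function names and the `DEFAULTS` override variable are my own and are only there so the script can be exercised without a Mac.

```shell
#!/bin/sh
# Added example, not from the thread: set DisableFDEAutoLogin so that a
# FileVault unlock lands on the normal login window (where a login-window
# 802.1x profile can run) instead of auto-logging the unlocking user in.
# Domain and key are those quoted in the thread; helper names are mine.
PLIST=/Library/Preferences/com.apple.loginwindow
KEY=DisableFDEAutoLogin

# Map any spelling that `defaults write -bool` accepts (YES/NO, true/false,
# 1/0) onto one canonical word, so YES and true are provably the same thing.
normalize_bool() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        yes|true|1)  echo true ;;
        no|false|0)  echo false ;;
        *) echo "unrecognized boolean: $1" >&2; return 1 ;;
    esac
}

# `defaults read` prints 1 or 0 for a boolean and fails if the key is absent;
# report the absent case as "unset" so "never configured" and "false" differ.
# DEFAULTS is an assumed override hook (defaults to the real defaults(1)).
current_state() {
    v=$("${DEFAULTS:-defaults}" read "$PLIST" "$KEY" 2>/dev/null) || { echo unset; return 0; }
    case "$v" in
        1) echo true ;;
        0) echo false ;;
        *) echo "$v" ;;
    esac
}

# Write the key only when it differs from the desired state, then read it
# back to confirm. Needs root, since the plist lives under /Library.
set_fde_autologin_disabled() {
    want=$(normalize_bool "$1") || return 1
    if [ "$(current_state)" = "$want" ]; then
        echo "$KEY already $want"
        return 0
    fi
    "${DEFAULTS:-defaults}" write "$PLIST" "$KEY" -bool "$want"
    got=$(current_state)
    if [ "$got" != "$want" ]; then
        echo "verify failed: $KEY is $got, wanted $want" >&2
        return 1
    fi
    echo "$KEY set to $want"
}

# Usage: sudo sh disable_fde_autologin.sh YES   (or true / NO / false)
if [ $# -gt 0 ]; then
    set_fde_autologin_disabled "$1"
fi
```

Run it with `sudo` and the desired value; a second run with the same value reports "already" and writes nothing, which makes it safe to drop into a policy that runs on every check-in.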

CGundersen
Contributor III

@m.entholzner

When you were seeing issues with 802.1x, did you ever notice the config profile fail to load/register at Login Window (e.g. Network Interface selection doesn't appear ... only User/Password fields). That's new to us.

Reconnect on sleep went away for us with 10.11.x. Only took an OS release cycle.

YES/true NO/false ... yeah, shouldn't matter. I probably had a typo at one point and became superstitious. :)

m_entholzner
Contributor III

No, this is new for me too. There were only issues with the connection itself.

bwiessner
Contributor II

@m.entholzner

Do you have any documentation or write up on going cert based? Do you mean device cert based? Or?

Thanks in advance.

@jkosowsk @ChrisLeeSSD

m_entholzner
Contributor III

@bwiessner: Yes, we are using machine AD certificates. There is good documentation on afp548:
https://www.afp548.com/2012/11/20/802-1x-eaptls-machine-auth-mtlion-adcerts/