Help needed so Active Directory users can log into MacBooks on wireless

lrhodes
New Contributor II

I was wondering if anyone has had any luck setting this up?

Basically we're trying to get some MacBooks to always be logged on to an SSID with a config profile. That part works. We then want users to be able to log in using their Active Directory logins, mount their home drives etc. and give us visibility of who's logging into the machine.

I already have the configuration profile set up so the Mac is permanently connected to our chosen SSID. However, when you authenticate with your user details, rather than logging on via AD (as we'd expect from an Ethernet-connected and bound device), it takes over the wireless login and logs in using the details from the user on the wireless.
 
Because of the switch in user details the wireless signal drops and then reappears, meaning the authentication intermittently fails. On a good day it'll work like a dream; I have managed to log in 10 times in a row. On a bad day it takes 3 attempts to get in, which isn't great.
 
Am I right in thinking that if the AD profile is set up correctly, the machine will stay logged into the Wi-Fi with the user settings already configured in the network payload? Then the AD profile will handle logging into the machine, mounting the home area, etc.?
 
Each time we attempt to install the AD config profile it fails. We get:
 
The 'Active Directory Certificate' payload could not be installed. The certificate request failed.  Make sure that RPC is enabled on the server.
 
And
 
-319 (The 'Active Directory Certificate' payload could not be installed. The certificate request failed.  Make sure that RPC is enabled on the server.)

RPC is 100% enabled otherwise AD wouldn’t be working.
 
I have been following this post:
 
https://www.afp548.com/2012/11/20/802-1x-eaptls-machine-auth-mtlion-adcerts/
 
AD server side we have followed a Jamf Nation discussion where they recommended doing the following:
 
“Make the OS X Machine authentication to RADIUS as well as Loginwindow authentication

1) First we have to download the CA certificate chain from Active Directory Certificate Service
  Go to: http://Your-AD-Server/certsrv/ and click "Download a CA certificate, certificate chain, or CRL"

2) Click "Download CA certificate chain" It will download a cert chain called "certnew.p7b"

3) Double-click the "certnew.p7b" to import it into "Keychain Access"

4) Double-click the imported Certificate (e.g- AD-CA1)

5) Expand "Trust"

6) Select "Always Trust" for "When using this certificate" to trust this cert for all

7) Right-click on the certificate (AD-CA1) and select Export...

8) Export as (.cer) certificate and Save to Desktop

9) Go to Keychain and select Thawte Premium Server CA (this is only in our environment to trust the eduroam certificate, so change settings to suit your Wi-Fi settings)

10) Export the .cer Certificate file to Desktop

11) Then we have to create a new AD machine certificate template on the AD cert server. The easiest way of doing this is to duplicate the Windows Machine template (named WorkstationAuthentication in our environment) and name it for Mac

12) Right-click and select "Duplicate Template"

13) Select "Windows Server 2003 Enterprise"

14) Then Edit the Template as in the next step

15)

(i) Name it like "OSX Workstation Certificate"; this will automatically create the Template Name without spaces. You should use the name without spaces in the "AD Certificate" payload in JSS.

(ii) In the "Subject Name" field, tick "User principal name (UPN)" and untick all others for alternate subject name.

(iii) In the "Security" field, make sure you have privileges for Domain Computers to "Enroll" and "Read"”
 
Even though I have followed the above post along with many other articles, we keep going round in circles and are getting nowhere fast. Is this something anyone out there has configured? If so, I'd welcome any help and guidance.

We are using a WPA2-Enterprise 802.1X configuration.

Thank you in advance. 
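As an added example (not from this thread, and not Jamf's or Apple's own tooling), here is the command-line equivalent of steps 1 to 10 of the quoted procedure: turn the certnew.p7b chain downloaded from http://Your-AD-Server/certsrv/ into PEM, confirm which CA you are about to trust, check that a certificate chains to it, and mark it "Always Trust" in the System keychain so it applies at the login window and for 802.1X. The file names, the `mac01` leaf and the `--run` switch are assumptions; the conversion and verification functions only need openssl and run anywhere, while the two install/inspection functions need macOS's `security` tool.

```shell
#!/bin/sh
# Added example: command-line equivalent of the Keychain Access steps in the post.
# Assumed names: certnew.p7b (what certsrv serves), ad-ca-chain.pem, and the
# default System keychain path on macOS; everything else is illustrative.

# Convert the PKCS#7 bundle certsrv hands out (usually DER) to a PEM file holding
# every CA in the chain. Prints the number of certificates extracted.
p7b_to_pem() {
  in="$1"
  out="$2"
  openssl pkcs7 -inform DER -in "$in" -print_certs -out "$out" 2>/dev/null \
    || openssl pkcs7 -inform PEM -in "$in" -print_certs -out "$out"
  grep -c 'BEGIN CERTIFICATE' "$out"
}

# List subject/issuer of each certificate in a PEM chain so you can confirm you
# are about to trust the AD CA (e.g. AD-CA1) and nothing else.
chain_summary() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Check that a certificate (e.g. the machine cert the AD Certificate payload is
# supposed to obtain) verifies against the extracted chain. Returns 0 when it does.
verify_against_chain() {
  chain="$1"
  cert="$2"
  openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1
}

# macOS only: the equivalent of "Always Trust" for every cert in the chain, placed
# in the System keychain so it applies at the login window and for 802.1X.
# -r trustRoot is for a self-signed root; use -r trustAsRoot for an intermediate.
install_trusted_root() {
  chain="$1"
  # split the PEM into one file per certificate before handing each to security(1)
  awk '/BEGIN CERTIFICATE/{n++} /BEGIN CERTIFICATE/,/END CERTIFICATE/{print > ("ad-ca-" n ".pem")}' "$chain"
  for f in ad-ca-*.pem; do
    sudo security add-trusted-cert -d -r trustRoot \
      -k /Library/Keychains/System.keychain "$f"
  done
}

# macOS only: once the AD Certificate payload has installed, the machine identity
# should be listed as valid for the EAP policy. No identities listed means the
# payload never produced a usable one, which is the symptom behind a -319 error.
show_eap_identities() {
  security find-identity -v -p eap /Library/Keychains/System.keychain
}

if [ "${1:-}" = "--run" ]; then
  # Typical use on the Mac, after downloading certnew.p7b from certsrv:
  p7b_to_pem certnew.p7b ad-ca-chain.pem
  chain_summary ad-ca-chain.pem
  install_trusted_root ad-ca-chain.pem
  show_eap_identities
fi
```

Run the conversion and summary first and read the subject lines before installing anything: a `-print_certs` listing with an unexpected issuer is the cheapest place to catch a wrong or stale chain, and `verify_against_chain` against a certificate the CA has already issued tells you whether the chain you downloaded is the one the CA actually signs with.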

5 REPLIES

Nix4Life
Valued Contributor

@lrhodes

I had the opposite problem, but the good folks here helped. Scroll down in this link to see my setup. Off for holiday, but I can share my template tomorrow. I used that post by Mike and a few others to get it all working, but remember a different setting for the template.

lrhodes
New Contributor II

@LSinNY Hi there, thanks for your response. Still no joy unfortunately. I have tried to split the two up: the network profile is separate from the AD one. If we add the AD payload it fails every time, always getting the:

The 'Active Directory Certificate' payload could not be installed. The certificate request failed. Make sure that RPC is enabled on the server.

These Macs will be in use as of the 24th and I never pictured it being this much of a pain to get them logging into AD over the wireless.

I have copied some of the settings that are relevant from your pictures but still nothing. Everything is 100% on the network and AD side (I'm told).

Nix4Life
Valued Contributor

@lrhodes 1. Have you enabled debugging as per the article?
2. In step 13, we have it set to 2008 R2 (we are in a 2012 domain).
3. See below for subject name settings.


lrhodes
New Contributor II

@LSinNY Hi, thanks again for getting back. We have all this configured; the only difference is we have it set to 2003, which we will change in our next step.

"1. Have you enabled debugging as per the article?"

Which article? Sorry, I've looked at so many now! Is this enabled on my side or the AD side?

Thanks in advance...

Nix4Life
Valued Contributor

https://www.afp548.com/2012/11/20/802-1x-eaptls-machine-auth-mtlion-adcerts/