Mac 802.1X wired config issues.

dmitchell
Contributor

Our network team has started to roll out 802.1X port policies around campus. On the Mac side it's causing a bit of a problem. Our Macs are bound to AD so they should be passing credentials. I set up a config profile for 802.1X to our network teams specs. It works and doesn't work at the same time.

On my Mac for example, if I restart it, I don't get authenticated, I have to go into network settings and hit connect on 802.1X and then it's fine. Obviously this is a problem for users because they will not know what to do unless guided.

I have it set up as follows:

Network Interface - Any Ethernet
Use as a Login Window configuration - Checked
Accepted EAP types - PEAP
Use Directory Authentication - Checked

Like I said, it works if I manually hit connect but I need it to authenticate at login. From what I understand I shouldn't need a config because macOS is supposed to pass this automatically but that also doesn't work.

Any advice?


sprattp
New Contributor II

Hello, we had a similar problem.

Under General we had to switch to Computer Level instead of User Level.

Under Network Interfaces we had to switch to First Active Ethernet and check Use as Login Window configuration.

We are also using TLS rather than PEAP, with SCEP.

In addition, the username field in the computer inventory needs to match the user logging in (communal computers are a problem).

sbirdsley
Contributor

I would also look at this post I commented on, as we had to make sure our 802.1X could use a CA-issued unique-name cert (system SN#).

Not sure if it's the same setup you are using, but it's something that took an Apple Enterprise Support request to figure out (changing the username to host/%ComputerName%.%AD_DomainNameDNS%).

dmitchell
Contributor

@sprattp

"In addition, the username field in the computer inventory needs to match the user logging in (communal computers are a problem)."

Hmmm, that may be a problem for me. We actually don't use Jamf Pro for inventory; we have a separate system for that. The username field in inventory is blank for all machines.

dmitchell
Contributor

@sbirdsley I looked at the post you linked. Are you referring to the username field that comes up if you DON'T select "Use Directory Authentication"? If so, the password field is required. Would I just put host/%ComputerName%.%AD_DomainNameDNS% in that username field, or somewhere else?

sbirdsley
Contributor

@dmitchell The username field is under the Network payload when TLS is selected. If you're not using TLS, I'm not sure whether you'll see it.


dmitchell
Contributor

@sbirdsley Ah yes, PEAP is slightly different and requires a password. I guess I'll need to talk to my network team or use a role account, but that kind of defeats the whole purpose.

KrisMallory
New Contributor III

I've had the best results with a config profile with the following:

  1. Certificate payload with the root certs, so there's never an issue with the AD payload.
  2. AD payload, machine cert.
  3. TWO Network payloads: the first set to First Active Ethernet, the second set to Any Ethernet. Both payloads set to use the AD payload certificate, TLS, EAP-FAST.
  4. Computer level.

With this set up, I've been able to plug in any Ethernet adaptor in any port, unplug and move ports, change to a different adaptor model, plug into the same or a different port, even plug in two adaptors at once.

Previously I tried to use only an Any Ethernet or a First Active config and ran into occasional issues with connection loss or reconnecting when some users plugged in and disconnected often. It seemed more likely to happen if they did not always use the same Thunderbolt port or grabbed a different adaptor model.
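The replies above converge on a handful of profile settings (computer level, a First Active Ethernet payload, login-window use, certificate-based EAP instead of a password-based PEAP that cannot authenticate unattended). The following linter, an added example that is not from the thread, from Jamf or from Apple, loads a .mobileconfig plist and reports which of those settings are missing. The payload keys (`PayloadScope`, `SetupModes`, `EAPClientConfiguration`, `AcceptEAPTypes`, `TLSTrustedServerNames`, `PayloadCertificateAnchorUUID`, `SystemModeCredentialsSource`, `PayloadCertificateUUID`) are the ones Apple documents for the Ethernet EAP payload; the "Any Ethernet" PayloadType string `com.apple.globalethernet.managed` and the server name `radius.example.edu` are assumptions, and both sample profiles are constructed for the example.

```python
"""Lint a macOS wired 802.1X profile against the settings the thread converged on."""
import plistlib

EAP_TLS, EAP_PEAP, EAP_FAST = 13, 25, 43  # EAP method numbers used in AcceptEAPTypes
FIRST_ACTIVE = "com.apple.firstactiveethernet.managed"
ANY_ETHERNET = "com.apple.globalethernet.managed"  # assumed type string for "Any Ethernet"
ETHERNET_TYPES = {FIRST_ACTIVE: "First Active Ethernet", ANY_ETHERNET: "Any Ethernet"}


def load_profile(data: bytes) -> dict:
    """Parse a .mobileconfig (XML or binary plist) into a dict."""
    return plistlib.loads(data)


def lint_profile(profile: dict) -> list:
    """Return findings; an empty list means the profile matches the thread's advice."""
    findings = []
    if profile.get("PayloadScope") != "System":
        findings.append("profile is user level; PayloadScope should be System (computer level)")
    payloads = [p for p in profile.get("PayloadContent", []) if p.get("PayloadType") in ETHERNET_TYPES]
    if not payloads:
        findings.append("no Ethernet 802.1X payload found")
    if not any(p["PayloadType"] == FIRST_ACTIVE for p in payloads):
        findings.append("no First Active Ethernet payload")
    for p in payloads:
        name = ETHERNET_TYPES[p["PayloadType"]]
        modes = set(p.get("SetupModes", []))
        if "Loginwindow" not in modes:
            findings.append(f"{name}: SetupModes lacks Loginwindow, so it is not a login window configuration")
        if "System" not in modes:
            findings.append(f"{name}: SetupModes lacks System, so it will not authenticate without a logged-in user")
        eap = p.get("EAPClientConfiguration", {})
        types = set(eap.get("AcceptEAPTypes", []))
        if EAP_TLS in types and not p.get("PayloadCertificateUUID"):
            findings.append(f"{name}: EAP-TLS accepted but no identity certificate payload is referenced")
        if EAP_PEAP in types and not (eap.get("UserName") or eap.get("SystemModeCredentialsSource")):
            findings.append(f"{name}: PEAP accepted without a credential source; unattended auth will fail")
        if not (eap.get("TLSTrustedServerNames") or eap.get("PayloadCertificateAnchorUUID")):
            findings.append(f"{name}: RADIUS server certificate is not pinned (no trusted names or anchors)")
    return findings


def _ethernet_payload(ptype: str, uuid: str, modes: list, eap_types: list, **extra) -> dict:
    """Build one Ethernet EAP payload dict (constructed sample data)."""
    payload = {
        "PayloadType": ptype, "PayloadUUID": uuid, "PayloadVersion": 1,
        "PayloadIdentifier": f"example.wired8021x.{uuid}",
        "SetupModes": modes,
        "EAPClientConfiguration": {"AcceptEAPTypes": eap_types, **extra.pop("eap", {})},
    }
    payload.update(extra)
    return payload


# Constructed profile following KrisMallory's layout: computer level, two Ethernet payloads,
# TLS + EAP-FAST with an identity certificate, RADIUS server name pinned.
GOOD_PROFILE = {
    "PayloadType": "Configuration", "PayloadScope": "System", "PayloadVersion": 1,
    "PayloadIdentifier": "example.wired8021x", "PayloadUUID": "good-0000",
    "PayloadContent": [
        _ethernet_payload(ptype, uid, ["System", "Loginwindow"], [EAP_TLS, EAP_FAST],
                          PayloadCertificateUUID="cert-0001",
                          eap={"TLSTrustedServerNames": ["radius.example.edu"]})
        for ptype, uid in ((FIRST_ACTIVE, "eth-0001"), (ANY_ETHERNET, "eth-0002"))
    ],
}

# Constructed profile resembling the first post: user level, Any Ethernet only, PEAP with
# directory authentication, no server pinning, not usable before login.
BAD_PROFILE = {
    "PayloadType": "Configuration", "PayloadScope": "User", "PayloadVersion": 1,
    "PayloadIdentifier": "example.wired8021x.bad", "PayloadUUID": "bad-0000",
    "PayloadContent": [
        _ethernet_payload(ANY_ETHERNET, "eth-0003", ["Loginwindow"], [EAP_PEAP],
                          eap={"SystemModeCredentialsSource": "ActiveDirectory"})
    ],
}


def lint_bytes(data: bytes) -> list:
    """Round-trip through plistlib so the checker sees what a real .mobileconfig would yield."""
    return lint_profile(load_profile(data))


if __name__ == "__main__":
    for label, prof in (("good", GOOD_PROFILE), ("bad", BAD_PROFILE)):
        print(label, lint_bytes(plistlib.dumps(prof)) or "OK")
```

Point `lint_bytes` at the bytes of an exported profile to check it; the findings are phrased in the thread's terms so they map directly onto the Jamf payload settings being discussed.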