Posted on 07-12-2018 08:49 AM
Our network team has started to roll out 802.1X port policies around campus. On the Mac side it's causing a bit of a problem. Our Macs are bound to AD so they should be passing credentials. I set up a config profile for 802.1X to our network team's specs. It works and doesn't work at the same time.
On my Mac for example, if I restart it, I don't get authenticated, I have to go into network settings and hit connect on 802.1X and then it's fine. Obviously this is a problem for users because they will not know what to do unless guided.
I have it set up as follows:
Network Interface - Any Ethernet
Use as a Login Window configuration - Checked
Accepted EAP types - PEAP
Use Directory Authentication - Checked
Like I said, it works if I manually hit connect but I need it to authenticate at login. From what I understand I shouldn't need a config because macOS is supposed to pass this automatically but that also doesn't work.
Any advice?
Posted on 07-12-2018 09:01 AM
Hello, we had a similar problem.
Under General we had to switch to Computer Level instead of User Level.
Under Network Interfaces we had to switch to First Active Ethernet and checked Use as Login Window configuration.
We are also using TLS rather than EAP and SCEP.
In addition, the username field in the Computer inventory needs to match the user logging in (communal computers are a problem).
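An added check, not something any poster shared: a Python script that reads an exported 802.1X Ethernet .mobileconfig (the payload Jamf builds from the settings discussed above) and flags the points raised in this thread, plus whether the profile validates the RADIUS server. The sample profile is constructed, and the mapping of Jamf's "Use Directory Authentication" to SystemModeCredentialsSource is an assumption.

```python
import plistlib

EAP_NAMES = {13: "TLS", 21: "TTLS", 25: "PEAP"}

# Constructed sample, modelled on the original poster's settings (Any Ethernet,
# PEAP, directory credentials, login window mode). Key names follow Apple's
# Network payload documentation; SystemModeCredentialsSource is assumed to be
# what Jamf's "Use Directory Authentication" checkbox writes.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadScope</key><string>System</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.anyethernet.managed</string>
    <key>PayloadDisplayName</key><string>Campus 802.1X</string>
    <key>Interface</key><string>AnyEthernet</string>
    <key>SetupModes</key><array><string>System</string><string>Loginwindow</string></array>
    <key>EAPClientConfiguration</key><dict>
      <key>AcceptEAPTypes</key><array><integer>25</integer></array>
      <key>SystemModeCredentialsSource</key><string>ActiveDirectory</string>
    </dict>
  </dict></array>
</dict></plist>"""


def lint_8021x(profile_bytes):
    """Return a list of findings for each Ethernet 802.1X payload in a profile."""
    prof = plistlib.loads(profile_bytes)
    findings = []
    if prof.get("PayloadScope") != "System":
        findings.append("profile is not Computer level (PayloadScope != System)")
    for p in prof.get("PayloadContent", []):
        if not p.get("PayloadType", "").endswith("ethernet.managed"):
            continue
        name = p.get("PayloadDisplayName", p["PayloadType"])
        eap = p.get("EAPClientConfiguration", {})
        types = {EAP_NAMES.get(t, str(t)) for t in eap.get("AcceptEAPTypes", [])}
        if p.get("Interface") != "FirstActiveEthernet":
            findings.append(f"{name}: Interface is {p.get('Interface')}, not FirstActiveEthernet")
        if "Loginwindow" not in p.get("SetupModes", []):
            findings.append(f"{name}: SetupModes lacks Loginwindow, so nothing authenticates before login")
        has_creds = (eap.get("UserName") and eap.get("UserPassword")) or eap.get("SystemModeCredentialsSource")
        if "PEAP" in types and not has_creds:
            findings.append(f"{name}: PEAP needs a username/password or a directory credential source")
        if "TLS" in types and not p.get("PayloadCertificateUUID"):
            findings.append(f"{name}: TLS selected but no PayloadCertificateUUID identity certificate")
        if not eap.get("TLSTrustedServerNames") and not eap.get("PayloadCertificateAnchorUUID"):
            findings.append(f"{name}: no TLSTrustedServerNames or anchor, so the RADIUS server is not validated")
    return findings


if __name__ == "__main__":
    for finding in lint_8021x(SAMPLE_PROFILE):
        print(finding)
```

Run it against a real export with `lint_8021x(open("profile.mobileconfig", "rb").read())`; a signed profile must be unwrapped first.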
Posted on 07-12-2018 09:39 AM
I'd also look at this post I commented on, as we had to make sure our 802.1X could use a CA-issued unique name cert (system SN#).
Not sure if it's the same setup you are using, but it's something that took an Apple Enterprise Support request to figure out (changing username to host/%ComputerName%.%AD_DomainNameDNS%).
Posted on 07-12-2018 10:22 AM
In addition, the username field in the Computer inventory needs to match the user logging in (communal computers are a problem).
Hmmm, that may be a problem for me. We actually don't use Jamf Pro for inventory, we have a separate system for that. The user name field in inventory is blank for all machines.
Posted on 07-12-2018 10:29 AM
@sbirdsley I looked at the post you linked, are you referring to the username field that comes up if you DON'T select "Use Directory Authentication"? If so, the password field is required. I would just put host/%ComputerName%.%AD_DomainNameDNS% in that username field or somewhere else?
Posted on 07-12-2018 12:56 PM
@dmitchell The username field is under the Network payload when TLS is selected. If you're not using TLS, I'm not sure whether you'll see this.
Posted on 07-12-2018 01:29 PM
@sbirdsley Ah yes, PEAP is slightly different and requires a PW. I guess I'll need to talk to my network team or use a role account, but that kind of defeats the whole purpose.
Posted on 07-13-2018 05:33 AM
I've had the best results with a config profile with the following:
With this setup, I've been able to plug in any ethernet adaptor in any port, unplug and move ports, change to a different adaptor model, plug in the same or a different port, even plug in two adaptors at once.
Previously I tried to use only an Any Ethernet or a First Active config and ran into occasional issues with connection loss or reconnecting when some users plug in and disconnect often. It seemed more likely to happen if they did not always use the same Thunderbolt port or grabbed a different adaptor model.