
Machine AND User 802.1X Authentication?



Has anyone successfully set up both types of authentication? What I am trying to accomplish:

  • This is a wireless-only lab.
  • As the machine sits on the login window it connects to our 802.1X wireless with machine Directory Authentication.
  • When a user logs in with AD credentials, it uses those to authenticate as a Login Window Configuration.

The reason behind this is we have many network rules set up based on username, but when no one is logged into the computer we still want it to get updates from the munki and JSS servers.

I created a Configuration Profile with both payloads and it defaults to the Login Window Configuration and ignores the Directory Authentication. When I test them by having only one at a time, they both work flawlessly by themselves. It is when they are both configured at the same time I have issues.

It does work if I use a non-.1X network and a .1X Login Window Configuration at the same time. I can create a Configuration Profile with two network payloads: one to connect to the non-.1X SSID while on the login window and one to authenticate using the user's AD credentials when they log in. That works fine. This leads me to believe that it is unintended for it to fail when using two .1X payloads. I'd prefer to always have it connected to the .1X network, but we may have to do it this way.

10 replies

  • Honored Contributor
  • 550 replies
  • January 28, 2016

@LibertyJSS If you could share your Directory Authentication Profile that would be great. I can't seem to get this working and would like to compare.

tia
Larry



I generated the profile straight from the JSS, so I did not add anything to the XML. My network team set up the RADIUS/AD side, so I did not have to do much work except check the box for directory authentication.

Make sure to import and trust the certificate the RADIUS server uses and check the box for the type of authentication protocol you are using.

Don't check the box for Login Window Configuration if you are using Directory Authentication.

If all that is correct, it is probably an error on the RADIUS/AD side.
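As an added example that is not from this thread or from Jamf: a small Python check that parses a mobileconfig and reports the two things discussed above, a profile carrying both a machine (System) and a Login Window 802.1X payload for the same SSID, and an EAP payload with no trusted RADIUS certificate anchor or server name. The sample profile is constructed, and the Wi-Fi payload key names (`SetupModes`, `SystemModeCredentialsSource`, `PayloadCertificateAnchorUUID`, `TLSTrustedServerNames`) are taken from Apple's profile reference as I understand it; treat them as assumptions and compare against a JSS-generated profile.

```python
import plistlib

# Constructed sample mobileconfig (not from the thread): two 802.1X payloads for
# the same SSID, one machine-auth via AD, one Login Window. Key names assumed.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PayloadType</key><string>Configuration</string>
<key>PayloadContent</key><array>
<dict><key>PayloadType</key><string>com.apple.wifi.managed</string>
 <key>SSID_STR</key><string>Corp-1X</string>
 <key>SetupModes</key><array><string>System</string></array>
 <key>EAPClientConfiguration</key><dict>
  <key>AcceptEAPTypes</key><array><integer>25</integer></array>
  <key>SystemModeCredentialsSource</key><string>ActiveDirectory</string>
  <key>PayloadCertificateAnchorUUID</key><array><string>00000000-0000-0000-0000-000000000001</string></array>
  <key>TLSTrustedServerNames</key><array><string>radius.example.com</string></array>
 </dict></dict>
<dict><key>PayloadType</key><string>com.apple.wifi.managed</string>
 <key>SSID_STR</key><string>Corp-1X</string>
 <key>SetupModes</key><array><string>Loginwindow</string></array>
 <key>EAPClientConfiguration</key><dict>
  <key>AcceptEAPTypes</key><array><integer>25</integer></array>
 </dict></dict>
</array></dict></plist>"""


def audit_8021x_payloads(profile_bytes):
    """Return findings (strings) about the 802.1X Wi-Fi payloads in a mobileconfig."""
    findings, modes_by_ssid = [], {}
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    for p in payloads:
        if p.get("PayloadType") != "com.apple.wifi.managed" or "EAPClientConfiguration" not in p:
            continue
        eap, ssid = p["EAPClientConfiguration"], p.get("SSID_STR", "?")
        modes = p.get("SetupModes", ["User"])  # no SetupModes = user-level profile
        modes_by_ssid.setdefault(ssid, []).extend(modes)
        # Machine auth needs a credential source, otherwise nothing can log in at the login window
        if "System" in modes and "SystemModeCredentialsSource" not in eap:
            findings.append(f"{ssid}: System payload has no SystemModeCredentialsSource")
        # Without a pinned anchor and server name the supplicant cannot verify the RADIUS server
        if not eap.get("PayloadCertificateAnchorUUID") or not eap.get("TLSTrustedServerNames"):
            findings.append(f"{ssid}: {modes} payload lacks RADIUS cert anchor/trusted server name")
    for ssid, modes in modes_by_ssid.items():
        if "System" in modes and "Loginwindow" in modes:
            findings.append(f"{ssid}: both System and Loginwindow 802.1X payloads for one SSID")
    return findings


if __name__ == "__main__":
    for line in audit_8021x_payloads(SAMPLE_PROFILE):
        print(line)
```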


  • Honored Contributor
  • 550 replies
  • January 29, 2016

It was a problem on the Windows side.

Thanks

Larry


  • Contributor
  • 49 replies
  • January 29, 2016

Can I also add that in my case the problem was our JSS was not fully up to date.

We were on 9.65 and experiencing errors in machine authentication before upgrading to 9.82. Prior to this, our Mavericks laptops were using the exact same profile normally with 9.65, whereas our Yosemite and El Capitan laptops were failing to join our hidden network.

We simply upgraded the JSS and it's been working ever since.

In between, we rebuilt the profile in Profile Manager, tried several manual hacks, and wiped and reimaged until we couldn't wipe any more. I read through many, many posts, advice, tips, tricks, and JAMF advice and guidance over the phone, but the simple fix was making sure the JSS was current.


  • Contributor
  • 400 replies
  • August 15, 2016

@LibertyJSS Have you got this working? We are seeing some issues with NPS and 802.1X.
Everything is working fine with Radiator, but we are moving to NPS soon.

Thanks


  • Honored Contributor
  • 550 replies
  • August 15, 2016

@Kumarasinghe Aww man, I just left work. I do have this set up and working as per the OP. If it has not been solved today, I will follow up tomorrow. I know I had to preload all my certs in the config.


  • Honored Contributor
  • 550 replies
  • August 16, 2016

@Kumarasinghe I followed your previous answer when I posted about a year or so ago as far as setting up the machine cert. Our Windows server guy took ill, so I was left to revisit this on my own. I took a test machine and set up a login window profile. I then observed all the certs that were added. There were 3 in addition to the CA cert. I uploaded them to my mobileconfig along with the CA cert. I then created my profile with the settings below. The config is pulled down during imaging. Once the device is up, it grabs an IP. The machine is updated every evening on schedule, just like the wired machines. 1st logins take about 45 seconds. I have used this on MacBook Pros/Airs and iMacs. This works as stated in Apple's 802.1X doc.
Larry




  • Contributor
  • 400 replies
  • August 17, 2016

Thanks.

Our 802.1X config is working fine, and initially we thought NPS settings might be the issue, but we found that the WLAN controllers were having delays in DHCP assignment to OS X devices.

Did some tcpdumps and worked together with network engineers to get it resolved. Thanks anyway.


  • New Contributor
  • 16 replies
  • January 10, 2018

We're running 9.101.4 and I'm having difficulty getting this working. There's a product bug regarding the "tick box" for Login Window Configuration. I guess it has appeared off and on through various versions of Jamf. We are manually editing the mobileconfig file but are still having issues. Machine authentication works fine. We want to have the machine authenticate to 802.1X Wi-Fi and then switch to the user authenticating against the Wi-Fi. Does anyone have this working on current versions of Jamf Pro?


  • New Contributor
  • 5 replies
  • February 6, 2020

@bhouston Did you get this working? We are working to solve the same setup issue: machine auth and then user auth.

