Machine AND User 802.1X Authentication?

libertyuniversi
New Contributor II

Has anyone successfully set up both types of authentication? What I am trying to accomplish:

  • This is a wireless-only lab.
  • As the machine sits on the login window it connects to our 802.1X wireless with machine Directory Authentication.
  • When a user logs in with AD credentials, it uses those to authenticate as a Login Window Configuration.

The reason behind this is we have many network rules set up based on username, but when no one is logged into the computer we still want it to get updates from the munki and JSS servers.

I created a Configuration Profile with both payloads and it defaults to the Login Window Configuration and ignores the Directory Authentication. When I test them by having only one at a time, they both work flawlessly by themselves. It is when they are both configured at the same time I have issues.

It does work if I use a non-.1X network and a .1X Login Window Configuration at the same time. I can create a Configuration Profile with two network payloads: one to connect to the non .1X SSID while on the login window and one to authenticate using the user's AD credentials when they log in. That works fine. This leads me to believe that it is unintended for it to fail when using two .1X payloads. I'd prefer to always have it connected to the .1X network, but we may have to do it this way.


Nix4Life
Valued Contributor

@LibertyJSS If you could share your Directory Authentication Profile that would be great. I can't seem to get this working and would like to compare.

tia
Larry

libertyuniversi
New Contributor II

I generated the profile straight from the JSS so I did not add anything to the XML. My network team set up the RADIUS/AD side so I did not have to do much work except check the box for directory authentication.

Make sure to import and trust the certificate the RADIUS server uses and check the box for the type of authentication protocol you are using.

Don't check the box for Login Window Configuration if you are using Directory Authentication.

If all that is correct it is probably an error on the RADIUS/AD side.
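An added example (not from the original post or generated by Jamf) of what the two network payloads described in the first post look like as a raw mobileconfig, one for machine (System mode) Directory Authentication and one for Login Window mode, with the RADIUS certificate trust settings from the reply above. The SSID, server name and UUIDs are placeholders, and it assumes a separate certificate payload carrying the RADIUS CA is delivered under the referenced UUID.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadScope</key><string>System</string>
  <key>PayloadIdentifier</key><string>com.example.wifi.dot1x</string>
  <key>PayloadUUID</key><string>PROFILE-UUID-PLACEHOLDER</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <!-- Payload 1: machine authentication while the Mac sits at the login window.
         System mode with the AD computer account; no user credentials involved. -->
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadIdentifier</key><string>com.example.wifi.dot1x.machine</string>
      <key>PayloadUUID</key><string>MACHINE-PAYLOAD-UUID-PLACEHOLDER</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>SSID_STR</key><string>LabWiFi</string>
      <key>EncryptionType</key><string>WPA</string>
      <key>SetupModes</key><array><string>System</string></array>
      <key>EAPClientConfiguration</key><dict>
        <key>AcceptEAPTypes</key><array><integer>25</integer></array>  <!-- 25 = PEAP -->
        <key>SystemModeCredentialsSource</key><string>ActiveDirectory</string>
        <!-- Pin the RADIUS server to the CA payload and its name; no click-through on untrusted certs -->
        <key>PayloadCertificateAnchorUUID</key><array><string>RADIUS-CA-CERT-PAYLOAD-UUID-PLACEHOLDER</string></array>
        <key>TLSTrustedServerNames</key><array><string>radius.example.com</string></array>
        <key>TLSAllowTrusted</key><false/>
      </dict>
    </dict>
    <!-- Payload 2: Login Window mode; reauthenticates with what the user types at login -->
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadIdentifier</key><string>com.example.wifi.dot1x.loginwindow</string>
      <key>PayloadUUID</key><string>LOGINWINDOW-PAYLOAD-UUID-PLACEHOLDER</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>SSID_STR</key><string>LabWiFi</string>
      <key>EncryptionType</key><string>WPA</string>
      <key>SetupModes</key><array><string>Loginwindow</string></array>
      <key>EAPClientConfiguration</key><dict>
        <key>AcceptEAPTypes</key><array><integer>25</integer></array>
        <key>PayloadCertificateAnchorUUID</key><array><string>RADIUS-CA-CERT-PAYLOAD-UUID-PLACEHOLDER</string></array>
        <key>TLSTrustedServerNames</key><array><string>radius.example.com</string></array>
        <key>TLSAllowTrusted</key><false/>
      </dict>
    </dict>
  </array>
</dict>
</plist>
```

Keeping `TLSAllowTrusted` false and pinning `TLSTrustedServerNames` matters most for the Login Window payload, since that is where real user credentials are sent to whichever RADIUS server answers.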

Nix4Life
Valued Contributor

It was a problem on the Windows side.

Thanks

Larry

Sanchi
Contributor

Can I also add that in my case the problem was our JSS was not fully up to date.

We were on 9.65 and experiencing errors in machine authentication before upgrading to 9.82. Prior to this our Mavericks laptops were using the exact same profile normally with 9.65, whereas our Yosemite and El Capitan laptops were failing to join our hidden network.

We simply upgraded the JSS and it's been working ever since.

In between that we rebuilt the profile in Profile Manager, tried several manual hacks, and wiped and reimaged until we couldn't wipe any more. I read through many, many posts, advice, tips and tricks, and JAMF advice and guidance over the phone, but the simple fix was making sure the JSS was current.

Kumarasinghe
Valued Contributor

@LibertyJSS Have you got this working? We are seeing some issues with NPS and 802.1X.
Everything is working fine with Radiator but we are moving into NPS soon.

Thanks

Nix4Life
Valued Contributor

@Kumarasinghe Aww man, I just left work. I do have this set up and working as per the OP. If it has not been solved today, I will follow up tomorrow. I know I had to preload all my certs in the config.

Nix4Life
Valued Contributor

@Kumarasinghe I followed your previous answer when I posted about a year or so ago as far as setting up the machine cert. Our Windows server guy took ill so I was left to revisit this on my own. I took a test machine and set up a login window profile. Then I observed all the certs that were added. There were 3 in addition to the CA cert. I uploaded them to my mobileconfig along with the CA cert. I then created my profile with the settings below. The config is pulled down during imaging. Once the device is up, it grabs an IP. The machine is updated every evening on schedule just like the wired machines. 1st logins take about 45 seconds. I have used this on MacBook Pros/Airs and iMacs. This works as stated in Apple's 802.1X doc.
Larry

Kumarasinghe
Valued Contributor

Thanks.

Our 802.1X config is working fine and initially we thought NPS settings might be the issue, but we found that the WLAN controllers were having delays in DHCP assignment to OS X devices.

Did some tcpdumps and worked together with network engineers to get it resolved. Thanks anyway.

bhouston
New Contributor

We're running 9.101.4 and I'm having difficulty getting this working. There's a product bug regarding the "Tick box" for Login Window Configuration. I guess it has appeared off and on through various versions of Jamf. We are manually editing the mobileconfig file but are still having issues. Machine authentication works fine. We want to have the machine authenticate to 802.1X Wi-Fi, then switch to the user authenticating against the Wi-Fi. Does anyone have this working on current versions of Jamf Pro?

joelee
New Contributor

@bhouston Did you get this working? We are working to solve the same setup issue. Machine Auth and then User Auth.