Machine authentication problems

mscioscia
New Contributor

My end goal is to get Macs on the domain so they can send a cert request to the Windows CA and then pull down the user cert to the machine. The part I am having a problem with at the moment is using Machine Authentication over wireless to get the Macs able to log in to the domain. I built a profile and for the Username I put in host/%ComputerName%.ourdomain.com because this is the format that our RADIUS server expects to see. The problem I have is with the password. If I leave it blank the connection times out and I don't get connected to wireless. Everything I have found on this says that this is the right way to do it. To narrow down the problem I got the AD Machine password and entered that directly into the profile. This gets the machine on the wireless using Machine authentication so any Domain user can then log in. The problem though is I see no way to make the password variable or to tell the profile to use the machine's AD password so that this profile can work for all users. I have tried with "Use Directory Authentication" both checked and unchecked and I get the same result. Any ideas?


RobertHammen
Valued Contributor II

Can you use a wired port to get the machine bound to AD/get the machine cert? You can then deliver a cert on to the device via Configuration Profile, as outlined in the Apple KB article below:

https://support.apple.com/en-us/HT5357

Just be aware that when doing this at enrollment, it will try to push the profile down BEFORE the device is bound to AD, leading to failure. What I had to do was bind to AD first then execute a script that creates a dummy receipt, then does a recon. The AD CA/Network profile cert can be scoped to a Smart Group of computers that have that dummy receipt...

mscioscia
New Contributor

The thing is, I need Machine auth to work on wireless so domain users can log in to the machine regardless of whether they have logged in previously or not. It appears that jss is not working the way it is described, as it is not sending the machine password to the RADIUS server unless it is entered explicitly in the profile.

alexjdale
Valued Contributor III

There is a way to tell the OS to use its own AD credentials to auth. Here is a snippet from our wired 802.1x profile (note the empty username/password):

    <key>AuthenticationMethod</key>
    <string>directory</string>
    <key>AutoJoin</key>
    <true/>
    <key>EAPClientConfiguration</key>
    <dict>
        <key>AcceptEAPTypes</key>
        <array>
            <integer>25</integer>
        </array>
        <key>OneTimeUserPassword</key>
        <false/>
        <key>SystemModeCredentialsSource</key>
        <string>ActiveDirectory</string>
        <key>TTLSInnerAuthentication</key>
        <string>MSCHAPv2</string>
        <key>UserName</key>
        <string></string>
        <key>UserPassword</key>
        <string></string>
    </dict>

RobertHammen
Valued Contributor II

What is your RADIUS server? I have 2 clients using Cisco's ISE. For them, at least with ISE 1.3, all we need to do is enter host/ in the username field.

I have run into issues with 802.1x profiles for Wired networks not working 100% out-of-the-box. The unfortunate issue is that JAMF does not have an AD/802.1x/ISE environment to test. Difficult for them to support all of the possibilities out there. You may have to end up hand-coding a profile (which you can still upload and deploy using the JSS). I haven't gone down this path yet, but may do so. Suspect there may be more than one up on Github...

https://developer.apple.com/library/mac/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html

mscioscia
New Contributor

We are using Aruba Clearpass as our RADIUS server. The issue seems to be that when I don't explicitly define the AD Password in the profile it just times out on the RADIUS server. This is what I get:

Error Code: 9002
Error Category: RADIUS protocol
Error Message: Request timed out
Alerts for this Request
RADIUS Client did not complete EAP transaction

alexjdale
Valued Contributor III

We use Cisco ISE for wired 802.1x and as long as the profile indicates to use "directory" authentication and "ActiveDirectory" as the credential source (must be in System mode), it works with blank username/password entries.

You do have to make sure your certs are trusted. Our ISE implementation uses a cert from a CA that was not in our root, so I had to add the cert to the system keychain and set trust on it or else the client auth hangs (you have to look in the system logs to see why).

There is often a lag time after binding the system to AD where it won't auth, because the computer record has to propagate (we have a huge AD with lots of DCs so that lag can be 30 minutes).

mscioscia
New Contributor

I was going to try to edit the profile manually to add the <key>UserPassword</key><string>[PASSWORD VARIABLE]</string> but I can't seem to find a way of editing the profile text. Is there a utility that will open the profile so I can edit it? When I open it in a text editor there is a bunch of garbled text and it will not let me save.

Also I am not sure what you mean by "system mode" but I don't see a place to select the credential source.

alexjdale
Valued Contributor III

As far as I know, you have to use Profile Manager (part of Server) to build profiles for some features (like Directory authentication for a System profile) and it's about the worst app that Apple continues to maintain. I almost always open up the profile afterwards to edit it (if you are seeing garbles, you are probably working on an encrypted profile).

Here is my full profile: Active Directory environment, Cisco ISE for wired 802.1x, System mode authentication using directory creds (with payload UUIDs redacted):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>AuthenticationMethod</key>
            <string>directory</string>
            <key>AutoJoin</key>
            <true/>
            <key>EAPClientConfiguration</key>
            <dict>
                <key>AcceptEAPTypes</key>
                <array>
                    <integer>25</integer>
                </array>
                <key>OneTimeUserPassword</key>
                <false/>
                <key>SystemModeCredentialsSource</key>
                <string>ActiveDirectory</string>
                <key>TTLSInnerAuthentication</key>
                <string>MSCHAPv2</string>
                <key>UserName</key>
                <string></string>
                <key>UserPassword</key>
                <string></string>
            </dict>
            <key>EncryptionType</key>
            <string>Any</string>
            <key>HIDDEN_NETWORK</key>
            <false/>
            <key>Interface</key>
            <string>FirstActiveEthernet</string>
            <key>PayloadDisplayName</key>
            <string>Wired 802.1X</string>
            <key>PayloadEnabled</key>
            <true/>
            <key>PayloadIdentifier</key>
            <string>com.companyname.wired8021xconf</string>
            <key>PayloadType</key>
            <string>com.apple.firstactiveethernet.managed</string>
            <key>PayloadUUID</key>
            <string>REDACTED</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>ProxyType</key>
            <string>None</string>
            <key>SetupModes</key>
            <array>
                <string>System</string>
            </array>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Wired 802.1x Profile for ISE wired networks</string>
    <key>PayloadDisplayName</key>
    <string>Wired 802.1x</string>
    <key>PayloadIdentifier</key>
    <string>com.companyname.wired8021x</string>
    <key>PayloadOrganization</key>
    <string>companyname</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>REDACTED</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

mscioscia
New Contributor

Is there any way to use Profile Manager without OSX server? I don't have an OSX server and it appears that the profile I built with jss cannot be edited as it is encrypted and I see no way to generate a profile in jss that is not encrypted.

alexjdale
Valued Contributor III

Nope, Profile Manager is technically a web app that is served up by Server, as far as I can tell. It's unintuitive and frustrating so I hate recommending it, but there are not many ways to create configuration profiles.

Server is an app you buy on the App Store which installs on a standard Yosemite OS. You can run it on a VM in a pinch.

bentoms
Release Candidate Programs Tester

There are so many ways to set this up & many more caveats.

Our macs connect to our wireless using a certificate.

The certificate is received via a profile with the "AD Certificate" payload.

Server name is specified & the template for us is "Machine" (that's the name of the template even though Win Server shows it as "Computer").

For username we use $COMPUTERNAME (variables used for profiles in the JSS differ from those in Profile Manager, but they are in the Admin guide), & we tick "Use Directory Authentication".

Might be some stuff there to try, then if the Mac gets the cert.. Next step is to check the wireless authentication.

dstranathan
Valued Contributor II

@mscioscia, keep us posted on your progress, as I'm beginning the same project soon with Yosemite-based Mac laptops, AD domain, and Cisco ISE RADIUS server.

My goal is identical to yours: Get Mac laptops to machine authenticate on Wi-Fi enough to "boot-strap" them onto the WLAN so users can then use their AD user credentials to log into the Mac, update/sync their AD passwords, etc.

We are currently using Ethernet adapters for these types of tasks, but it's getting too hard to manage, as our Mac population is growing fast, and looking at Apple's laptop roadmap (i.e. the new 2015 MacBook "uni-port"), Ethernet might not be a practical option.

I tried this project early in the OS X 10.7 Lion days and found it to be rather flakey and frustrating. I'm hoping it is easier and more consistent in OS X 10.10 Yosemite.

Editorial comment: I share everyone's feelings towards Apple's Profile Manager Server. One reason I have dragged my feet on deprecating my OD/MCX "Golden Triangle" environment in favor of 100% MDM-style profile management.

georgecm12
Contributor III

This is an old post, and our issue isn't precisely the same as the OP. We're using ClearPass Policy Manager as a NAC for our Aruba wireless access points. We're using it to implement 802.1x authentication for our wireless clients. We're using username/password authentication (that's one area we differ from the OP; we're not doing certificate based authentication) and our standard is PEAP and MSCHAPv2.

One problem we're encountering is similar to the OP: when at the login screen, they're authenticating to ClearPass as DOMAIN\COMPUTER$ (e.g. "CARROLL_NT\ACADLC-47$" for the computer named ACADLC-47). The problem is, as the OP indicated, the ClearPass controller is expecting computer authentication to come in the form host/%ComputerName%.ourdomain.com. How would one configure the policy to be able to connect in this form?

The second mystery is that users in a specific role (in this case, students) aren't able to log in. As best as we can tell, everything is working fine, and users in other roles on the system (faculty, staff, IT, etc.) can log on fine. When a student logs in, they just get a pinwheel for about 90 seconds, then the login window times out and shakes. When a staff member logs in, they get a pinwheel for about 10 seconds, then they're logged in. As far as the controller indicates, both the student and the staff member are authenticated just fine, so we can't tell why the students can't log in.

Anyone with ideas?

Kaltsas
Contributor III

Hey @georgecm12, did you ever find a solution to this? I am trying to get PEAP machine authentication and it appears our RADIUS configuration is looking for hostDNS not domainhost.

I can craft this into the username using the profile variables but then it does not use the directory credentials for authentication.

I have reached out to apple to see if there is a way to get the directory authentication to do hostDNS.

nick1313
New Contributor II

We are having this same sort of issue. When we look at our wireless logs (Ruckus) it shows the "user" that is trying to authenticate as the computer name, when it should show the user name, thus authentication fails.

The exact same configuration profile works on 10.10.5, just not 10.11 or 10.11.1.

I have a case open with Jamf and might end up opening one with Apple as well.

Nick Haskell

mahdiz
New Contributor

@alexjdale

I tried to use your .xml code for my current setup. However, I didn't know what to do with the payload UUIDs you redacted...

I put any UUID number from somewhere else.... but it looks like it is not working.

How can I manage to get the UUID number?

Thank you very much
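As an added example (not code from any poster in this thread), the script below builds a System-mode wired 802.1X profile with the same directory-credential settings as alexjdale's profile, generating the fresh PayloadUUID values that mahdiz asks about, and then checks a profile for the settings that matter for machine auth, including flagging a static password pasted into UserPassword as the OP did. The identifiers are placeholders; the plist layout follows the profile posted above.

```python
import plistlib
import uuid
PAYLOAD_ID = "com.example.wired8021xconf"  # placeholder identifiers, constructed here
PROFILE_ID = "com.example.wired8021x"

def build_profile(user_password: str = "") -> bytes:
    """Build a System-mode wired 802.1X profile as an XML plist with fresh UUIDs."""
    payload = {
        "PayloadType": "com.apple.firstactiveethernet.managed",
        "PayloadIdentifier": PAYLOAD_ID,
        "PayloadUUID": str(uuid.uuid4()).upper(),  # every payload needs its own UUID
        "PayloadVersion": 1,
        "AuthenticationMethod": "directory",
        "SetupModes": ["System"],
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [25],  # 25 = PEAP
            "TTLSInnerAuthentication": "MSCHAPv2",
            "SystemModeCredentialsSource": "ActiveDirectory",
            "UserName": "",  # blank: the OS supplies the AD computer account
            "UserPassword": user_password,  # should stay blank, see check_profile()
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadScope": "System",
        "PayloadIdentifier": PROFILE_ID,
        "PayloadUUID": str(uuid.uuid4()).upper(),  # top-level profile UUID
        "PayloadVersion": 1,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)

def check_profile(data: bytes) -> list:
    """Return problems that would break directory-credential machine auth."""
    prof = plistlib.loads(data)
    problems, seen = [], {prof.get("PayloadUUID")}
    for pl in prof.get("PayloadContent", []):
        u = pl.get("PayloadUUID")
        if not u or u in seen:  # reused UUIDs are what breaks a copy-pasted profile
            problems.append("PayloadUUID missing or duplicated")
        seen.add(u)
        eap = pl.get("EAPClientConfiguration", {})
        if pl.get("AuthenticationMethod") != "directory":
            problems.append("AuthenticationMethod must be 'directory'")
        if "System" not in pl.get("SetupModes", []):
            problems.append("SetupModes must include 'System'")
        if eap.get("SystemModeCredentialsSource") != "ActiveDirectory":
            problems.append("SystemModeCredentialsSource must be 'ActiveDirectory'")
        if eap.get("UserPassword"):
            problems.append("UserPassword embeds a static AD machine password; leave it blank")
    return problems
```

Write the bytes from build_profile() to a .mobileconfig file to get an unsigned, editable profile; a JSS-exported profile that looks garbled in a text editor is signed and must be decoded first.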