Jamf Nation Community

The thing is, I need Machine auth to work on wireless so domain users can login to the machine regardless of wether they have logged in previously or not. It appears that jss is not working the way it is described as it is not sending the machine password the RADIUS server unless it is entered explicitly in the profile.

There is a way to tell the OS to use its own AD credentials to auth. Here is a snippet from our wired 802.1x profile (note the empty username/password):

<key>AuthenticationMethod</key>
            <string>directory</string>
            <key>AutoJoin</key>
            <true/>
            <key>EAPClientConfiguration</key>
            <dict>
                <key>AcceptEAPTypes</key>
                <array>
                    <integer>25</integer>
                </array>
                <key>OneTimeUserPassword</key>
                <false/>
                <key>SystemModeCredentialsSource</key>
                <string>ActiveDirectory</string>
                <key>TTLSInnerAuthentication</key>
                <string>MSCHAPv2</string>
                <key>UserName</key>
                <string></string>
                <key>UserPassword</key>
                <string></string>
            </dict>

What is your RADIUS server? I have 2 clients using Cisco's ISE. For them, at least with ISE 1.3, all we need to do is enter host/ in the username field.

I have run into issues with 802.1x profiles for Wired networks not working 100% out-of-the-box. The unfortunate issue is that JAMF does not have an AD/802.1x/ISE environment to test. Difficult for them to support all of the possibilities out there. You may have to end up hand-coding a profile (which you can still upload and deploy using the JSS). I haven't gone down this path yet, but may do so. Suspect there may be more than one up on Github...

https://developer.apple.com/library/mac/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html

We are using Aruba Clearpass as our RADIUS server. The issue seems to be that when I don't explicitly define the AD Password in the profile it just times out on the RADIUS server. This is what I get Error Code: 9002 Error Category: RADIUS protocol Error Message: Request timed out Alerts for this Request RADIUS Client did not complete EAP transaction

We use Cisco ISE for wired 802.1x and as long as the profile indicates to use "directory" authentication and "ActiveDirectory" as the credential source (must be in System mode), it works with blank username/password entries.

You do have to make sure your certs are trusted. Our ISE implementation uses a cert from a CA that was not in our root, so I had to add the cert to the system keychain and set trust on it or else the client auth hangs (you have to look in the system logs to see why).

There is often a lag time after binding the system to AD where it won't auth, because the computer record has to propagate (we have a huge AD with lots of DCs so that lag can be 30 minutes).

I was going to try to edit the profile manually the add the <key>UserPassword</key><string>[PASSWORD VARIABLE]</string> but I can't seem to find a way of editing the profile text. Is there a utility that will open the profile so I can edit it? When I open it in a test editor there is a bunch of garbled text and it will not let me save.

Also I am not sure what you mean by "system mode" but I don't see a place to select the credential source

As far as I know, you have to use Profile Manager (part of Server) to build profiles for some features (like Directory authentication for a System profile) and it's about the worst app that Apple continues to maintain. I almost always open up the profile afterwards to edit it (if you are seeing garbles, you are probably working on an encrypted profile).

Here is my full profile: Active Directory environment, Cisco ISE for wired 802.1x, System mode authentication using directory creds (with payload UUIDs redacted):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>AuthenticationMethod</key>
            <string>directory</string>
            <key>AutoJoin</key>
            <true/>
            <key>EAPClientConfiguration</key>
            <dict>
                <key>AcceptEAPTypes</key>
                <array>
                    <integer>25</integer>
                </array>
                <key>OneTimeUserPassword</key>
                <false/>
                <key>SystemModeCredentialsSource</key>
                <string>ActiveDirectory</string>
                <key>TTLSInnerAuthentication</key>
                <string>MSCHAPv2</string>
                <key>UserName</key>
                <string></string>
                <key>UserPassword</key>
                <string></string>
            </dict>
            <key>EncryptionType</key>
            <string>Any</string>
            <key>HIDDEN_NETWORK</key>
            <false/>
            <key>Interface</key>
            <string>FirstActiveEthernet</string>
            <key>PayloadDisplayName</key>
            <string>Wired 802.1X</string>
            <key>PayloadEnabled</key>
            <true/>
            <key>PayloadIdentifier</key>
            <string>com.companyname.wired8021xconf</string>
            <key>PayloadType</key>
            <string>com.apple.firstactiveethernet.managed</string>
            <key>PayloadUUID</key>
            <string>REDACTED</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>ProxyType</key>
            <string>None</string>
            <key>SetupModes</key>
            <array>
                <string>System</string>
            </array>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Wired 802.1x Profile for ISE wired networks</string>
    <key>PayloadDisplayName</key>
    <string>Wired 802.1x</string>
    <key>PayloadIdentifier</key>
    <string>com.companyname.wired8021x</string>
    <key>PayloadOrganization</key>
    <string>companyname</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>REDACTED</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

Is there any way to use Profile Manager without OSX server? I don't have an OSX server and it appears that the profile I built with jss cannot be edited as it is encrypted and I see no way to generate a profile in jss that is not encrypted.

Nope, Profile Manager is technically a web app that is served up by Server, as far as I can tell. It's unintuitive and frustrating so I hate recommending it, but there not many ways to create configuration profiles.

Server is an app you buy on the App Store which installs on a standard Yosemite OS. You can run it on a VM in a pinch.

There are so many ways to set this up & many more caveats.

Our macs connect to our wireless using a certificate.

The certificate is received via a profile with the "AD Certificate" payload.

Server name is specified & the template for us is "Machine" (that's the name of the template even though Win Server shows it as "Computer").

For username we use $COMPUTERNAME (variables used for profiles in the JSS differs from profile manager, but is in the Admin guide), & we tick "Use Directory Authentication"

Might be some stuff there to try, then if the Mac gets the cert.. Next step is to check the wireless authentication.

@mscioscia, Keep us posted on your progress, as Im beginning the same project soon with Yosemite-based Mac laptops, AD domain, and Cisco ISE RADIUS server.

My goal is identical to yours: Get Mac laptops to machine authenticate on Wi-Fi enough to "boot-strap" them onto the WLAN so users can then use their AD user credentials to log into the Mac, update/sync their AD passwords, etc.

We are currently using Ethernet adapters for these types of tasks, but its getting too hard to manage, as our Mac population is growing fast, and looking at Apple's laptop roadmap (i.e.; the new 2015 Mac Book "uni-port"), Ethernet might not be a practical option.

I tried this project early in the OS X 10.7 Lion days and found it to be rather flakey and frustrating. I'm hoping it is easier and more consistent in OS X 10.10 Yosemite.

Editorial comment: I share everyone's feelings towards Apple's Profile Manager Server. One reason I have dragged my feet on deprecating my OD/MCX "Golden Triangle" environment in favor of 100% MDM-style profile management.

This is an old post, and our issue isn't precisely the same as the OP. We're using ClearPass Policy Manager as a NAC for our Aruba wireless access points. We're using it to implement 802.1x authentication for our wireless clients. We're using username/password authentication (that's one area we differ from the OP; we're not doing certificate based authentication) and our standard is PEAP and MSCHAPv2.

One problem we're encountering is similar to the OP; when at the login screen, they're authenticating to ClearPass as DOMAINCOMPUTER$ (e.g. "CARROLL_NTACADLC-47$" for the computer named ACADLC-47). The problem is, as the OP indicated, the ClearPass controller is expecting computer authentication to come in the form host/%ComputerName%.ourdomain.com . How would one configure the policy to be able to connect in this form?

The second mystery is that users in a specific role (in this case, students) aren't able to log in. As best as we can tell, everything is working fine, and users in other roles on the system (faculty, staff, IT, etc.) can log on fine. When a student logs in, they just get a pinwheel for about 90 seconds, then the login window times out and shakes. When a staff member logs in, they get a pinwheel for about 10 seconds, then they're logged in. As far as the controller indicates, both the student and the staff member are authenticated just fine, so we can't tell why the students can't log in.

Anyone with ideas?

Hey @georgecm12 Did you ever find a solution to this. I am trying to get PEAP machine authentication and it appears our RADIUS configuration is looking for hostDNS not domainhost

I can craft this into the username using the profile variables but then it does not use the directory credentials for authentication.

I have reached out to apple to see if there is a way to get the directory authentication to do hostDNS.

We are having this same sort of issue. When we look at our wireless logs (Ruckus) it shows the "user" that is trying to authenticate as the computer name, when it should show the user name, thus authentication fails.

The exact same configuration profile works on 10.10.5, just not 10.11 or 10.11.1.

I have a case open with Jamf and might end up opening one with Apple as well.

@alexjdale

I tried to use your .xml code for my current setup. However, I didn't know what to do with the payload UUIDs you redacted...

I put any UUID number from somewhere else.... but it looks like it is not working.

How I can manage to get the UUID number?

Thank you very much