Managed macOS devices intermittently failing wired and wireless authentication, any ideas?

DaveRukamp
New Contributor

Anyone have ideas on how to get the client to consistently present the computer name during the authentication attempt? My understanding is that the 'Use Directory Authentication' option in the profile configuration should be forcing this. I thought I came across an article from back in the 10.10 days where this was discovered as a bug and fixed in 10.11. Did it come back?

Problem Statement: 

Corporate managed macOS devices are intermittently failing wired and wireless authentication against the Aruba ClearPass policy. The issue appears to be that sometimes the Mac is sending the logged-in user’s username for authentication rather than the Mac Computername, which is what is expected.

 

Additional Problem Statement context:

When a Mac authenticates, the authentication attempt is passed to the ClearPass policy manager. The ClearPass policy is expecting the Mac to pass along its Computername in the 'Username' field. It then validates that this Computername is in the Macs OU in Active Directory to determine if the Mac should be on the Internal or External networks.

The problem is that a small percentage of the time the Mac is passing along the username of the user that is logged in rather than the Computername, and so it can't be validated as a corporate Mac and therefore gets put on the External network.

We don't understand the cause of this behavior. The issue could be networking related or it could be strictly client side.

 

Timing:

The current configuration had been working for over a year and only started having issues in the last month.

 

Scope:

Only some of our Macs are experiencing this. Even these are only experiencing it sometimes.

Affecting a small audience right now, <10 instances that I'm aware of.

Affecting Wired and Wireless at the ITC, Wired in building 9 and Wireless on Main Campus.

 

Workarounds:

Usually, disconnecting and reconnecting 1 or more times can get a proper connection.

Rebooting and connecting to Wi-Fi can get a proper connection.

Connecting via VPN.

 

Configuration:

Operating system versions: macOS 13 & 14

We are using Jamf to deploy network configuration settings to all Macs; below is the profile configuration.

Profile Level: Computer Level


 

4 REPLIES

DaveRukamp
New Contributor

Anyone have any ideas?

anotheruser1
New Contributor

Hi Dave, did you ever figure anything out? We're having a similar issue, except our iMacs keep sending the MAC address when trying to authenticate to our wired 802.1X network. Wireless seems fine so far. We're using Cisco ISE for authentication. I've got a ticket in with Apple and I'm waiting to hear back currently.
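A triage sketch for the symptom described in the original post and in the reply above, added here as an example and not part of anyone's post: it groups authentication attempts by client MAC and reports which Macs alternate between a computer-name identity and a username or bare MAC address. The record layout, the sample values, the inventory set and the `host/` and trailing `$` spellings it normalises are assumptions, not ClearPass or ISE export formats.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: (client MAC, identity sent in the RADIUS User-Name field).
SAMPLE_AUTHS = [
    ("a4:83:e7:00:00:01", "MAC-LT-0142"),
    ("a4:83:e7:00:00:01", "jdoe"),
    ("a4:83:e7:00:00:01", "MAC-LT-0142"),
    ("a4:83:e7:00:00:02", "host/mac-lt-0177.corp.example"),
    ("a4:83:e7:00:00:02", "MAC-LT-0177$"),
    ("a4:83:e7:00:00:03", "a483e7000003"),
    ("a4:83:e7:00:00:03", "IMAC-LAB-03"),
    ("a4:83:e7:00:00:04", "asmith"),
]
# Assumed inventory of managed computer names (e.g. exported from the Macs OU).
MANAGED_NAMES = {"MAC-LT-0142", "MAC-LT-0177", "IMAC-LAB-03"}

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}[:-]?){5}[0-9a-f]{2}$", re.IGNORECASE)

def classify(identity, managed):
    """Return 'mac-address', 'computer' or 'user' for one presented identity."""
    ident = identity.strip()
    if MAC_RE.match(ident):
        return "mac-address"
    # Assumed spellings of a machine identity: host/NAME.domain and NAME$.
    host = ident.lower().removeprefix("host/").split(".")[0].rstrip("$")
    if host.upper() in {name.upper() for name in managed}:
        return "computer"
    return "user"

def identity_report(records, managed):
    """Map each client MAC to (status, counts of identity kinds it presented)."""
    per_client = defaultdict(Counter)
    for mac, identity in records:
        per_client[mac.lower()][classify(identity, managed)] += 1
    report = {}
    for mac, kinds in per_client.items():
        if set(kinds) == {"computer"}:
            status = "consistent"        # always presented the computer name
        elif "computer" in kinds:
            status = "intermittent"      # the failure mode described in this thread
        else:
            status = "never-computer"    # unmanaged device or wrong profile
        report[mac] = (status, dict(kinds))
    return report

if __name__ == "__main__":
    for mac, (status, kinds) in sorted(identity_report(SAMPLE_AUTHS, MANAGED_NAMES).items()):
        print(mac, status, kinds)
```

Comparing the "intermittent" clients against OS version, profile scope and connection type narrows down whether the switch is tied to the client or to the network path.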

rayjd1650
New Contributor II

There was a lot of chatter in the 802.1X channel of Macadmins Slack about this. There is a way to put the system identity into the user scope so it would always pass the same profile. Here is the script that was used for wired auth:

https://github.com/eth-its/autopkg-mac-recipes-yaml/blob/main/Scripts_Tools/8021X-lan-identity.sh

and Wi-Fi:

https://github.com/eth-its/autopkg-mac-recipes-yaml/blob/main/Scripts_Tools/8021X-wifi-identity.sh

agungsujiwo
Contributor

@DaveRukamp 

I’m facing a similar issue with our Aruba Access Points. When updating the certificate, there’s a slight difficulty connecting to the Organizational Unit (OU), even though the correct username and password are used. After diagnosing the issue, I found that deleting the CPPM certificate in Keychain Access (to obtain a new certificate) resolves it.

For others, I need to push, via AirDrop or a flash disk, a .mobileconfig file containing the username, password, and the latest certificate I created in Apple Configurator. After a successful installation, the device can connect to the internet, and I delete the configuration file. When I try to log in again, the connection returns to normal.