Network Payload on Configuration Profile settings for 802.1x Authentication Issue

zskidmor
Contributor

I know there have been a lot of discussion threads around this with various issues but I wanted to start a clean thread with the specific issue that we have been experiencing. To start off I want to describe our setup of our machines and network:
1. OS X computers are joined to a directory server (Active Directory in our case)
2. OS X Computers version range from 10.6 to 10.10 (we will ignore older versions since 10.6 doesn't even support config profiles)
3. 802.1x authentication with our network using PEAP (Active Directory is the directory server used)

What I am trying to achieve is the following:
1. Since the OS X computers are joined to a directory server, I want the OS X computers to authenticate as computer at the login window
2. User logs in to OS X with AD credentials and have them automatically connect to the network as themselves

I have configured a Configuration Profile with the following settings to accomodate this:
Distribution Method: Install Automatically
Level: Computer Level
Network Interface: Ethernet
set as a Login Window configuration is Checked
Protocols; PEAP is checked
Use Directory Authentication is Checked

I have no trust settings or certificates configured, because I am importing our Root CA certificate of our certificate authority into the system keychain with Explicit trust settings for EAP connections. This way we don't get prompts to install client certificates from our Radius servers (very handy when the certificates have to be renewed)

After applying the configuration profile, it appears that while AD users can log in to OS X (I see the Login window banner for the configuration profile installed above the username), after the computer logs in it doesn't authenticate as the user automatically, one has to go into the network preferences pane and click "Connect" which prompts for a username and password, if entered, gets saved in the login keychain and the client connects normally.

How do you get the config profile to pass the credentials through so it is a seamless experience?

4 REPLIES 4

millersc
Valued Contributor

Is this for the Users home directory? Or just a share? I'm not the AD guy, but currently we are setup similar to you. I can Connect to... my home directory without re-authenticating. If I try to hit anything other than that, I do need to auth the share.

davidacland
Honored Contributor II

I'm normally only doing this for wifi connections I'm afraid. In each case I always add the AD certificate part to the config profile so that the machine generates its own certificate from the template on the CA. I usually have to adjust the EAP type based on the site and the capabilities, TLS being the simplest option.

Its a bit of a different setup for Ethernet but I haven't had to implement that yet.

@millersc home directories are a different topic. It sounds like you've got some kerberos issues with either the servers or clients. Possibly the other servers you are connecting to aren't part of the same kerberos realm the clients are getting tickets for.

zskidmor
Contributor

@millersc][/url][/url this is doesn't have to do with the Users home directory, this has to do with authenticating to the network as the user after they have logged in to OS X

@davidacland We don't use AD certificates and we don't use EAP-TLS, we use PEAP

CGundersen
Contributor III

We have a similar workflow/config (9.62PreProd/9.63Prod) that does work with 10.9.5 . 10.10.x is not functional in our env., but Apple has owned this and will work with us toward resolution (not in 10.10.2 release).

Relevant bits:
Distribution Method - Install Automatically
Level - Computer Level
Network Interface - WiFi
Service Set Identifier (SSID) - YourSSIDHere
Auto Join - selected
Security Type - WPA/WPA 2 Enterprise
Use as a Login Window configuration - selected
Protocols - PEAP
Trust/Trusted Certificates - We use GoDaddy and I've put full chain here (we use a wildcard cert for RADIUS)
Trusted Server Certificate Names/Certificate Common Name - server/certificate name(s) pulled down from RADIUS (*.ourdomain.com)

Not sure if helpful, but might be a few things from this article you can use?:
http://support.apple.com/en-us/HT202951