User Authentication Through Wireless

ghale
New Contributor

As a new institution to the JAMF Casper Suite I would like to enable machine log on through wireless to Macs that are bound to the domain. The goal is to try to mirror the wireless log on that is achieved on the Windows side by specifying through Group Policy the secure hidden wireless network (WPA2 Enterprise PEAP (MSCHAPv2)).
So far I have configured a payload that specifies the Network settings that includes:
• SSID
• Hidden Network
• Automatically Connect
• No Proxy
• Security Type
• Use as a Login Window Configuration
• Protocols o Accepted EAP Type is set to PEAP o Use Directory Authentication
• Under Trust Allow Trust Exceptions is checked but nothing else is specified here

Just this configuration alone displays an option on the log on screen to select the WiFi SSID specified or “None”. I can see that the wireless icon lights up for a moment then the log on fails. I have attempted to configure the AD Certificate without any luck the configuration profile fails during installation. What other items might be necessary to make this type of log on through wireless possible?

1 ACCEPTED SOLUTION

RobertHammen
Valued Contributor II

Agree with @davidacland. Get your AD machine cert part working, and make sure the AD CA root and sub certs are either part of the config or are already in the System keychain on the Mac.

Below are some steps which may help you diagnose why your AD CA profile is failing.

1) Run the following commands as a local admin to enable MCX debug logging:

sudo defaults write /Library/Preferences/com.apple.MCXDebug debugOutput -2

sudo defaults write /Library/Preferences/com.apple.MCXDebug collateLogs 1

2) Reboot the client and reproduce the issue

The logs are in /Library/Logs/ManagedClient/ManagedClient.log.

3) Disable debug logging by deleting /Library/Preferences/com.apple.MCXDebug.plist

View solution in original post

4 REPLIES 4

Look
Valued Contributor III

Our implementation has the certificates of the authentication servers in the profile and they needed to be trusted within the profile for it to work.

davidacland
Honored Contributor II

Hi, it's sounds like the AD machine certificate part is broken. When I've implemented this over used the same PEAP settings you're describing but I'm also using an AD machine cert.

I would recommend making a payload that just does the AD cert first. Once you have that working you can build on it.

One extra caveat, most people I speakto doing this are seeing very slow login times, particularly with 10.10 so you might get hit by that even if you get it all working.

RobertHammen
Valued Contributor II

Agree with @davidacland. Get your AD machine cert part working, and make sure the AD CA root and sub certs are either part of the config or are already in the System keychain on the Mac.

Below are some steps which may help you diagnose why your AD CA profile is failing.

1) Run the following commands as a local admin to enable MCX debug logging:

sudo defaults write /Library/Preferences/com.apple.MCXDebug debugOutput -2

sudo defaults write /Library/Preferences/com.apple.MCXDebug collateLogs 1

2) Reboot the client and reproduce the issue

The logs are in /Library/Logs/ManagedClient/ManagedClient.log.

3) Disable debug logging by deleting /Library/Preferences/com.apple.MCXDebug.plist

ghale
New Contributor

Thanks everyone! We use a cert that I have been told is "already included in OS X" by our Networking Services. It took a few tries but ultimately the configuration that worked was a profile that only had the "Network" section configured and the "Trust" setting had to match the name of our radius server which is also the entry in the Keychain where the radius certificate information shows up. In the debug settings mentioned here I noticed that it claimed that the SSID was not found which led me to believe it was simply those settings that were wrong. Thanks!