Posted on 08-02-2015 09:36 AM
I prefer my site-enrolled laptops to always be Ethernet-connected, using an Ethernet adapter, etc.
Of course, many laptop users don't listen. I have laptops in my site where, no matter when the users authenticate to the correct enterprise Wi-Fi network, the next time they restart the laptop, Wi-Fi gets set back to the Guest Wi-Fi network.
The laptops are not Active Directory joined.
I'm pretty sure many of the users' laptop logins are the same as their netid/password. If not, would this be a problem (I'm sure it would)? I'm pretty sure this depends on an AD/RADIUS server type of authentication process?
Will creating a Wi-Fi network configuration profile eliminate this wrong Wi-Fi network connection from happening? I want it so that when the user logs in, they also get connected to the correct Wi-Fi network (whether connected to Ethernet or not).
In the configuration profile settings, do I choose the option?
----- use as a Login Window configuration
User logs in to authenticate the Mac to the network
Posted on 08-02-2015 02:05 PM
You will probably need these three options and want Enterprise security, and may need to make sure the right protocols are selected for the network, i.e. PEAP:
Auto Join
Use as a Login Window configuration
Use Directory Authentication
It is also worth noting at this point that there is a fairly common bug in 10.10 and automatic Wi-Fi for AD where the auto-join on wake from sleep doesn't work properly. It appears to be resolved in 10.11 and wasn't present in 10.9, but there is currently no proper fix for 10.10. You can do things like drop to the Login Window from fast user switching to reconnect, or go into the Network Preferences and reconnect there (it will prompt for the password again).
Posted on 08-03-2015 12:27 PM
How does the 'Use Directory Authentication' (Authenticate with the target computer's directory credentials) process work?
These laptops are not part of Active Directory.
If I have 'Use Directory Authentication' unchecked, I am provided with 2 additional areas to fill out information.
-- Username 'Username for connection to the network'
-- Password 'Password for the provided username'
What 'username' and 'password' should go here?
Posted on 08-03-2015 02:08 PM
Sorry, I missed the not bound to AD bit...
Not certain, but I think if you want to use Login Window authentication the devices will probably need to be bound to a directory service of some sort, otherwise you have no guarantee that the username & password being entered is valid for the Wi-Fi.
Whether the username:password option is available or not depends on the protocol you have selected; we are using PEAP, for example, and this doesn't request it.
Posted on 08-03-2015 03:25 PM
We are using PEAP also. If 'Use Directory Authentication' is checked, no username/password is requested.
If 'Use Directory Authentication' is NOT checked, a username/password is requested.
Is it authenticating to the Wi-Fi based on the computer being AD bound? If so, how does that work? What credentials does it use?
Or does it authenticate to the Wi-Fi based on the user's login/password?
Posted on 08-03-2015 04:04 PM
I've only ever tried PEAP auth and login window auth with AD joined Macs but I'm pretty sure it's a pre-requisite. The user enters their username and password at the login window, these credentials are used to connect to the wireless (or wired) network, and then used to authenticate the user at the login window.
If the Mac isn't joined to the directory the login window will just shake.
Posted on 08-05-2015 10:27 AM
Thanks @davidacland
I'm trying to understand the process that the Wi-Fi config profile takes, before I even test it.
Is this considered 802.1X?
Posted on 08-05-2015 11:27 AM
Correct, this would be 802.1X
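
Added for reference after the thread (an example written here, not from any poster and not Jamf's own code): a Python check of a Wi-Fi configuration profile for the options discussed above (Auto Join, Login Window mode, PEAP), which also flags a username or password stored in the profile. The key names are those of Apple's Wi-Fi payload (`com.apple.wifi.managed`); the sample profile and SSID are constructed, and the 'Use Directory Authentication' checkbox is not checked because the thread does not say which key it sets.

```python
import plistlib

PEAP = 25  # EAP method number for PEAP

# Constructed sample profile (placeholder SSID), not taken from the thread.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.wifi.managed</string>
    <key>SSID_STR</key><string>EXAMPLE-ENTERPRISE</string>
    <key>AutoJoin</key><true/>
    <key>EncryptionType</key><string>WPA2</string>
    <key>SetupModes</key><array><string>Loginwindow</string></array>
    <key>EAPClientConfiguration</key><dict>
      <key>AcceptEAPTypes</key><array><integer>25</integer></array>
    </dict>
  </dict></array>
</dict></plist>"""


def audit_wifi_payloads(profile_bytes):
    """Return {SSID: [findings]} for every Wi-Fi payload in the profile."""
    profile = plistlib.loads(profile_bytes)
    report = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.wifi.managed":
            continue
        eap = payload.get("EAPClientConfiguration", {})
        findings = []
        # AutoJoin defaults to true when the key is absent.
        if not payload.get("AutoJoin", True):
            findings.append("AutoJoin is off")
        # Login Window mode: the credentials typed at login are used for 802.1X.
        if "Loginwindow" not in payload.get("SetupModes", []):
            findings.append("not a Login Window configuration")
        if PEAP not in eap.get("AcceptEAPTypes", []):
            findings.append("PEAP not accepted")
        # A fixed account in the profile is shared by every Mac that installs it.
        if "UserName" in eap or "UserPassword" in eap:
            findings.append("static credentials embedded in profile")
        report[payload.get("SSID_STR", "<no SSID>")] = findings
    return report


if __name__ == "__main__":
    print(audit_wifi_payloads(SAMPLE_PROFILE))
```

A signed `.mobileconfig` is wrapped in a CMS envelope and has to be unwrapped to its plist before `plistlib` can read it.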