Wired 802.1x User Authentication

aburrow
Contributor

I'm trying to set up a Config. Profile that will authenticate a user via 802.1x before proceeding with AD authentication.

I've set up the profile with "Use as Login Window configuration", added the PEAP protocol, and added the Cisco ISE server's certificate common name.

When I login I can manually go to System Preferences Network/Ethernet and press "Connect" enter the user I've just logged in as and it connects fine. I don't know why it's not working from the Login window.


qdelaunay
New Contributor II

Hi aburrow,

Here's what I can already tell you about the implementation I've done in my infrastructure, because it will be difficult for me to see your configuration on a case-by-case basis:

We have separated the certificate from the 802.1X LAN and 802.1X WiFi configurations, in different configuration profiles, for long-term migration reasons (renewal of the trust authority, for example). You can see my config:

CP-802.1X-LAN (without cert)


CP-802.1X-WiFi (without cert)


CP-CERTIFICATE


On my side we have a first machine authentication (with the certificate pushed beforehand) performed to arrive in a temporary VLAN (192.168.1.1) before the user authentication, then we have the user authentication that allows us to access the appropriate VLAN (192.168.10.1).

For AD user auth to work properly with FileVault and 802.1X, we had to do some customization:
- Disable FDE AutoLogin and change login display options (https://support.apple.com/en-om/HT207431)
- Bind the Mac (I think you might be able to do this part with a third party software)

Try to dig a little deeper in that direction; I hope I could help you a little bit.

Regards,
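As an added example (not code from either poster), a small lint for the wired 802.1X payload of a .mobileconfig: it flags the settings that stop a PEAP profile from applying at the login window or that weaken its server-certificate check. The sample profile, its payload identifiers and the server name are constructed placeholders, not the poster's configuration.

```python
"""Lint a macOS Ethernet 802.1X profile for login-window PEAP use (added example)."""
import plistlib

PEAP, EAP_TLS = 25, 13  # EAP type numbers as used in AcceptEAPTypes


def lint_ethernet_8021x(profile: dict) -> list:
    """Return findings for every wired 802.1X payload in a parsed profile."""
    findings = []
    for payload in profile.get("PayloadContent", []):
        if not payload.get("PayloadType", "").startswith("com.apple.firstactiveethernet"):
            continue  # only the wired (FirstActiveEthernet) payload matters here
        eap = payload.get("EAPClientConfiguration", {})
        # "Use as Login Window configuration" is SetupModes containing "Loginwindow"
        if "Loginwindow" not in payload.get("SetupModes", []):
            findings.append("SetupModes lacks 'Loginwindow': profile only applies after login")
        if not eap.get("AcceptEAPTypes", []):
            findings.append("AcceptEAPTypes empty: no EAP method (e.g. PEAP=25) configured")
        # The RADIUS/ISE server certificate CN must be pinned, or any server is accepted
        if not eap.get("TLSTrustedServerNames"):
            findings.append("TLSTrustedServerNames empty: ISE server certificate is not pinned")
        if eap.get("TLSAllowTrustExceptions", False):
            findings.append("TLSAllowTrustExceptions true: user may accept an untrusted server")
    return findings


def lint_mobileconfig(data: bytes) -> list:
    """Parse raw .mobileconfig bytes and lint them."""
    return lint_ethernet_8021x(plistlib.loads(data))


# Constructed sample: a wired PEAP profile with three of the problems above.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.cp-802.1x-lan",  # placeholder identifier
    "PayloadContent": [{
        "PayloadType": "com.apple.firstactiveethernet.managed",
        "PayloadIdentifier": "example.cp-802.1x-lan.eth",  # placeholder identifier
        "Interface": "FirstActiveEthernet",
        "AutoJoin": True,
        "SetupModes": ["System"],  # missing "Loginwindow"
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [PEAP],
            "TLSTrustedServerNames": [],  # ISE CN not pinned
            "TLSAllowTrustExceptions": True,
        },
    }],
})

if __name__ == "__main__":
    for finding in lint_mobileconfig(SAMPLE_PROFILE):
        print(finding)
```

Run it against an exported profile with `lint_mobileconfig(open("CP-802.1X-LAN.mobileconfig", "rb").read())`; an empty list means the login-window and server-pinning settings are in place.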