- Jamf Nation Community
- Products
- Jamf Pro
- Re: Wired 802.1x with AD computer account fails to...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Wired 802.1x with AD computer account fails to send request.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 03-31-2015 04:31 PM
I am attempting to use a Configuration Profile to setup wired 802.1x for an OSX 10.10.2 system. I would like to use the computer account for authentication and have setup the configuration profile accordingly. When I attempt to connect it immediately prompts for a user name and password. I never see a request on my NPS logs on the server for the computer account. If I give it a valid username and password it works without issue.
Here is the very strange part. On the same system I have a wireless 802.1x configuration profile installed with the same setup. It works without any problem. NPS log correctly shows the valid authentication.
So as near as I can tell when I use the configuration profile to push the auto connect via computer account it never actually sends the request for authentication.
I am fairly new to OS X administration so I am unsure of what system logs I need to look at to see if the request is happening on the system or not. I though I had figured out the correct log but it is not logging any activity. Any help would be appreciated. I really do not want to go back to using user authentication via a service account.
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-01-2015 06:14 AM
@jschmidtlein This is a bug. I have been trying to setup the exact same thing in 10.9.5 and 10.10.2. I can only get wireless 802.1x to work with computer based certs. JAMF has it listed as a defect under D-008406.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-01-2015 09:42 AM
@pblake That makes sense. For the life of me I cannot figure out what the defect number you gave me corresponds to. Is there somewhere I can go and read the defect your are referencing?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-01-2015 09:48 AM
@jschmidtlein I think it is an internal JAMF defect number. You can reach out to your JAMF TAM and he/she should be able to help you. Hopefully if more people have this issue they will be able to raise the priority.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-01-2015 10:21 AM
@pblake That is very frustrating. To know there is an issue but not be able to see the specifics of it. How did you work around the issue? Even when I create a service account it is still prompting the user when it tries to connect.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-01-2015 11:04 AM
Sadly, we only rolled out wireless 802.1x for now.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-01-2015 11:08 AM
@jschmidtlein Everyone has said this to JAMF. When you speak to your TAM, bring it up. The more we ask, the more likely they are to open it to those of us that need to see it.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-03-2015 09:13 AM
@pblake So I figured out how to do this and get it working in 10.10.2 and I figured I would circle back around and explain it if you were still interested in doing it.
I created a .mobileconfig file using profile manager with the exact same settings I was trying to input via JSS. Once these settings corrected I tested them by placing them on the local system and running the following command:
/usr/bin/profiles -I -F "/Library/Org_Name_here/Settings_for_Wired-Priv.mobileconfig"
I then checked profiles in system preferences to make sure the profile was correctly added. If you run the command without sudo it will make is a user profile. If you run the command with elevation it will import as a device profile. I tested the profile with a wired 802.1x port and it worked. Once I had a working profile I moved to packaging it for JSS.
I created a script with the following in it:
!/bin/bash
/usr/bin/profiles -I -F "/Library/Org_Name_here/Settings_for_Wired-Priv.mobileconfig"
I created a dmg that created the above file location and moved the mobile config into it. From there I created a policy in JSS that installed the DMG and then ran the script to enroll the mobile config file. Make sure you select after when choosing when the script will run.
The only downside is the profile is not verified so a user with admin rights could theoretically remove the profile. Other then that it looks like it is going to work great.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-03-2015 11:23 AM
We have tons of users that are admins here, so we would need it to be verified and unremovable!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 05-22-2015 02:30 AM
bump
I want to achieve the same thing but I'm obviously facing the same problem. The solution that @jschmidtlein posted is nice but not for my environment since every user is admin on his or her device and is able to delete the profile.
Does anyone know what the current stat of the bug is? To bad that JAMF doesn't provide a bug tracker here.
