Wired 802.1x with AD computer account fails to send request.

jschmidtlein
New Contributor

I am attempting to use a Configuration Profile to set up wired 802.1x for an OSX 10.10.2 system. I would like to use the computer account for authentication and have set up the configuration profile accordingly. When I attempt to connect it immediately prompts for a username and password. I never see a request on my NPS logs on the server for the computer account. If I give it a valid username and password it works without issue.

Here is the very strange part. On the same system I have a wireless 802.1x configuration profile installed with the same setup. It works without any problem. NPS log correctly shows the valid authentication.

So as near as I can tell when I use the configuration profile to push the auto connect via computer account it never actually sends the request for authentication.

I am fairly new to OS X administration so I am unsure of what system logs I need to look at to see if the request is happening on the system or not. I thought I had figured out the correct log but it is not logging any activity. Any help would be appreciated. I really do not want to go back to using user authentication via a service account.


pblake
Contributor III

@jschmidtlein This is a bug. I have been trying to set up the exact same thing in 10.9.5 and 10.10.2. I can only get wireless 802.1x to work with computer based certs. JAMF has it listed as a defect under D-008406.

jschmidtlein
New Contributor

@pblake That makes sense. For the life of me I cannot figure out what the defect number you gave me corresponds to. Is there somewhere I can go and read the defect you are referencing?

pblake
Contributor III

@jschmidtlein I think it is an internal JAMF defect number. You can reach out to your JAMF TAM and he/she should be able to help you. Hopefully if more people have this issue they will be able to raise the priority.

jschmidtlein
New Contributor

@pblake That is very frustrating. To know there is an issue but not be able to see the specifics of it. How did you work around the issue? Even when I create a service account it is still prompting the user when it tries to connect.

pblake
Contributor III

Sadly, we only rolled out wireless 802.1x for now.

millersc
Valued Contributor

@jschmidtlein Everyone has said this to JAMF. When you speak to your TAM, bring it up. The more we ask, the more likely they are to open it to those of us that need to see it.

jschmidtlein
New Contributor

@pblake So I figured out how to do this and get it working in 10.10.2 and I figured I would circle back around and explain it if you were still interested in doing it.

I created a .mobileconfig file using Profile Manager with the exact same settings I was trying to input via JSS. Once these settings were corrected I tested them by placing them on the local system and running the following command:

/usr/bin/profiles -I -F "/Library/Org_Name_here/Settings_for_Wired-Priv.mobileconfig"

I then checked Profiles in System Preferences to make sure the profile was correctly added. If you run the command without sudo it will make it a user profile. If you run the command with elevation it will import as a device profile. I tested the profile with a wired 802.1x port and it worked. Once I had a working profile I moved to packaging it for JSS.

I created a script with the following in it:

#!/bin/bash

# Import the wired 802.1x profile; run as root so it lands as a device profile
/usr/bin/profiles -I -F "/Library/Org_Name_here/Settings_for_Wired-Priv.mobileconfig"

I created a dmg that created the above file location and moved the mobile config into it. From there I created a policy in JSS that installed the DMG and then ran the script to enroll the mobile config file. Make sure you select after when choosing when the script will run.

The only downside is the profile is not verified so a user with admin rights could theoretically remove the profile. Other than that it looks like it is going to work great.
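The procedure above (import with `profiles -I -F` as root so it becomes a device profile, then confirm it in the profile list) as an added example script. This is not the poster's script or anything from JAMF: the profile path and the PayloadIdentifier `com.example.wired8021x` are assumptions, and the `_computerlevel[...] attribute: profileIdentifier: ...` line format is what `profiles -P` prints on 10.10 for device profiles, which you should confirm on your own build. The `check` mode exists because of the caveat the post ends on: a profile installed this way is not MDM-managed, so an admin user can remove it with `profiles -R`, and a recurring policy (or extension attribute) running the check is the cheapest way to notice.

```shell
#!/bin/bash
# Added example, not the original poster's script. Installs the wired 802.1x
# .mobileconfig as a device profile and verifies it is listed at device level.
# PROFILE_PATH and PROFILE_ID are assumed values for illustration.
set -eu

PROFILE_PATH="/Library/Org_Name_here/Settings_for_Wired-Priv.mobileconfig"
PROFILE_ID="com.example.wired8021x"   # assumed top-level PayloadIdentifier of the profile

# `profiles -I` only imports at device level when run as root; as an ordinary
# user it quietly becomes a user profile, which is useless for machine auth
# before anyone has logged in.
require_root() {
  [ "$(id -u)" -eq 0 ]
}

# Reads `profiles -P` output on stdin; returns 0 if the given identifier is
# listed as a device-level ("_computerlevel") profile, 1 otherwise.
# A user-level entry ("jdoe[1] attribute: ...") deliberately does not count.
device_profile_listed() {
  grep -q "^_computerlevel\[[0-9]*\] attribute: profileIdentifier: $1\$"
}

# Exit status says whether the device profile is still present; suitable for a
# recurring JSS policy or extension attribute to catch admin users removing it.
check_profile() {
  if /usr/bin/profiles -P | device_profile_listed "$PROFILE_ID"; then
    echo "device profile $PROFILE_ID present"
  else
    echo "device profile $PROFILE_ID MISSING" >&2
    return 1
  fi
}

install_profile() {
  require_root || { echo "run with sudo, otherwise this installs as a user profile" >&2; return 1; }
  [ -f "$PROFILE_PATH" ] || { echo "missing $PROFILE_PATH" >&2; return 1; }
  /usr/bin/profiles -I -F "$PROFILE_PATH"
  # Do not trust the exit code alone: confirm it is actually a device profile.
  check_profile
}

# Usage: sudo ./wired8021x.sh install   (from the JSS policy, run "After")
#        sudo ./wired8021x.sh check     (recurring policy / extension attribute)
case "${1:-}" in
  install) install_profile ;;
  check)   check_profile ;;
esac
```

Run it as the policy script with the `install` argument after the DMG has put the .mobileconfig in place; schedule it again with `check` if you want to know when an admin has removed the profile.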

pblake
Contributor III

We have tons of users that are admins here, so we would need it to be verified and unremovable!

skeb1ns
Contributor

bump

I want to achieve the same thing but I'm obviously facing the same problem. The solution that @jschmidtlein posted is nice but not for my environment since every user is admin on his or her device and is able to delete the profile.

Does anyone know what the current state of the bug is? Too bad that JAMF doesn't provide a bug tracker here.