Wired 8021x Machine Authentication

BOBW
Contributor II

Hi All,

I know this has been mentioned several times, but after trying all the suggestions it still isn't working.

10.10.4 clients
Currently I can get machine-based certs from AD fine using Profile Manager.
When I add a network payload configured:
Network Interface: Ethernet
PROTOCOLS
EAP type: TTLS - PEAP, this is taken from when I manually connect as a user
Username and PW blank, although I have tried many things including %AD_ComputerID%, host/ Machine MacComputer (AD Template), all in the UN field and leaving PW blank
Identity Certificate: AD Certificate, pre-configured and verified working
Inner Auth: MSCHAPv2
Outer Identity: blank
TRUST
Installed every possible certificate I can get my hands on, including Domain, Root, and 3 RADIUS servers
Trusted Server Certificate names: I added each of the certificate names here separately, then added all of them together, then left it blank.

Hopefully someone has some ideas on how I can get this working. I have confirmed with our network team that I should be able to authenticate using the AD Machine based certificate.

Thanks in Advance

EDIT: I cannot find where to turn on logging for this either, to check what is happening...

EDIT2: So... a little more trial and error, and I have managed to get a little further: it is now prompting to use a profile. Is there any way to automate this so there is no user interaction?
When I select the 802.1x profile it then prompts "Select the certificate or enter username and password for this 802.1x network". I select certificate (any way to automate this as well?),
and it then prompts for the machine password???

1 ACCEPTED SOLUTION

cvangorp
New Contributor III

Unfortunately 802.1X doesn't work as expected in 10.10. Apple is aware of this flaw and it appears it will be fixed in 10.11. There are several threads on here regarding 802.1X issues wireless and wired, with 10.10. We have seen that users have to click on Connect in the network pref pane, it will not login using their bound AD login, sometimes it will if you are on network at login screen. If you disconnect and reconnect wired or wireless it will not auto login. The mac never attempts to send the information to the network.


7 REPLIES

BOBW
Contributor II

@cvangorp yep you were right.....

First attempt on 10.11 works a treat......

Now to upgrade 1000 mac users to a beta version of the OS......

Joking ;)

Goober22
New Contributor III

I was able to get connected to an 802.1X network with a little help from the guys at JAMF and a little bit of what I already knew. It is a manual process for me as I cannot push it via JAMF at the moment, but I am able to get it working and connected. As long as you know what your cert server is you should be golden. There are some bugs, but I got this one working with a bit of elbow grease.

You could try connecting wirelessly. It is working a lot better for me than being wired.

BOBW
Contributor II

@Goober22 yeah, we have 802.1X working on wireless (this is only required for user authentication), but the idea would be to have the lab machines (on Ethernet) auto-connected with no user interaction.

BOBW
Contributor II

OK,
It seems I am a little closer:

Not sure if this is going to help many people, but after several days of trying different things I thought if it helps one person it's worth it.

In the Certificate server field of the AD certificate payload, this had to be http://server.domain.com/certsrv
Once this was done, we had rules on our network to NAT HTTP traffic internally; once those were taken off we could get our certificates (we are using different VRFs, so each machine was in a quarantine IP range prior to authentication).
And lastly, our AD server has to allow authentication for the computer.

So it seems that while I spent days looking at this, it was all networking and AD server settings causing the problems...

Waiting for our sysadmin team to decide if they want to allow this last setting...

Will let you know how it all goes when I am done and each machine can authenticate correctly.

djwojo
Contributor

I've had excellent luck making the mobile config profile with the OS X Server Profile Manager upon JAMF's recommendations. We use a config network payload with AD Authentication, Wired EAP-TTLS, and trusted Server Certificate names. I am not sure what the missing piece was, but creating the profile on the server, downloading, and uploading back to the JSS works for both wired and wireless.

Our symptoms were not being able to connect at all on wired TTLS - it was passing through a cert name to RADIUS rather than the machine name. On wireless we were getting constant disconnects between APs and also on sleep or log out.
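As an added check (not code from this thread, from Jamf or from Profile Manager): a Python validator that loads a .mobileconfig and reports whether its wired payload carries the settings BOBW lists in the original post and djwojo's Profile Manager export ends up with: EAP-TTLS, MSCHAPv2 inner auth, an identity certificate, TLSTrustedServerNames, and a RADIUS CA anchor that actually exists in the same profile. It assumes Apple's documented payload keys (EAPClientConfiguration, AcceptEAPTypes, TTLSInnerAuthentication, TLSTrustedServerNames, PayloadCertificateAnchorUUID, SetupModes); the System setup-mode check is an addition for the no-user-interaction requirement rather than something the thread states, and the UUIDs in the sample are placeholders.

```python
import plistlib
from typing import List

EAP_TTLS = 21  # AcceptEAPTypes value for EAP-TTLS (25 is PEAP, 13 is EAP-TLS)
CERT_PAYLOAD_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1",
                      "com.apple.security.pkcs12", "com.apple.security.pem"}
ETHERNET_INTERFACES = {"FirstActiveEthernet", "AnyEthernet", "BuiltInEthernet"}


def check_wired_8021x_profile(mobileconfig: bytes) -> List[str]:
    """Return problems in a profile's Ethernet 802.1X payload; [] means it has
    TTLS/MSCHAPv2, an identity cert, System mode and a pinned RADIUS trust."""
    payloads = plistlib.loads(mobileconfig).get("PayloadContent", [])
    # UUIDs of certificate payloads that could serve as RADIUS trust anchors
    cert_uuids = {p.get("PayloadUUID") for p in payloads
                  if p.get("PayloadType") in CERT_PAYLOAD_TYPES}
    wired = [p for p in payloads if p.get("Interface") in ETHERNET_INTERFACES]
    if not wired:
        return ["no Ethernet network payload in profile"]
    problems = []
    for net in wired:
        eap = net.get("EAPClientConfiguration", {})
        if EAP_TTLS not in eap.get("AcceptEAPTypes", []):
            problems.append("AcceptEAPTypes does not include TTLS (21)")
        if eap.get("TTLSInnerAuthentication") != "MSCHAPv2":
            problems.append("TTLSInnerAuthentication is not MSCHAPv2")
        if not net.get("PayloadCertificateUUID"):
            problems.append("no identity certificate (PayloadCertificateUUID) set")
        if "System" not in net.get("SetupModes", []):
            problems.append("SetupModes lacks System: no join without a logged-in user")
        if not eap.get("TLSTrustedServerNames"):
            problems.append("TLSTrustedServerNames is empty: RADIUS name not checked")
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors:
            problems.append("PayloadCertificateAnchorUUID is empty: RADIUS CA not pinned")
        problems += [f"anchor {u} matches no certificate payload in this profile"
                     for u in anchors if u not in cert_uuids]
        if eap.get("TLSAllowTrustExceptions") is True:
            problems.append("TLSAllowTrustExceptions is true: user may accept unknown server")
    return problems


def sample_profile(trusted_names, anchors, setup_modes) -> bytes:
    """Constructed sample with placeholder UUIDs, not a real Profile Manager export."""
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
        {"PayloadType": "com.apple.security.root", "PayloadUUID": "CA-UUID-PLACEHOLDER"},
        {"PayloadType": "com.apple.firstactiveethernet.managed", "Interface": "FirstActiveEthernet",
         "PayloadCertificateUUID": "AD-CERT-UUID-PLACEHOLDER", "SetupModes": setup_modes,
         "EAPClientConfiguration": {"AcceptEAPTypes": [EAP_TTLS], "TTLSInnerAuthentication": "MSCHAPv2",
          "TLSTrustedServerNames": trusted_names, "PayloadCertificateAnchorUUID": anchors}}]})
```

Run it against a real export with `check_wired_8021x_profile(open("profile.mobileconfig", "rb").read())`; an empty trusted-names list or a dangling anchor UUID is exactly the state where the client will happily talk to any RADIUS server presenting a certificate.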

Kaltsas
Contributor III

@djwojo Are you signing the mobileconfig before uploading it to the JSS?