Wireless laptops, 802.1X and logon policies

fsjjeff
Contributor II

Hey all,

I'm trying to implement a policy that will install Skype based on AD group membership. I see when I choose an AD group as the scope of a policy that I can only make a Self Service, Login or Logout policy, which works fine for computers that are connected via Ethernet during login/logout.

However, we have about 3500 laptops, connecting to an 802.1X wireless network, and they don't connect to the wireless until the user logs into their account (mobile accounts). In my testing, this messes up both the Login policy (doesn't have a network soon enough to start downloading the install dmg, or execute the policy) and Logout (disconnects before the policy can happen).

Every30 works if I assign a policy via computer, but in our environment AD groups make WAY more sense, and involve a lot less grunt work (i.e. compiling a list of computers for each policy).

We could require the users to plug in to Ethernet before logging in to install certain apps, but can't say we're really thrilled about this due to logistics (these are mostly student laptops and there aren't really a lot of Ethernet drops in classrooms).

Any ideas on other ways to do this?

Note: Running Casper 7.2.1 - haven't upgraded yet.

Jeff Dyck | Network Analyst - Mac OS X
Conseil Scolaire Francophone de la Colombie-Britannique (SD 93)
3550 Wellington Street, Annexe B - Port Coquitlam, BC - V3B 3Y5
Tel: 778-284-0902 - Cell: 778-990-7960 - http://support.csf.bc.ca

4 REPLIES

Not applicable

Wouldn't creating a system profile for 802.1x be the best solution? Then
your Macs have a wireless connection once they hit the login window. It's
pretty easy to do with 10.6, and you can use the networksetup command line to
export/import the config.

fsjjeff
Contributor II

(Just realized I replied just to Chad, resending to list)...

I may have to explore that - to be honest, with both 10.4 and 10.5 (we're now on 10.6), my attempts to use a profile at the loginwindow resulted in big problems with AD - in particular, we would end up where the user could no longer log in. I gave up on using that and instead completely disable the wireless when the user logs out.

I haven't really tried it with 10.6 though. And I think I was mostly focused on the loginwindow profile, rather than the system level. I will have to explore that more.

Jeff

Bukira
Contributor

Hi,

Well, I use 10.6 and a login profile and it works ace in 10.6, no problems whatsoever, and I can export profiles which I can then apply per machine during imaging, then login policies work.

Happy to help

Criss

Criss Myers
Senior Customer Support Analyst (Mac Services)
iPhone / iPad Developer
Apple Certified Technical Coordinator v10.5
LIS Development Team
Adelphi Building AB28
University of Central Lancashire
Preston PR1 2HE
Ex 5054
01772 895054

Not applicable

Jeff,

This really isn't a Casper issue exactly, however we are in the process of
setting up a similar setup here with 802.1x.

If you frequently will run policies at startup/logout you may want to look
at using an 802.1x System Profile instead of a User Profile. User profiles
will load and connect to the network once a user logs in, while a System
Profile will authenticate at startup. We've been running this method and
it's been working fine with policies.

Hope that helps!

-- Jason Weber
Technology Support Cluster Specialist
Independent School District 196
jason.weber at district196.org