Hi everyone and happy new year.
I need to discuss how to make use of 802.1x Configuration Profiles. Something is not clicking with me.
We have Cisco ISE as a RADIUS server and the network devices (Cisco Wireless LAN Controllers) make calls to it for PEAP (MSCHAP-V2) authentications. The user identities in the RADIUS system are derived from an Active Directory using ISE's AD connector.
My usage scenario that I am designing right now is 1:1 MacBooks. A decision has not yet been made about these devices being joined to the Active Directory. Using Casper Imaging I can easily have a named individualised local user account built that matches the machine 'owner'. We have already done this for years using alternate deployment techniques and this would be the main reason for even bothering with a 1:1 machine joined to a directory.
My thought process at this point is around how to stage the wireless connection onto the devices. If I use the Casper tools to join AD as part of the imaging process I have been able to successfully make use of an 802.1x configuration profile containing EAP server and root CA certificates that is pushed to the device via MDM at the end of the imaging process. This configuration profile makes an AD login possible at the OS X login window (which is a big win in itself and seems to work smoothly in testing). The login window changes to have the drop-down WiFi profile list available and a yellow dot appears in the username field. I presume this is how things are supposed to be.
HOWEVER, what happens if OS X is started when the machine is away from the WiFi network? If the user has already established their mobile account the system logs in fine. The OS X machine is then brought onto the premises in a sleep state. The machine wakes up and despite the wifi profile being on the machine, credentials are not passed for authentication. The user must log out and back in again to get a wireless connection. Is this behaviour for real?
That is the first part of my question. The second part of my question is the result of not being able to solve that undesirable behaviour.
If I use our old method of having a local account matching the person's name built during the imaging process, then a wireless connection at the login window is not required. In this scenario I can either tell the user to join the wireless network manually or attempt to have it taken care of for them with the configuration profile that is delivered at the end of imaging via MDM.
If I tell the user to join the wireless network manually, the familiar certificate trust message will appear when the EAP tunnel is established. This occurs even if the certificate is signed by a public CA that trust stores normally trust (mine is signed by DigiCert). The goal is to suppress the certificate trust message. I understand the only way to do this is by using a configuration profile that contains the network settings as well as the certificate that is being presented for secured EAP communications and possibly the certificate of the signing CA and any intermediates (this is what I was doing successfully in my first question).
HOWEVER, if I attempt to do that, I need to populate the username/password fields in the configuration profile. How can I possibly know the username and password and have individualised configuration profiles for hundreds of users? These aren't generic logins.
I have tried leaving username/password fields blank (even though the JSS' configuration profile builder has [Required]), and this results in a profile on the OS X system that seems to be stuck in an authentication loop. It doesn't pass any credentials and it doesn't prompt the user to enter anything.
I want the 802.1x supplicant to prompt the user for their credentials and take advantage of the profile being present that contains the certificates so that there is no ugly prompt for the user to trust the certificate. These are assets owned by our organisation and can be staged however I need; not BYO where a trust message appearing would be acceptable.
Am I even on the right track here with understanding all of this? Is it solvable?
Thanks!
John
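For readers following the discussion of what such a profile contains, below is an added illustration of the PEAP Wi-Fi payload described in the post, written for this page rather than taken from John's post, Jamf or Apple. The payload keys (`com.apple.wifi.managed`, `EAPClientConfiguration`, `AcceptEAPTypes`, `TLSTrustedServerNames`, `PayloadCertificateAnchorUUID`, `TLSAllowTrustExceptions`, `SetupModes`, `com.apple.security.root`) are the ones documented in Apple's Configuration Profile Reference; the SSID, the RADIUS server name, every UUID and the certificate data are placeholders. The `UserName` and `UserPassword` keys, which Apple's reference lists as optional, are left out entirely rather than set to empty strings, since the profile's job in this scenario is to pin the EAP server's identity, not to carry per-user credentials.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.wifi-8021x</string>
  <key>PayloadUUID</key><string>PLACEHOLDER-TOP-LEVEL-UUID</string>
  <key>PayloadDisplayName</key><string>Corporate Wi-Fi (PEAP)</string>
  <key>PayloadContent</key>
  <array>

    <!-- Root CA payload. Its UUID is referenced below as the trust anchor,
         which is what stops the "verify certificate" prompt from appearing. -->
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.wifi-8021x.rootca</string>
      <key>PayloadUUID</key><string>PLACEHOLDER-ROOTCA-UUID</string>
      <key>PayloadDisplayName</key><string>EAP Root CA</string>
      <!-- Placeholder: replace with the base64 DER of the issuing root CA -->
      <key>PayloadContent</key>
      <data>PLACEHOLDER_BASE64_DER_ROOT_CA</data>
    </dict>

    <!-- Wi-Fi payload with the 802.1X (EAP) client settings -->
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.wifi-8021x.wifi</string>
      <key>PayloadUUID</key><string>PLACEHOLDER-WIFI-UUID</string>
      <key>PayloadDisplayName</key><string>Corporate Wi-Fi</string>
      <key>SSID_STR</key><string>PLACEHOLDER-SSID</string>
      <key>AutoJoin</key><true/>
      <key>EncryptionType</key><string>WPA</string>
      <!-- "User" mode: the network is used once a user is logged in.
           "Loginwindow" / "System" are the other documented modes. -->
      <key>SetupModes</key>
      <array><string>User</string></array>
      <key>EAPClientConfiguration</key>
      <dict>
        <!-- 25 = PEAP; the inner method is MSCHAPv2 -->
        <key>AcceptEAPTypes</key>
        <array><integer>25</integer></array>
        <!-- Only a server certificate whose name matches AND chains to the
             anchor above is accepted. A public CA alone is not pinning:
             any certificate that CA issued would otherwise pass. -->
        <key>TLSTrustedServerNames</key>
        <array><string>radius.example.com</string></array>
        <key>PayloadCertificateAnchorUUID</key>
        <array><string>PLACEHOLDER-ROOTCA-UUID</string></array>
        <!-- Do not let the user click through an untrusted server -->
        <key>TLSAllowTrustExceptions</key><false/>
        <!-- UserName / UserPassword intentionally omitted (not blank) -->
      </dict>
    </dict>

  </array>
</dict>
</plist>
```

The point worth checking in any profile like this is the pair `TLSTrustedServerNames` plus `PayloadCertificateAnchorUUID`: together they make the supplicant accept only the organisation's RADIUS server, whereas a profile that merely installs the CA still trusts every server certificate that CA has issued. If a profile builder emits `UserName`/`UserPassword` as empty strings instead of leaving them out, comparing the generated `.mobileconfig` against the shape above is a quick way to see the difference.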