Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Macbook, domain joined, pre-logon 802.1x authentication

  • 1.  Macbook, domain joined, pre-logon 802.1x authentication

    Posted Mar 09, 2017 01:22 PM

    I am not 100% certain how to even search for this information, and my local var doesn't have a great answer for me.

     

    How can I get a domain joined Mac to authenticate prior to login? Our problem happens when a user has a password expire, they can no longer connect to the wireless.

     

    On our Windows side, we use a policy that allows the computer to authenticate using the computer record, which allows it to be connected to allow the user to logon/change expired password.

    Really, I just want to know what my options here are. How do we get a pre-login type account setup? I understand there used to be a way with configurator, but we can't seem to replicate. We run many different versions of OS X in our environment. Approximately 5000 Macs, all joined to our domain.

    Ideally we would like a 1-size fits all method, but we are not against doing it a more challenging way for the sake of reliable connectivity. Originally our var suggested we might be able to generate a cert and use that for connecting the Macs, but we want to be able to tie the authentication, once a user is logged in, to the user. (Computers exchange hands faster than we can keep up, we are a school district and assets are transferred randomly.) If this is not possible, then we need a method to at least identify differing computers.


    We run 6.5.0.3 on a Master/Local setup.
    We have Clearpass 6.6.2
    Running AP 315/314



  • 2.  RE: Macbook, domain joined, pre-logon 802.1x authentication

    EMPLOYEE
    Posted Mar 09, 2017 01:42 PM

    You'd want to use a log in window profile.

     




  • 3.  RE: Macbook, domain joined, pre-logon 802.1x authentication

    Posted Mar 09, 2017 02:15 PM

    Does that work prior to the user logging in? Is it passing their user credentials or the computer?  both?



  • 4.  RE: Macbook, domain joined, pre-logon 802.1x authentication

    EMPLOYEE
    Posted Mar 09, 2017 02:16 PM
    Yes, the user’s credentials will be passed to the network first, then to the authenticating domain controller.


  • 5.  RE: Macbook, domain joined, pre-logon 802.1x authentication

    Posted Mar 09, 2017 02:43 PM

    Can it pass the computer account? I am worried about relying on user credentials because when a password expires, they are no longer able to connect to wifi, so they are not able to change their password. (without hardwire)



  • 6.  RE: Macbook, domain joined, pre-logon 802.1x authentication
    Best Answer

    EMPLOYEE
    Posted Mar 09, 2017 02:45 PM
    Yes, but you’d lose the user identity.

    You could try using both system and user level configuration profiles, but it’s not something I’ve had a chance to test.


  • 7.  RE: Macbook, domain joined, pre-logon 802.1x authentication

    Posted Mar 09, 2017 02:52 PM

    I'll give it a shot. I think between you (cappalli) and cjoseph I got some information to go on. I think it might be all that is needed to make this work.



  • 8.  RE: Macbook, domain joined, pre-logon 802.1x authentication

    Posted Sep 30, 2017 08:53 AM

    Hi,

     

    Have you had any luck with this as yet? I'm very keen to bring our Macs in line with our Windows PCs in terms of pre-logon wireless connectivity and authentication via machine as opposed to account name.

     

    Rich



  • 9.  RE: Macbook, domain joined, pre-logon 802.1x authentication

    EMPLOYEE
    Posted Sep 30, 2017 10:10 AM
    You can't do machine + user, but machine auth only is possible by sending a configuration profile down from your EMM solution.
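
Added illustration (not written by any poster in this thread): a Python check over a macOS `.mobileconfig` that reports whether its Wi-Fi payload authenticates before login (`SetupModes` of `System` or `Loginwindow`) and whether RADIUS server trust is pinned. The sample profile, SSID and server name are constructed; the key names are those of Apple's Wi-Fi payload.

```python
import plistlib

# Constructed sample profile (not from the thread): one Wi-Fi payload, PEAP, System mode.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadScope</key><string>System</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.wifi.managed</string>
    <key>SSID_STR</key><string>EXAMPLE-CORP</string>
    <key>EncryptionType</key><string>WPA2</string>
    <key>SetupModes</key><array><string>System</string></array>
    <key>EAPClientConfiguration</key><dict>
      <key>AcceptEAPTypes</key><array><integer>25</integer></array>
      <key>SystemModeCredentialsSource</key><string>ActiveDirectory</string>
      <key>TLSTrustedServerNames</key><array><string>radius.example.org</string></array>
    </dict>
  </dict></array>
</dict></plist>"""

EAP_NAMES = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}

def audit_wifi_payloads(profile_bytes):
    """Summarise each 802.1X Wi-Fi payload: when it authenticates and how the server is trusted."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.wifi.managed":
            continue
        eap = payload.get("EAPClientConfiguration", {})
        modes = payload.get("SetupModes", [])  # absent: ordinary user-session profile
        findings.append({
            "ssid": payload.get("SSID_STR"),
            "modes": modes,
            # System / Loginwindow are the modes that connect before a user session exists.
            "pre_logon": "System" in modes or "Loginwindow" in modes,
            # Only System mode authenticates as the machine; Loginwindow passes the user's credentials.
            "machine_identity": "System" in modes,
            "eap": [EAP_NAMES.get(t, str(t)) for t in eap.get("AcceptEAPTypes", [])],
            "credential_source": eap.get("SystemModeCredentialsSource"),
            # Without pinned server names or an anchor certificate, the supplicant may accept any RADIUS server.
            "server_trust_pinned": bool(eap.get("TLSTrustedServerNames")
                                        or eap.get("PayloadCertificateAnchorUUID")),
        })
    return findings

if __name__ == "__main__":
    for finding in audit_wifi_payloads(SAMPLE):
        print(finding)
```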


  • 10.  RE: Macbook, domain joined, pre-logon 802.1x authentication

    Posted Nov 11, 2019 02:07 AM

    Hi,

     

    I have to login AD user on 802.1x Wireless Network.

    It's showing Network Service not available.

     

    Please help me to get solution.

     

    Please provide detailed steps to solve the issue.


  • 11.  RE: Macbook, domain joined, pre-logon 802.1x authentication

    EMPLOYEE
    Posted Nov 11, 2019 03:19 AM

    This thread is two years old and things have changed considerably.  Please open a new thread with your detailed question.



  • 12.  RE: Macbook, domain joined, pre-logon 802.1x authentication

    EMPLOYEE
    Posted Mar 09, 2017 02:22 PM

    @irkednet wrote:

    I am not 100% certain how to even search for this information, and my local var doesn't have a great answer for me.

     

    How can I get a domain joined Mac to authenticate prior to login? Our problem happens when a user has a password expire, they can no longer connect to the wireless.

     

    On our Windows side, we use a policy that allows the computer to authenticate using the computer record, which allows it to be connected to allow the user to logon/change expired password.

    Really, I just want to know what my options here are. How do we get a pre-login type account setup? I understand there used to be a way with configurator, but we can't seem to replicate. We run many different versions of OS X in our environment. Approximately 5000 Macs, all joined to our domain.

    Ideally we would like a 1-size fits all method, but we are not against doing it a more challenging way for the sake of reliable connectivity. Originally our var suggested we might be able to generate a cert and use that for connecting the Macs, but we want to be able to tie the authentication, once a user is logged in, to the user. (Computers exchange hands faster than we can keep up, we are a school district and assets are transferred randomly.) If this is not possible, then we need a method to at least identify differing computers.


    We run 6.5.0.3 on a Master/Local setup.
    We have Clearpass 6.6.2
    Running AP 315/314


    Login Profile:  https://ntsystems.it/post/joining-wifi-before-login-on-mac-os-x-108