Contributor II

Macbook, domain joined, pre-logon 802.1x authentication

I am not 100% certain how to even search for this information, and my local var doesn't have a great answer for me.

How can I get a domain joined Mac to authenticate prior to login? Our problem happens when a user has a password expire, they can no longer connect to the wireless.

On our Windows side, we use a policy that allows the computer to authenticate using the computer record, which allows it to be connected to allow the user to log on/change an expired password.

Really, I just want to know what my options here are. How do we get a pre-login type account set up? I understand there used to be a way with Configurator, but we can't seem to replicate it. We run many different versions of OS X in our environment. Approximately 5000 Macs, all joined to our domain.

Ideally we would like a one-size-fits-all method, but we are not against doing it a more challenging way for the sake of reliable connectivity. Originally our VAR suggested we might be able to generate a cert and use that for connecting the Macs, but we want to be able to tie the authentication, once a user is logged in, to the user. (Computers exchange hands faster than we can keep up; we are a school district and assets are transferred randomly.) If this is not possible, then we need a method to at least identify differing computers.


We run 6.5.0.3 on a Master/Local setup.
We have Clearpass 6.6.2
Running AP 315/314

Guru Elite

Re: Macbook, domain joined, pre-logon 802.1x authentication

You'd want to use a login window profile.

[Screenshot attachment: Screen_Shot_2017-03-09_at_1_40_33_PM.jpg]


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II

Re: Macbook, domain joined, pre-logon 802.1x authentication

Does that work prior to the user logging in? Is it passing their user credentials or the computer's? Both?

Guru Elite

Re: Macbook, domain joined, pre-logon 802.1x authentication

Yes, the user’s credentials will be passed to the network first, then to the authenticating domain controller.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guru Elite

Re: Macbook, domain joined, pre-logon 802.1x authentication


irkednet wrote:

I am not 100% certain how to even search for this information, and my local var doesn't have a great answer for me.

How can I get a domain joined Mac to authenticate prior to login? Our problem happens when a user has a password expire, they can no longer connect to the wireless.

On our Windows side, we use a policy that allows the computer to authenticate using the computer record, which allows it to be connected to allow the user to log on/change an expired password.

Really, I just want to know what my options here are. How do we get a pre-login type account set up? I understand there used to be a way with Configurator, but we can't seem to replicate it. We run many different versions of OS X in our environment. Approximately 5000 Macs, all joined to our domain.

Ideally we would like a one-size-fits-all method, but we are not against doing it a more challenging way for the sake of reliable connectivity. Originally our VAR suggested we might be able to generate a cert and use that for connecting the Macs, but we want to be able to tie the authentication, once a user is logged in, to the user. (Computers exchange hands faster than we can keep up; we are a school district and assets are transferred randomly.) If this is not possible, then we need a method to at least identify differing computers.


We run 6.5.0.3 on a Master/Local setup.
We have Clearpass 6.6.2
Running AP 315/314


Login Profile:  https://ntsystems.it/post/joining-wifi-before-login-on-mac-os-x-108
Colin Joseph
Aruba Customer Engineering

Contributor II

Re: Macbook, domain joined, pre-logon 802.1x authentication

Can it pass the computer account? I am worried about relying on user credentials because when a password expires, they are no longer able to connect to Wi-Fi, so they are not able to change their password (without a hardwired connection).

Guru Elite

Re: Macbook, domain joined, pre-logon 802.1x authentication

Yes, but you’d lose the user identity.

You could try using both system and user level configuration profiles, but it’s not something I’ve had a chance to test.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II

Re: Macbook, domain joined, pre-logon 802.1x authentication

I'll give it a shot. I think between you (cappalli) and cjoseph I got some information to go on. I think it might be all that is needed to make this work.

New Contributor

Re: Macbook, domain joined, pre-logon 802.1x authentication

Hi,

Have you had any luck with this as yet? I'm very keen to bring our Macs in line with our Windows PCs in terms of pre-logon wireless connectivity and authentication via machine as opposed to account name.

Rich

Guru Elite

Re: Macbook, domain joined, pre-logon 802.1x authentication

You can't do machine + user, but machine auth only is possible by sending a configuration profile down from your EMM solution.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
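The machine-auth-only approach described in the thread (a System-mode 802.1X Wi-Fi profile pushed from EMM, which authenticates with the Mac's Active Directory computer account and therefore carries no user identity) can be expressed as a .mobileconfig. The following is an added example written for this thread, not code from Aruba, ClearPass or any poster. It builds such a profile with Python's plistlib and lints it for the settings that matter most on a supplicant: the profile must be device-scoped, must trust only your RADIUS CA and server names, and must not embed a static password. The payload key names (com.apple.wifi.managed, SetupModes, SystemModeCredentialsSource, TLSTrustedServerNames, PayloadCertificateAnchorUUID) are taken from Apple's Configuration Profile Reference as the author of this example knows it; verify them against the macOS versions you run. The SSID, RADIUS server name, identifiers and the CA bytes are constructed placeholders.

```python
import plistlib
import uuid

# Constructed sample values; replace with your own SSID, RADIUS server name(s) and CA certificate (DER).
SSID = "District-Secure"                      # constructed
RADIUS_SERVER_NAMES = ["clearpass.example.org"]  # constructed
CA_UUID = "0F1E2D3C-4B5A-6978-8796-A5B4C3D2E1F0"  # constructed
CA_DER = b"\x30\x03\x02\x01\x00"                 # constructed stand-in for a DER certificate


def build_system_mode_wifi_profile(ssid=SSID, radius_names=RADIUS_SERVER_NAMES,
                                   ca_uuid=CA_UUID, ca_der=CA_DER):
    """Return a device-scoped profile: a trusted-CA payload plus a System-mode 802.1X
    Wi-Fi payload that uses the AD computer account (no user identity on the network)."""
    cert_payload = {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": "org.example.radius-ca",   # constructed
        "PayloadUUID": ca_uuid,
        "PayloadDisplayName": "RADIUS CA",
        "PayloadContent": ca_der,                        # serialised as <data>
    }
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "org.example.wifi.loginwindow",  # constructed
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Login window 802.1X",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "SetupModes": ["System"],                 # apply before any user logs in
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [25],               # PEAP
            "SystemModeCredentialsSource": "ActiveDirectory",  # AD computer credentials
            "TLSTrustedServerNames": radius_names,
            "PayloadCertificateAnchorUUID": [ca_uuid],
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",                 # device profile, not a user profile
        "PayloadIdentifier": "org.example.wifi.loginwindow.profile",  # constructed
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Pre-login Wi-Fi (machine auth)",
        "PayloadContent": [cert_payload, wifi_payload],
    }


def to_mobileconfig(profile):
    """Serialise the profile dict to XML plist bytes ready to sign and deploy via EMM."""
    return plistlib.dumps(profile)


def lint_wifi_profile(profile):
    """Return findings for settings that weaken the supplicant. A profile that does not
    pin the RADIUS CA and server name completes the EAP handshake with any network that
    presents the SSID, so the client's credentials are handed to whoever answers."""
    findings = []
    if profile.get("PayloadScope") != "System":
        findings.append("PayloadScope is not System: profile will not apply at the login window")
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.wifi.managed":
            continue
        ssid = payload.get("SSID_STR", "<unnamed>")
        eap = payload.get("EAPClientConfiguration", {})
        if not eap.get("PayloadCertificateAnchorUUID"):
            findings.append(f"{ssid}: no PayloadCertificateAnchorUUID, RADIUS server cert is not pinned to a CA")
        if not eap.get("TLSTrustedServerNames"):
            findings.append(f"{ssid}: no TLSTrustedServerNames, any cert from the trusted CA is accepted")
        if "System" in payload.get("SetupModes", []) and eap.get("SystemModeCredentialsSource") != "ActiveDirectory":
            findings.append(f"{ssid}: System mode without AD computer credentials")
        if eap.get("UserPassword"):
            findings.append(f"{ssid}: static password embedded in the profile")
    return findings


def weak_profile_for_comparison():
    """The same profile with server trust removed: the shape to avoid."""
    profile = build_system_mode_wifi_profile()
    eap = profile["PayloadContent"][1]["EAPClientConfiguration"]
    del eap["TLSTrustedServerNames"]
    del eap["PayloadCertificateAnchorUUID"]
    return profile


if __name__ == "__main__":
    good = build_system_mode_wifi_profile()
    print(to_mobileconfig(good).decode())
    print("good profile findings:", lint_wifi_profile(good))
    print("weak profile findings:", lint_wifi_profile(weak_profile_for_comparison()))
```

The lint mirrors the trade-off stated in the thread: with SystemModeCredentialsSource set to ActiveDirectory the Mac joins before anyone logs in (so an expired user password no longer locks the machine off the network), at the cost of RADIUS seeing only the computer account. Sign the generated file before deploying it, and keep the CA and server-name checks in place; they are what stops an impostor SSID from harvesting the computer credentials.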