Wireless Access

last person joined: 42 minutes ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Machine Authentication and Mac Lion

  • 1.  Machine Authentication and Mac Lion

    Posted Jul 16, 2012 12:19 PM

    We have been working on getting our Mac to do Machine Authentication on our wireless.  So far we have had some great success using profile manager.  The "Use Directory Authentication" check box is not formatting the username of the machine.  We are using a Script to fix the issue, before installing the profile.  How are other people getting machine authentication working on Mac.

     

     



  • 2.  RE: Machine Authentication and Mac Lion

    Posted Jul 21, 2012 07:13 PM

    Wow, I would love to hear more about how youre doing this. I've been searching for a solution to machine auth and OS X.

     

    You're the first person I've heard that says they have a solution.

     

    Is it actually doing "machine authentication" or user auth by binding the macbook to the domain? I know you can join OS X to a domain, but I've never seen machine authentication work even when the Mac joined to the domain shows up as a Domain Computer in Active Directory.



  • 3.  RE: Machine Authentication and Mac Lion

    Posted Jul 31, 2012 09:59 AM

    We created 2 profiles with Profile manager one for joining to the domain ( and other stuff our Mac administrator wants to have on the Mac)  and a second one for WIFI. We also have a small Bash script that is needed to fix Macs bad formatting of the machine user name and password.

     

    Once the DeployStudio is done imaging the Computer, the script is run.

     

    - First the Domain .mobileconfig is installed.

    - Get the machine creds from the Keychain ( under the Active Directory section )

    - Put the machine creds into the second WIFI .mobileconfig

    - install the WIFI .mobileconfig

     

    Delete the profiles form the computer ( security reason on this one)

     

    Done!

     

    Capture Computer in machine role.PNG

     Capture Computer in Auth role.PNG

     

     



  • 4.  RE: Machine Authentication and Mac Lion

    Posted Oct 18, 2012 12:14 PM

    Hi Overclocked,

     

    We are looking to accomplish the same thing with our mac systems. Could you provide a bit more detail on the  bash script?

     

    Thank you.



  • 5.  RE: Machine Authentication and Mac Lion

    Posted Oct 25, 2012 01:49 PM

    Great thread.

     

    The way I setup machine authentication (domain computer) on macs at my company is using the System Keychain /Active Directory/(Your Domain) login credentials.

     

    If you double click the keychain, the login for username/password is the Account: and check the box for Show password which usually shows some gibberish.

     

    So when I connecting to my corporate SSID, I use the information above.

     

    Only problem is that once every so often, the /Active Directory/(Your Domain) system keychain password changes. So users have to re-enter the new password when connecting to the SSID.

     

    Overclocked, do you have this problem too?

     

     



  • 6.  RE: Machine Authentication and Mac Lion

    Posted Nov 09, 2012 01:33 PM

    For the AD password change we put the computer into an OU that doesn't update the machine password.   I have not found an automatic way to keep the password up to date, yet.  Pulling the password out or the keychain and putting it into the .profile, will work but not convenient.

     

    Here is the bash script that we use

     

    =======================================================================================
    #The following script modifies two Lion Server profiles (.mobileconfig).
    #- Modifies the domain profile to contain a proper AD computer name (using hyphens 
    #  instead of the default underscores)
    #
    #- Extracts the computers machine password from the Security keychain.  This is added
    #  after being bound to the domain.
    #
    #- Modifies the WiFi script to contain a properly formatted computer name 
    #  ("host/computername.domain" as per MSCHAPv2) and the extracted machine password
    #
    #  written by BvS, 2012-07-06,  comments wifi@humber.ca
    
    #!/bin/bash
    _domainProfile="/Users/Shared/Settings_for_HUMBER.ORG_Admin.mobileconfig"
    _wifiProfile="/Users/Shared/Settings_for_HUMBER.ORG_Admin_Wifi.mobileconfig"
    _compName=$(scutil --get LocalHostName)
    
    #replace our computername placeholder with actual computer name in the domain profile
    sed -i "" -e "s/CN_PLACEHOLDER/${_compName}/" $_domainProfile
    
    #install the domain profile
    /usr/bin/profiles -I -F $_domainProfile
    
    #extract the machine password from the security keychain
    security dump-keychain -d /Library/Keychains/System.keychain | split -a2 -p "keychain:" - /tmp/part_
      _fileName=$( grep -l -e "Active Directory" /tmp/part_* )
      _unpw=$( tail -n1 ${_fileName} | tee ${_fileName})
      _unpw=$( cut -b 2-$((${#unpw}-1)) ${_fileName})
    
    #replace our username and userpassword placeholders with actual values
    sed -i "" -e "s/UN_PLACEHOLDER/host\/${_compName}.humber.org/" $_wifiProfile
    sed -i "" -e "s/UNPW_PLACEHOLDER/${unpw}/" $_wifiProfile
    
    #install the modified profile
    /usr/bin/profiles -I -F $_wifiProfile
    
    #clean up files
    srm $_domainProfile
    srm $_wifiProfile
    srm /tmp/part_*