- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
03-09-2017 10:21 AM
I am not 100% certain how to even search for this information, and my local var doesn't have a great answer for me.
How can I get a domain joined Mac to authenticate prior to login? Our problem happens when a user has a password expire, they can no longer connect to the wireless.
On our windows side, we use a policy that allows the computer to authenticate using the computer record, which allows it to be connected to allow the user to logon/change expired password.
Really, I just want to know what my options here are. How do we get a pre-login type account setup? I understand there used to be a way with configurator, but we can't seem to replicate. We run many different versions of OSX in our enviornment. Approximately 5000 Macs, all joined to our domain.
Ideally we would like a 1-size fits all method, but we are not against doing it a more challenging way for the sake of reliable connectivity. Originally our var suggested we might be able to generate a cert and use that for connecting the Macs, but we want to be able to tie the authentication, once a user is logged in, to the user. (Computers exchange hands faster than we can keep up, we are a school district and assets are transferred randomly.) If this is not possible, then we need a method to at least identify differing computers.
We run 6.5.0.3 on a Master/Local setup.
We have Clearpass 6.6.2
Running AP 315/314
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Alert a Moderator
Re: Macbook, domain joined, pre-logon 802.1x authentication
03-09-2017 10:42 AM
You'd want to use a log in window profile.
| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Alert a Moderator
Re: Macbook, domain joined, pre-logon 802.1x authentication
03-09-2017 11:14 AM
Does that work prior to the user logging in? Is it passing their user credentials or the computer? both?
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Alert a Moderator
Re: Macbook, domain joined, pre-logon 802.1x authentication
03-09-2017 11:16 AM
| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Alert a Moderator
Re: Macbook, domain joined, pre-logon 802.1x authentication
03-09-2017 11:21 AM
@irkednet wrote:
I am not 100% certain how to even search for this information, and my local var doesn't have a great answer for me.
How can I get a domain joined Mac to authenticate prior to login? Our problem happens when a user has a password expire, they can no longer connect to the wireless.
On our windows side, we use a policy that allows the computer to authenticate using the computer record, which allows it to be connected to allow the user to logon/change expired password.
Really, I just want to know what my options here are. How do we get a pre-login type account setup? I understand there used to be a way with configurator, but we can't seem to replicate. We run many different versions of OSX in our enviornment. Approximately 5000 Macs, all joined to our domain.
Ideally we would like a 1-size fits all method, but we are not against doing it a more challenging way for the sake of reliable connectivity. Originally our var suggested we might be able to generate a cert and use that for connecting the Macs, but we want to be able to tie the authentication, once a user is logged in, to the user. (Computers exchange hands faster than we can keep up, we are a school district and assets are transferred randomly.) If this is not possible, then we need a method to at least identify differing computers.
We run 6.5.0.3 on a Master/Local setup.
We have Clearpass 6.6.2
Running AP 315/314
Login Profile: https://ntsystems.it/post/joining-wifi-before-login-on-mac-os-x-108
*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Alert a Moderator
Re: Macbook, domain joined, pre-logon 802.1x authentication
03-09-2017 11:43 AM
Can is pass computer account? I am worried about relying on user crednetials because when a password expires, they are no longer able to connect to wifi, so they are not able to change their password. (without hardwire)
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Alert a Moderator
03-09-2017 11:45 AM
You could try using both system and user level configuration profiles, but it’s not something I’ve had a chance to test.
| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Alert a Moderator
Re: Macbook, domain joined, pre-logon 802.1x authentication
03-09-2017 11:52 AM
I'll give it a shot. I think between you (cappalli) and cjoseph I got some information to go on. I think it might be all that is needed to make this work.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Alert a Moderator
Re: Macbook, domain joined, pre-logon 802.1x authentication
09-30-2017 05:53 AM
Hi,
Have you had any luck with this as yet. I'm very keen to bring our Macs inline with our windows PC's in terms of pre-logon wireless connectivity and authentication via machine as opposed to account name.
Rich
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Alert a Moderator
Re: Macbook, domain joined, pre-logon 802.1x authentication
09-30-2017 07:09 AM
| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Alert a Moderator