I am not 100% certain how to even search for this information, and my local VAR doesn't have a great answer for me.
How can I get a domain-joined Mac to authenticate prior to login? Our problem happens when a user's password expires: they can no longer connect to the wireless.
On our Windows side, we use a policy that allows the computer to authenticate using the computer record, which allows it to be connected so the user can log on/change the expired password.
Really, I just want to know what my options here are. How do we get a pre-login type account set up? I understand there used to be a way with Configurator, but we can't seem to replicate it. We run many different versions of OS X in our environment. Approximately 5000 Macs, all joined to our domain.
Ideally we would like a one-size-fits-all method, but we are not against doing it a more challenging way for the sake of reliable connectivity. Originally our VAR suggested we might be able to generate a cert and use that for connecting the Macs, but we want to be able to tie the authentication, once a user is logged in, to the user. (Computers exchange hands faster than we can keep up; we are a school district and assets are transferred randomly.) If this is not possible, then we need a method to at least identify differing computers.
We run 6.5.0.3 on a Master/Local setup.
We have ClearPass 6.6.2.
Running AP 315/314.