Wireless Access

We have been working on getting our Mac to do Machine Authentication on our wireless.  So far we have had some great success using profile manager.  The "Use Directory Authentication" check box is not formatting the username of the machine.  We are using a Script to fix the issue, before installing the profile.  How are other people getting machine authentication working on Mac.

Wow, I would love to hear more about how youre doing this. I've been searching for a solution to machine auth and OS X.

You're the first person I've heard that says they have a solution.

Is it actually doing "machine authentication" or user auth by binding the macbook to the domain? I know you can join OS X to a domain, but I've never seen machine authentication work even when the Mac joined to the domain shows up as a Domain Computer in Active Directory.

We created 2 profiles with Profile manager one for joining to the domain ( and other stuff our Mac administrator wants to have on the Mac)  and a second one for WIFI. We also have a small Bash script that is needed to fix Macs bad formatting of the machine user name and password.

Once the DeployStudio is done imaging the Computer, the script is run.

- First the Domain .mobileconfig is installed.

- Get the machine creds from the Keychain ( under the Active Directory section )

- Put the machine creds into the second WIFI .mobileconfig

- install the WIFI .mobileconfig

Delete the profiles form the computer ( security reason on this one)

Done!

Hi Overclocked,

We are looking to accomplish the same thing with our mac systems. Could you provide a bit more detail on the  bash script?

Thank you.

Great thread.

The way I setup machine authentication (domain computer) on macs at my company is using the System Keychain /Active Directory/(Your Domain) login credentials.

If you double click the keychain, the login for username/password is the Account: and check the box for Show password which usually shows some gibberish.

So when I connecting to my corporate SSID, I use the information above.

Only problem is that once every so often, the /Active Directory/(Your Domain) system keychain password changes. So users have to re-enter the new password when connecting to the SSID.

Overclocked, do you have this problem too?

For the AD password change we put the computer into an OU that doesn't update the machine password.   I have not found an automatic way to keep the password up to date, yet.  Pulling the password out or the keychain and putting it into the .profile, will work but not convenient.

Here is the bash script that we use

=======================================================================================
#The following script modifies two Lion Server profiles (.mobileconfig).
#- Modifies the domain profile to contain a proper AD computer name (using hyphens 
#  instead of the default underscores)
#
#- Extracts the computers machine password from the Security keychain.  This is added
#  after being bound to the domain.
#
#- Modifies the WiFi script to contain a properly formatted computer name 
#  ("host/computername.domain" as per MSCHAPv2) and the extracted machine password
#
#  written by BvS, 2012-07-06,  comments wifi@humber.ca

#!/bin/bash
_domainProfile="/Users/Shared/Settings_for_HUMBER.ORG_Admin.mobileconfig"
_wifiProfile="/Users/Shared/Settings_for_HUMBER.ORG_Admin_Wifi.mobileconfig"
_compName=$(scutil --get LocalHostName)

#replace our computername placeholder with actual computer name in the domain profile
sed -i "" -e "s/CN_PLACEHOLDER/${_compName}/" $_domainProfile

#install the domain profile
/usr/bin/profiles -I -F $_domainProfile

#extract the machine password from the security keychain
security dump-keychain -d /Library/Keychains/System.keychain | split -a2 -p "keychain:" - /tmp/part_
  _fileName=$( grep -l -e "Active Directory" /tmp/part_* )
  _unpw=$( tail -n1 ${_fileName} | tee ${_fileName})
  _unpw=$( cut -b 2-$((${#unpw}-1)) ${_fileName})

#replace our username and userpassword placeholders with actual values
sed -i "" -e "s/UN_PLACEHOLDER/host\/${_compName}.humber.org/" $_wifiProfile
sed -i "" -e "s/UNPW_PLACEHOLDER/${unpw}/" $_wifiProfile

#install the modified profile
/usr/bin/profiles -I -F $_wifiProfile

#clean up files
srm $_domainProfile
srm $_wifiProfile
srm /tmp/part_*