
802.1x authenticate computer only

Hi all,


I have an 802.1x network at work (AD Domain) and I want to use certificates (TLS). I can get Machine/computer certificates on OSX, but I only want to use computer authentication.


For those who know Active Directory, it's the equivalent of the GPO setting called "Authentication Mode", which is usually set to "User or Computer Authentication" (default), but I want "Computer Authentication".


Can 802.1x on OSX behave this way? I have a 10.8 server, but there is nothing in Profile Manager to indicate this setup.


Cheers,


Matt

Posted on Oct 14, 2012 10:15 PM

3 replies

Jun 16, 2017 8:51 AM in response to rb8475

Randy,


I know this post is old, but I stumbled across it while attempting something similar. We used a third-party CA for certificates, so that limited us a bit regarding the ability to use the enterprise CA as noted in other comments. Every time we deployed a PEAP profile via MDM we'd get prompted for creds. I pulled the machine account creds from the keychain and it would grant access, but as you noted, you'd have to keep doing that every time the creds changed.


According to the Apple doc (Best Practices for Integrating with Active Directory), you can configure the machine to never change its password. I'm not saying it is a good idea, but it might provide an option to consider. We only have one or two Macs to worry about, so it might be an option for us. Furthermore, I'm wondering about using our management Mac mini creds as a type of "service account" to push profiles to the staff Macs that need 802.1x wireless. Haven't tested yet, but might give it a try.


From the document:

Computer object password interval

When a Mac system is bound to Active Directory, it sets a computer account password that's then stored in the System keychain. This computer account password is automatically changed by the client.


The default password interval is every 14 days, but you can use the Directory payload or dsconfigad command-line tool to set any interval that your policy requires. Setting the value to 0 disables automatic changing of the account password:


dsconfigad -passinterval 0



http://training.apple.com/pdf/Best_Practices_for_Integrating_OS_X_with_Active_Directory.pdf

May 16, 2013 1:23 PM in response to Matt_nz_Karamu

Hi Matt,

I am trying to accomplish the same thing here. I have found a good article that gives instructions on how to almost get this going for 10.8, but it was more for 10.7.


http://revolutionwifi.blogspot.com/2012/02/mac-os-x-lion-creating-wi-fi-8021x.html


Now you can get this to work and log in as the machine's Active Directory account if you create a profile in Configurator, export it (without signing it, because you invalidate it when you edit it if it is signed) and then modify it as the author states in the comments. Here are the modifications...

============================

"Starting the line immediately below the SSID_STR key’s <string> value, add this:

<key>SetupModes</key>

<array>

<string>System</string>

</array>

Insert these lines immediately above the bottom-most PayloadType key line:

<key>PayloadScope</key>

<string>System</string>"

===================================

Now the issue that I am trying to get around. Once I join my 10.8 computer to Active Directory, I can get the machine account name and password out of Keychain Access. So I put that information in when I am prompted while installing the .mobileconfig file on the computer. See the attached image.

[attached image]

Then the computer attaches to the wireless network as itself with no problem. I can then log into the computer as a network user that has never before logged into the computer. Happy happy, joy joy.


So my question is: does anyone know how to get the computer to automatically try to attach using its Active Directory account info stored in Keychain Access, without having to manually input it? Because when the password on the computer's machine account in AD changes, the computer will no longer be able to attach to the wireless network as itself.


Thanks in advance for any help.


-Randy


Message was edited by: rb8475

Jun 13, 2013 5:52 AM in response to Matt_nz_Karamu

Yes, this is possible. Below are the basic steps:

In profile manager:

  1. Configure an AD Certificate payload that requests a machine certificate from your AD CA. Subject Name format of the cert is Common Name, Alternate Subject Name is UPN, and the application policy is set to Client Authentication.
  2. Add a Certificate payload that contains your CA cert or certs for trust.
  3. Configure a Network payload with TLS selected; in the Identity Certificate drop-down select the AD payload you set up, and under trust select the servers you want to trust.
  4. Push settings.


In AD:

  1. Configure the NPS Connection Policy to use certificate or smart card and then select the proper cert (for mutual authentication).
  2. Set your Network Policy with restrictions such as computer groups, etc.
  3. Optionally, you can assign a VLAN through NPS too.


Good luck
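As an added example (not code from either poster or from the linked article), the following script applies the two edits Randy quotes (SetupModes = System inside the Wi-Fi payload, PayloadScope = System at the top level) to an exported, unsigned .mobileconfig, and refuses to touch a signed one since editing would invalidate the signature. It also checks that the payload is EAP-TLS (EAP type 13), which is what the certificate-based setup in the last reply requires; the embedded profile, SSID and identifiers are constructed placeholders.

```python
import plistlib

# Constructed sample: an unsigned .mobileconfig as Configurator would export it,
# with one Wi-Fi payload already set up for EAP-TLS. All identifiers are placeholders.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.wifi-8021x",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadDisplayName": "Corp Wi-Fi (machine auth)",
    "PayloadContent": [{
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi-8021x.wifi",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "SSID_STR": "CorpNet",
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {"AcceptEAPTypes": [13]},  # 13 = EAP-TLS
    }],
})

def is_signed(data: bytes) -> bool:
    """A signed profile is a CMS/DER blob, not an XML plist; editing it
    would break the signature, so callers must refuse to modify it."""
    return not data.lstrip().startswith(b"<?xml")

def make_system_mode(data: bytes) -> bytes:
    """Return a copy of the profile with the two System-mode edits applied."""
    if is_signed(data):
        raise ValueError("profile is signed; export it unsigned before editing")
    profile = plistlib.loads(data)
    wifi = [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.wifi.managed"]
    if not wifi:
        raise ValueError("no Wi-Fi payload in profile")
    for payload in wifi:
        eap = payload.get("EAPClientConfiguration", {})
        if 13 not in eap.get("AcceptEAPTypes", []):
            raise ValueError(f"{payload.get('SSID_STR')}: not EAP-TLS, machine certs need type 13")
        payload["SetupModes"] = ["System"]   # join before login, as the machine
    profile["PayloadScope"] = "System"       # install at system level, not per user
    return plistlib.dumps(profile)

def describe(data: bytes) -> dict:
    """Summarise the keys that matter for machine authentication."""
    profile = plistlib.loads(data)
    wifi = profile["PayloadContent"][0]
    return {"scope": profile.get("PayloadScope"), "setup_modes": wifi.get("SetupModes")}
```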
