You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: Matt_nz_Karamu
Matt_nz_Karamu Author
User level: Level 1
8 points

802.1x authenticate computer only

Hi all,


I have an 802.1x network at work (AD Domain) and I want to use certificates (TLS). I can get Machine/computer certificates on OSX, but I only want to use computer authentication.


For those who know Active Directory, its the equivalent GPO setting called "Authentication Mode" which is usually set to "User or Computer Authentication" (default), but I want "Computer Authentication"


Can 802.1x on OSX behave this way? - I have a 10.8 server but nothing in Profile Manager to indicate this setup.


Cheers,


Matt

Posted on Oct 14, 2012 10:15 PM

Reply
3 replies
User profile for user: PingCrowley
PingCrowley
User level: Level 1
4 points

Jun 16, 2017 8:51 AM in response to rb8475

Randy,


I know this post is old, but I stumbled across it while attempting something similar. We used third party CA for certificates, so that limited us a bit regarding the ability to use the enterprise CA as noted in other comments. Every time we deployed PEAP profile via MDM we'd get prompted for creds. I pulled the machine account creds from keychain and it would grant access, but as you noted, you'd have to keep doing that every time the creds changed.


According to apple doc (Best Practices for Integrating with Active Directory), you can configure the machine to never change it's password. I'm not saying it is a good idea, but it might provide an option to consider. We only have one or two macs to worry about, so it might be an option for us. Furthermore, I'm wondering about using our management mac mini creds as a type of "service account" to push in a profiles to the staff macs that need 802.1x wireless. Haven't tested yet, but might give it a try.


From the document:

Computer object password interval When a Mac system is bound to Active Directory, it sets a computer account password that’s then stored in the System keychain. This computer account password is automatically changed by the client.


The default password interval is every 14 days, but you can use the Directory payload or dsconfigad command-line tool to set any interval that your policy requires. Setting the value to 0 disables automatic changing of the account password:


dsconfigad -passinterval 0



http://training.apple.com/pdf/Best_Practices_for_Integrating_OS_X_with_Active_Di rectory.pdf

Reply
User profile for user: rb8475
rb8475
User level: Level 1
0 points

May 16, 2013 1:23 PM in response to Matt_nz_Karamu

Hi Matt,

I am trying to accomplish the same thing here. I have found a good article that gives instructions on how to almost get this going for 10.8, but was more for 10.7.


http://revolutionwifi.blogspot.com/2012/02/mac-os-x-lion-creating-wi-fi-8021x.ht ml


Now you can get this to work and log in as the machine's active directory account, if you create a profile in configurator, export it (Without signing it, because you invalidate it when you edit it if it is signed) and then modify it like the author states in the comments. Here are the modifications...

============================

"Starting the line immediately below the SSID_STR key’s <string> value, add this:

<key>SetupModes</key>

<array>

<string>System</string>

</array>

Insert these lines immediately above the bottom-most PayloadType key line:

<key>PayloadScope</key>

<string>System</string>"

===================================

Now the issue that I am trying to get around. Once I join my 10.8 computer to active directory, I can get the machine account name and password out of Keychain Access. So I put that information in when I am prompted when installing the .mobileconfig file on the computer. See the attached image.

User uploaded file

Then the computer attaches to the wireless network as itself with no problem. I can then log into the computer as a network user that has never before logged into the computer. Happy happy, joy joy.


So my question is. Does anyone know how to get the computer to automatically try to attach using it's active directory account info stored in Keychain Access, without having to manually input them? Because when the password on the computers machine account in AD changes the computer will no logger be able to attach to the wireless network as itself.


Thanks in advance for any help.


-Randy


Message was edited by: rb8475

Reply
User profile for user: keithfromvirginia beach
keithfromvirginia beach
User level: Level 1
20 points

Jun 13, 2013 5:52 AM in response to Matt_nz_Karamu

Yes this is possible. Below are the basic steps:

In profile manager:

  1. Configure an AD Certificate payload that requests a machine certificate from your AD CA. Subject Name format of cert is Common Name, Alternate subject is UPN and application policy set to client authentication.
  2. Add Certficate payload that contains your CA cert or certs for trust.
  3. Configure a Network payload with TLS selected, Identity Certificate drop down select the AD Payload you setup, and under trust select the servers you want to trust
  4. push settings.


In AD:

  1. Configure NPS Connection Policy to use certificate or smart card and then select the proper cert (for mutual authentication.)
  2. Set your Network policy with resrtrictions such as computer groups etc.
  3. Optionally you can assign VLAN through NPS too.


Goodluck

Reply

802.1x authenticate computer only

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up