Jamf Nation Community

You never used to be able to have usernames that start with a number. If it's been allowed, I'd personally avoid it. You may wish to re-think.

The whole idea would be to have a machine use this account for MAC address bypass. The way the sys admins have set this up is to have the MAC address as user in AD then radius would allow machine into correct VRF.

As we do not use certificate based 8021x wired authentication I am finding it very difficult to get it working just using PEAP as the radius server is dropping the authentication.

1 of the options I want to put forward is to have the labs build with Casper, grab the MAC address and create an AD account.

I would love to be able to re-think but I have a requirement for Machine based authentication so machines are not sitting in a quarantine VRF.

Are you confusing usernames with computer names?

Let me put in another way. If you want mac address user/password in AD to allow access to your network you probably don't want to allow a mechanism that allows client machines to do this.

You'd probably want to script this AD server side and pass a list of mac addresses to the server.

Alternatively use certificates.

@sean nope, not confusing usernames with computer names, I need to have a MAC address as a User in AD.

As the mechanism for adding would be a static group in Casper it would not be that difficult to manage.

I will test some dscl commands to see what happens.

If you use a domain admin account with relevant permissions to edit AD, then yes you can script this. That will involve a username and password in clear text that has this level of permission to edit your AD! Is the cost of the security of your AD worth the gain of your wifi security?

This is why I suggested doing a script server side and use Casper to export the mac addresses to pass to the script on the server.

Of course this doesn't prevent access by mac address spoofing, which is why certificates are a better option.