I was wondering if any one has had any luck setting this up?
Basically were trying to get some MacBooks to always be logged on to an SSID with a config profile. That part works. We then want users to be able to log in using their Active directory logins, mount their home drives etc and give us visibility of who’s logging into the machine.
I already have the configuration profile set up so the mac is permanently connected to our chosen SSID. However, when you authenticate with your user details, rather than log on via AD (As we’d expect from an Ethernet connected and bound device.) It takes over the wireless log in and log’s in using the details from the user on the wireless.
Because of the switch in user details the wireless signal drops and then reappears meaning the authentication intermittently fails. On a good day it’ll work like a dream, I have managed to login 10 times in a row. On a bad day it takes 3 attempts to get in which isn’t great.
Am I right in thinking if the AD profile is set up correctly the machine will stay logged into the wifi with the user settings already configured in the network payload? Then the AD profile will handle logging into the machine and mount the home area etc?
Each time we attempt to install the AD config profile it fails. We get:
The 'Active Directory Certificate' payload could not be installed. The certificate request failed. Make sure that RPC is enabled on the server.
And
-319 (The 'Active Directory Certificate' payload could not be installed. The certificate request failed. Make sure that RPC is enabled on the server.)
RPC is 100% enabled otherwise AD wouldn’t be working.
I have been following this post:
https://www.afp548.com/2012/11/20/802-1x-eaptls-machine-auth-mtlion-adcerts/
AD server side we have followed a jamf nation discussion where they recommended doing the following:
“Make the OS X Machine authentication to RADIUS as well as Loginwindow authentication
1) First we have to download the CA certificate chain from Active Directory Certificate Service
Go to: http://Your-AD-Server/certsrv/ and click "Download a CA certificate, certificate chain, or CRL"
2) Click "Download CA certificate chain" It will download a cert chain called "certnew.p7b"
3) Double-click the "certnew.p7b" to get it to "Keychain Access"
4) Double-click the imported Certificate (e.g- AD-CA1)
5) Expand "Trust"
6) Select "Alway Trust" for "When using this certificate" to trust this cert for all
7) Right-click on the certificte (AD-CA1) and select Export..
8) Export as (.cer) certificate and Save to Desktop
9) Go to Keychain and select Thawte Premium Server CA (this is only in our environment to trust the eduroam certificate so change settings to suite your Wi-Fi settings)
10) Export the .cer Certificate file to Desktop
11) Then we have to Create a new AD machine certificate template on the AD cert server . Easiest way of doing this is to duplicate the Windows Machine (named WorkstationAuthentication in our environment) template and name it for Mac
12) Right -click and select "Duplicate Template"
13) Select "Windows Server 2003 Enterprise"
14) Then Edit the Template as in the next step
15)
(i)Name it like "OSX Workstation Certificate" this will automatically create the Template Name without spaces. You should use the name without spaces in "AD Certificate" payload in JSS.
(ii) In the "Subject Name" field, tick "User principal name (UPN)" and untick all others for alternate subject name.
(iii) In the "Security" field, make sure you have privileges for Domain Computers to "Enroll" and "Read"
Even though I have followed the above post along with many other articles, we keep going round in circles and are getting nowhere fast. Is this something anyone out there has configured? If so I’d welcome any help and guidance.
We are using WPA2 enterprise 802.1x configuration.
Thank you in advance.
