Apple Problems - 802.1x and Wireless (Shaky Login Window)

chris_morelock
New Contributor II

Just wanted to start out by saying that I am not looking for a fix, because according to Apple there is no fix. I am just curious if anyone else is seeing this problem or if we are the only ones.

Problem: I work for a school district and we have over 11k Macs. Over the summer we have implemented a secure password policy which forces the students to change their (AD) password when they log in to the Mac laptops for the first time.

At first login, ONLY ON THE WIRELESS, the login window shakes (incorrect login) most of the time. Sometimes it works great, but most of the time it doesn't. I repeat, this is only on the wireless. If you plug the laptops into the network, they work fine on the first try.

Apple's Solution: I have a nice expensive "Select Support Agreement" with Apple that gives me top tier enterprise support with them, so I opened a ticket. I was then told that this is expected behavior and they were able to reproduce the problem on multiple OS versions in their lab.

Basically the only fix that they have given us is that we have to disable the password change requirement in AD (not possible) or plug the computers in with an ethernet cable x 11,000 for the first login (not possible).

Moral of the story, I find it very hard to believe that Apple does not support a standard 802.1x password change procedure on the wireless. They then escalated my case to an even higher level of Apple engineers and they were also able to reproduce the issue and told me they would submit an impact report or whatever to try and get it fixed at some point. This is so frustrating.

Anyone else seen similar behavior in your environment? Any feedback would be appreciated!


chris_morelock
New Contributor II

Bump

chris_morelock
New Contributor II

Nobody?

mnaylor
New Contributor

Are you doing your 802.1x using a mobileconfig profile?

chris_morelock
New Contributor II

Yes I am.

Nix4Life
Valued Contributor

As @mnaylor mentioned, post your 802.1x profile. Sounds like you are caught in a login loop.

sdagley
Esteemed Contributor II

@chris.morelock The problem sounds like you're authenticating the machines with the student's credentials, and if they're set to require a password change that doesn't work. Try setting your 802.1x configuration profile to enable "Use Directory Authentication" and disable "Use as Login Window configuration". This will allow your laptops to connect to the wireless network using the machine's AD credentials for 802.1x, and switch to the user's credentials once they're logged in (and changed their password if needed).
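To make the two profile shapes sdagley contrasts concrete, here is an added example (my code, not a profile from the poster or from Jamf): a Python script that builds a constructed Wi-Fi payload in both shapes and audits an exported .mobileconfig to report which one it carries. The plist keys (com.apple.wifi.managed, SetupModes, EAPClientConfiguration, SystemModeCredentialsSource) are the ones Apple documents for the Wi-Fi payload; mapping the Jamf checkbox "Use as Login Window configuration" to a SetupModes entry of "Loginwindow", and "Use Directory Authentication" to SystemModeCredentialsSource = "ActiveDirectory", is my reading and should be treated as an assumption. The SSID, RADIUS hostname and identifiers are made-up sample values.

```python
"""Audit an 802.1x Wi-Fi .mobileconfig for login-window vs. machine authentication.

Added example, not from the original thread. Key names follow Apple's Wi-Fi
payload documentation; the checkbox-to-key mapping is an assumption (see lead-in).
"""
import plistlib
import uuid

# Constructed sample values; replace with your own.
SAMPLE_SSID = "District-WiFi"
SAMPLE_RADIUS = "radius.example.edu"


def make_profile(ssid, setup_modes, credentials_source=None):
    """Build a configuration profile dict with one Wi-Fi payload.

    setup_modes: list drawn from "System", "Loginwindow", "User".
    credentials_source: "ActiveDirectory" to use the machine's AD account
    for System mode (assumed to match Jamf's "Use Directory Authentication").
    """
    eap = {
        "AcceptEAPTypes": [25],  # 25 = PEAP
        "TLSTrustedServerNames": [SAMPLE_RADIUS],
    }
    if credentials_source is not None:
        eap["SystemModeCredentialsSource"] = credentials_source
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.wifi.{ssid}",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": f"Wi-Fi {ssid}",
        "SSID_STR": ssid,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "SetupModes": list(setup_modes),
        "EAPClientConfiguration": eap,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.wifi.{ssid}.profile",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": f"802.1x {ssid}",
        "PayloadContent": [wifi_payload],
    }


# The shape the original poster started with: the login window itself
# authenticates to 802.1x with whatever the user types.
LOGIN_WINDOW_PROFILE = make_profile(SAMPLE_SSID, ["System", "Loginwindow", "User"])

# The shape sdagley recommends: the machine's AD account authenticates in
# System mode, and the user's credentials take over after login.
MACHINE_AUTH_PROFILE = make_profile(
    SAMPLE_SSID, ["System", "User"], credentials_source="ActiveDirectory"
)


def export_profile(profile):
    """Serialize a profile dict to .mobileconfig XML bytes."""
    return plistlib.dumps(profile)


def classify_payload(payload):
    """Return 'login-window', 'machine-auth' or 'user-only' for one Wi-Fi payload."""
    modes = set(payload.get("SetupModes", []))
    eap = payload.get("EAPClientConfiguration", {})
    if "Loginwindow" in modes:
        # A user who must change their password at first login cannot pass
        # 802.1x here, which is the shaking-login-window symptom in the thread.
        return "login-window"
    if "System" in modes and eap.get("SystemModeCredentialsSource") == "ActiveDirectory":
        return "machine-auth"
    return "user-only"


def audit_mobileconfig(data):
    """Parse .mobileconfig bytes and map each Wi-Fi SSID to its auth shape."""
    profile = plistlib.loads(data)
    results = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.wifi.managed":
            results[payload["SSID_STR"]] = classify_payload(payload)
    return results


if __name__ == "__main__":
    for name, prof in (("login window", LOGIN_WINDOW_PROFILE), ("machine auth", MACHINE_AUTH_PROFILE)):
        print(name, "->", audit_mobileconfig(export_profile(prof)))
```

Pointing `audit_mobileconfig` at a profile exported from the JSS (it reads the same XML plist that gets deployed) tells you which shape is actually reaching the Macs, which is a quicker check than reading the payload by hand.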

chris_morelock
New Contributor II

I am going to give this a shot. Thank you @sdagley

sdagley
Esteemed Contributor II

@chris.morelock Any luck? There's a new post in the thread 802.1x PEAP Ethernet AD settings that suggests there may be an issue with JSS-created network configuration profiles, and using Profile Manager to create a .mobileconfig you package and deploy via a Policy is the workaround (the thread mentions Apple Configurator 2, but I think they meant Profile Manager for Mac settings).

chris_morelock
New Contributor II

Sorry for the delay. Yes! Changing to machine auth has fixed the problem. I cannot thank you enough for this suggestion. You figured out what Apple and Cisco could not! I owe ya a beer!

FastGM3
Contributor

When using machine authentication we lose the logged-in user information in ClearPass. We want to be able to see the users who are logged in and which WAP they are on.

We get the user information in ClearPass when we select "Use a Login Window Authentication". However, then users have to become familiar with a different login window because of the WiFi drop-down, AND new users logging in for the first time are not authenticating with AD on a previously bound machine, as you described originally, whereas they can authenticate as a new user if hard-wired.

So my question here is: is there any way to gather the logged-in user information specifically in ClearPass when using machine authentication?

I say specifically in ClearPass only because I know I can gather logged-in user information with Jamf, but narrowing down which WAP on campus they are using in ClearPass would take some cross-referencing.

TIA for any insight.

sdagley
Esteemed Contributor II

@FastGM3 This sounds like a question for Aruba (although someone else on JamfNation that's familiar with ClearPass may chime in). Depending on your organization's requirements for connecting devices to your network you may not want to have a machine connected without a logged in user. That's the policy for the org I'm with now, and machine auth is not allowed.