Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1487
  • Last Modified:

We lost our "Mac" guy - Need to configure 802.1x wireless against mac clients.

Experts,

In our org, we have approx 20k win clients, and about 300-400 macs.  Unfortunately, our Mac guy decided to get a different job, so for those of us left behind, we've been attempting to play catch-up accross those systems.

So, aside from my disclaimer that I don't like them AT ALL (it takes the same amount of effort to manage such a small amount of macs we have, versus the 20k windows machines)...  Would somebody be able to point me in the right direction on configuring a wireless enterprise policy against them?

On our windows side, we  use group policy to deploy our enterprise wireless settings, and our PCs work absolutely wonderful with this scenario.  I have yet to be able to get any MACs to authenticate.  Mostly because of my lack of understanding on these things.

I have a few questions, mostly relating to ~how~ the macs support 802.1x - In our windows enviornment, our 802.1x is based against the machine itself.  The unit fires up and authenticates against our NPS server, which in turn allows it network access.  Since the newtwork is available at that point, everyone can utilize their AD accounts to log in.  I'm not seeing this is the case with the Mac clients, and every step of the way - it looks like it wants a username & password to be able to authenticate.

Please see the attached group policy report against our windows clients, and if possible, could somebody translate how we could get our group policy settings migrated over to the MAC world?  *We do use "Centrify", but I'm not seeing anything relatively close to being able to mimic the windows settings.


I'm willing to try out any suggestion, but please be patient as I implement anything, as I'd like to understand exactly what it is that we're going for, rather than copy/pasting a solution.  And I really do apologize in advance for my lack of understanding on these things... I haven't liked macs in the slightest since I first met them, but now it seems that they're slowing getting revenge against me.
GPOWireless.pdf
0
usslindstrom
Asked:
usslindstrom
4 Solutions
 
usslindstromAuthor Commented:
Thank you very much for the two links.  I've read them both and am getting a small picture about everything relating to Mac...

But, unfortunately, after following the documents - our Mac clients are still unable to authenticate.  I do believe that it's related to the fact our Windows units are authenticating the machine and allowing it access, prior to the user attempting to log in.

The mac authentication is requiring a username to connect to the wireless signal, of which we don't provide any.  You can see where this is getting confusing.

Even when I drop my domain credentials in the authentication portion (attempting to connect via the "AirPort", it tells me that it fails.
0
 
mtsdemoCommented:
have your wireless admin send you the 802.1X configuration profile.

Then open network preferences.
Click AirPort
Click Advanced
Under Wifi remove everything.
Click OK
Click Advanced
Click 802.1X
Drag the connection profile into the box.
Click ok

Connect.
0
Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
usslindstromAuthor Commented:
Unfortunately, in this case - I am the wireless admin.

I'd ask myself for the configuration profile, but people might think I talk to myself.  :)

Basically, where I'm stuck - is getting these blasted things to authenticate via machine name, NOT username for the 802.1x.  The Mac white-papers on 802.1x say it's entirely possible, but have no reference on how to actually get it implemented.

There are a few forums that guys are using %computername%$ in the username field, and report that it works, but we've tried it and are still stuck.

Any more assistance that can be provided would be VERY appreciated.
0
 
mtsdemoCommented:
I used the same method that strung posted and it works for me.
But I did have to clear all the saved networks from airport config.

Have you tried calling apple?
0
 
usslindstromAuthor Commented:
All, sorry for the late response - but thank you very much for assisting us with this.

I've learned quite a bit about the MACs in the last couple of days, and it's been entirely with the help of what you guys were trying to show me.

What we ended up doing in our case, was creating a wireless "service account" that is able to authenticate against the RADIUS servers.  We then created the Airport policy on a MAC, uploaded it to a localized web server (we were having some serious issues getting the MAC to connect to a network share without authenticating, so we decided to put the file on one of our intranet servers).  Once we did that, we created a small script that uses "curl" to grab the file and then "networksetup" that imports the profile into the local machine.  - Finally, we pushed the script package via CASPR to all of our 200 Mac units throughout the enterprise.

It sounds complicated, but that's only due to the fact that managing these stupid macs is absolutely a joke.  It's no wonder that many more enterprise agencies haven't really ever truly adopted these things yet.  It litterally takes the same ammount of effort to manage 200 Mac machines, as it does 18000 PCs in our organization.

In any case, sorry for the bias opinion...  I really do appreciate and thank you guys for helping us with this issue.
0

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now