We lost our "Mac" guy - Need to configure 802.1x wireless against mac clients.

Posted on 2012-08-28
Last Modified: 2012-09-10

In our org, we have approx 20k win clients, and about 300-400 macs.  Unfortunately, our Mac guy decided to get a different job, so for those of us left behind, we've been attempting to play catch-up across those systems.

So, aside from my disclaimer that I don't like them AT ALL (it takes the same amount of effort to manage such a small amount of macs we have, versus the 20k windows machines)...  Would somebody be able to point me in the right direction on configuring a wireless enterprise policy against them?

On our windows side, we use group policy to deploy our enterprise wireless settings, and our PCs work absolutely wonderful with this scenario.  I have yet to be able to get any MACs to authenticate.  Mostly because of my lack of understanding on these things.

I have a few questions, mostly relating to ~how~ the macs support 802.1x - In our windows environment, our 802.1x is based against the machine itself.  The unit fires up and authenticates against our NPS server, which in turn allows it network access.  Since the network is available at that point, everyone can utilize their AD accounts to log in.  I'm not seeing this is the case with the Mac clients, and every step of the way - it looks like it wants a username & password to be able to authenticate.

Please see the attached group policy report against our windows clients, and if possible, could somebody translate how we could get our group policy settings migrated over to the MAC world?  *We do use "Centrify", but I'm not seeing anything relatively close to being able to mimic the windows settings.

I'm willing to try out any suggestion, but please be patient as I implement anything, as I'd like to understand exactly what it is that we're going for, rather than copy/pasting a solution.  And I really do apologize in advance for my lack of understanding on these things... I haven't liked macs in the slightest since I first met them, but now it seems that they're slowly getting revenge against me.
Question by: usslindstrom

    Assisted Solution

    Author Comment

    Thank you very much for the two links.  I've read them both and am getting a small picture about everything relating to Mac...

    But, unfortunately, after following the documents - our Mac clients are still unable to authenticate.  I do believe that it's related to the fact our Windows units are authenticating the machine and allowing it access, prior to the user attempting to log in.

    The mac authentication is requiring a username to connect to the wireless signal, of which we don't provide any.  You can see where this is getting confusing.

    Even when I drop my domain credentials in the authentication portion (attempting to connect via the "AirPort"), it tells me that it fails.

    Assisted Solution

    have your wireless admin send you the 802.1X configuration profile.

    Then open network preferences.
    Click AirPort
    Click Advanced
    Under Wifi remove everything.
    Click OK
    Click Advanced
    Click 802.1X
    Drag the connection profile into the box.
    Click ok

    Author Comment

    Unfortunately, in this case - I am the wireless admin.

    I'd ask myself for the configuration profile, but people might think I talk to myself.  :)

    Basically, where I'm stuck - is getting these blasted things to authenticate via machine name, NOT username for the 802.1x.  The Mac white-papers on 802.1x say it's entirely possible, but have no reference on how to actually get it implemented.

    There are a few forums that guys are using %computername%$ in the username field, and report that it works, but we've tried it and are still stuck.

    Any more assistance that can be provided would be VERY appreciated.

    Assisted Solution

    I used the same method that strung posted and it works for me.
    But I did have to clear all the saved networks from airport config.

    Have you tried calling apple?

    Accepted Solution

    Author Closing Comment

    All, sorry for the late response - but thank you very much for assisting us with this.

    I've learned quite a bit about the MACs in the last couple of days, and it's been entirely with the help of what you guys were trying to show me.

    What we ended up doing in our case, was creating a wireless "service account" that is able to authenticate against the RADIUS servers.  We then created the Airport policy on a MAC, uploaded it to a localized web server (we were having some serious issues getting the MAC to connect to a network share without authenticating, so we decided to put the file on one of our intranet servers).  Once we did that, we created a small script that uses "curl" to grab the file and then "networksetup" that imports the profile into the local machine.  - Finally, we pushed the script package via CASPR to all of our 200 Mac units throughout the enterprise.

    It sounds complicated, but that's only due to the fact that managing these stupid macs is absolutely a joke.  It's no wonder that many more enterprise agencies haven't really ever truly adopted these things yet.  It literally takes the same amount of effort to manage 200 Mac machines, as it does 18000 PCs in our organization.

    In any case, sorry for the biased opinion...  I really do appreciate and thank you guys for helping us with this issue.
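A script along the lines of the closing comment's "curl then networksetup" approach, written here as an added example and not the poster's own script: it downloads the profile exported from a reference Mac, refuses to import it unless it is an XML plist whose SHA-256 matches the hash recorded at export time (so an intranet error page, a truncated download or a tampered file never ends up in the client's 802.1X settings), and only then hands it to networksetup. The URL, the "AirPort" service name, the hash placeholder and the availability of the `-import8021xProfiles` subcommand on the OS X build in use are assumptions.

```shell
#!/bin/sh
# Fetch an 802.1X profile exported from a reference Mac, verify it, then import it.
# Assumptions (not from the original post): the URL, the "AirPort" service name,
# the EXPECTED_SHA256 placeholder, and that this OS X build's networksetup still
# offers -import8021xProfiles.
set -eu

PROFILE_URL="${PROFILE_URL:-http://intranet.example.local/wifi/corp-8021x.networkConnect}"
EXPECTED_SHA256="${EXPECTED_SHA256:-REPLACE_WITH_HASH_OF_THE_EXPORTED_PROFILE}"
SERVICE="${SERVICE:-AirPort}"

# SHA-256 of a file; macOS ships shasum, most Linux hosts ship sha256sum.
sha256_of() {
  if command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | cut -d' ' -f1
  else sha256sum "$1" | cut -d' ' -f1; fi
}

# An exported profile is an XML plist; anything else is an error page or a truncated download.
looks_like_plist() {
  head -c 200 "$1" | grep -q '<?xml' && grep -q '<plist' "$1"
}

# Returns 0 only when the file is a plist AND its hash equals the one recorded
# when the profile was exported on the reference Mac.
verify_profile() {
  looks_like_plist "$1" || return 1
  [ "$(sha256_of "$1")" = "$2" ] || return 1
}

fetch_and_import() {
  tmp="$(mktemp /tmp/wifi-profile.XXXXXX)"
  curl -fsS -o "$tmp" "$PROFILE_URL"            # -f: treat HTTP errors as failures
  if ! verify_profile "$tmp" "$EXPECTED_SHA256"; then
    echo "profile failed verification; not importing" >&2
    rm -f "$tmp"; return 1
  fi
  networksetup -import8021xProfiles "$SERVICE" "$tmp"
  rm -f "$tmp"
}

# Only act when invoked with --run, so the functions can be sourced and tested.
if [ "${1:-}" = "--run" ]; then fetch_and_import; fi
```

Record the hash once with `shasum -a 256` on the Mac where the profile was exported, and bake it into the package alongside the script rather than fetching it from the same server as the profile.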
