Access Policy with 802.1x profile on MacOS issue

brconflict
Here to help

Access Policy with 802.1x profile on MacOS issue

I'm troubleshooting an issue with with RADIUS AUTH, and the use of pushed 802.1x profiles.

 

We have a "shared" user/password that will use RADIUS IETF attributes to assign a user to specific VLANs, based on LDAP groups (behind the RADIUS). The Authentication, group assignment, etc. work fine, and the user is assigned the correct VLAN. After first entry, the user's 802.1x authentication is stored in the MacOS keychain (at the system level). It all works as we need. However...

We want to push the 802.1x profile with the included "shared" username/password to all users, and have them not ever be prompted for 802.1x login from the switch.

The 802.1x profile is pushed, and the MacOS keychain shows it stored there, again at the system level, not user level. When connecting to a wired Meraki switchport, the user is still prompted for the 802.1x login. The MacOS machine is prompted for the 802.1x credentials pushed from Meraki. It doesn't put this together that this prompt and the pushed profile are for the same thing. Any suggestions? The issue seems to be that the 802.1x profile is pushed to the system and not the user, which is what the Meraki switch requests.

2 Replies 2
PhilipDAth
Kind of a big deal
Kind of a big deal

I don't know the answer.

 

In a Windows environment you have both user and machine credentials, and by default both are used.  First the machine one when the machine is first powered on, and then the user one when the user logs in.  That that user logs out and another user logs in then the user is 802.1x authenticated again.

 

In Windows you can also configure a policy to only do machine authentication.

 

It sounds to me you need an option like this for the Mac - machine only 802.1x authentication.

 

This forum post seems to be loosely related to your issue.

https://discussions.apple.com/thread/4433348?start=0&tstart=0

brconflict
Here to help

Actually, we need both. I need to authenticate the user and machine, but the user is more important.

So much effort was put into trying to sell us a Meraki solution, to the point that the features we wanted seemed trivial, and Meraki can handle pretty much anything we needed, in some way. But the results are that RADIUS or AD are the only two options--no LDAP, which I need most. But alas, we are doing other work to make the more old-school RADIUS work for us.

Get notified when there are additional replies to this discussion.