802.1X on a Wired Network

in General Discussion edited January 2014
I am hoping someone here can help me, as Apple themselves have not...

I work in an I.T. department for a medium-sized school district in Alberta, Canada (10,000 students, 1,000 employees). We are currently a mixed computing environment, with 60% of our desktop computers running XP SP2, and the remaining 40% running OS X (10.3, 10.4, and a smattering of 10.5). Overall we have about 2,200 desktop/notebook computers. Our district employs a single-domain W2K structure, with a DC in each of our sites.

We are currently moving our district in the direction to allow staff and students to bring in their own computers onto the network. To do this, however, we have had to implement technology at the port level that enables only port 80 and 443 by default. The only way a user can have full network access is through 802.1x authentication.

On our PCs this works like a charm. The user's authentication credentials for the domain are passed through to the RADIUS server and, without any delay noticeable to the end user, they are on the network as they normally would be.

On our Macs, unfortunately, not so good. We currently use ADmitMac (mostly version 3, but we have been testing ADmitMac 4 as well), and the folks at Thursby do not support 802.1x authentication on a wired network right now (they do, on the wireless side). Basically we have found that the built-in 802.1x configuration in the Internet Config application does not "stick" from user to user. We can configure the settings as a local administrator (even as root), and select the option to pass the 802.1x authentication to the login window, but it just does not work using ethernet. As soon as the computer is logged out, after the 802.1x configuration, the next user is unable to get network access.

I should clarify, the user is able to authenticate and login to the computer, the Mac is communicating with the port, which in turn is communicating with the RADIUS server, but when the user logs in, the port remains at "guest access", it does not flip to enterprise user. This means no home directory folder, no mounted volumes, just port 80/443. The user must manually launch Internet Connect and re-enter their authentication credentials in order to access the network.

If anyone out there has successfully integrated Macs into Active Directory AND is using 802.1x certificates to authenticate users and computers, I look forward to reading your suggestions. Thanks.