Applies to: Centrify DirectControl version 5.1.3 or above on Mac OS X 10.9.3 or above
Problem:
On Mac OS X 10.9.3 or above, credentials are prompted when connecting to machine based 802.1x (PEAP) Wi-Fi:
This issue doesn't happen on Mac OS X 10.9.2 and below.
Cause:
On Mac OS X 10.9.2 or before, Apple used to store the machine password in System Keychain (/CentrifyDC).
In later OS X version (i.e. 10.9.3 or above), the location storing the machine password has been changed to somewhere else. This breaks the way Centrify obtains and passes the machine credentials to eapoclient for PEAP authentication.
Workaround:
1. Modify the current PEAP Wifi mobileconfig profile as below so that it does not use directory to authenticate. Attached is the sample profile for reference:
i. Change:
<key>AuthenticationMethod</key>
<string>directory</string>
To:
<key>AuthenticationMethod</key>
<string></string>
ii. Remove these lines:
<key>OneTimeUserPassword</key>
<false/>
<key>SystemModeCredentialsSource</key>
<string>ActiveDirectory</string>
<key>UserName</key>
<string></string>
<key>UserPassword</key>
<string></string>
2. Install the modified profile using Group Policy:
i. For Centrify DirectControl for Mac version 2014.1 (Mac agent version 5.2.0) or higher, use the policy below:
Computer Configuration / Centrify Settings / Mac OS X Settings / Custom Settings / "Install MobileConfig Profiles"
(See Explain Tab for more information)
ii. For Centrify DirectControl for Mac version below 2014.1 (Mac agent version below 5.2.0), please refer to KB-2554 for the steps to deploy the mobileconfig profile.
3. Modify variable SSID in SetWifiPw.sh login script (Attached is sample login script for reference). This creates the password needed for the WiFi Access Point in the Keychain.
4. Mass deploy the SetWifiPw.sh login script via Group Policy with steps below:
========
i. Place the attached login script "SetWifiPw.sh" in AD: \\[domain]\SYSVOL\[domain]\scripts\
ii. Apply the group policy to mass deploy:
User Configuration > Centrify Settings > Mac OS X Settings > Scripts > Specify login script
(Please make sure the login script name is "SetWifiPw.sh" as the sample script. Please also make sure "Run with root user privileges" has been checked.)
iii. Login as a AD user on Mac and then run "adgpupdate" in terminal.
iv. Log out and log in again. User will be prompted to enter the login Keychain password of that user.
========
Note: This uses machine account and machine password for authentication. Since machine password will be changed in every 30 days, re-run this script when the machine password is changed. If you want to disable machine password change, please enable the following group policy:
Computer Configuration /Centrify Settings /DirectControl Settings /Kerberos Settings/ Set password change interval
Set password change interval (days) to 0
5. In Network Preferences -> Wi-Fi -> Advanced... -> Make sure the desired PEAP Access Point is selected as the most preferred.
Note: If AirPort still does not auto-connect to the most preferred Access Point, follow these steps:
i. Remove all the preferred networks
ii. Add the desired PEAP Access Point first
iii. Connect it once
iv. Re-add the rest of the Access Points you had before
Resolution:
This issue will be fixed in future release by locating the machine password in the correct location for PEAP Machine Authentication.
KB-9497: Apple Certificate Validation behavior change in OS X 10.12.4 (Apple bug #32222654)