
KB-5110: Machine Based 802.1x Wifi (PEAP) is not automatically connected since OS X 10.9.3

Centrify Identity Service, Mac Edition

12 April,16 at 11:44 AM

Applies to: Centrify DirectControl version 5.1.3 or above on Mac OS X 10.9.3 or above

Problem:

On Mac OS X 10.9.3 or above, a credential prompt appears when connecting to a machine-based 802.1x (PEAP) Wi-Fi network.

This issue doesn't happen on Mac OS X 10.9.2 and below.


Cause:

On Mac OS X 10.9.2 or earlier, Apple stored the machine password in the System Keychain (/CentrifyDC).
In later OS X versions (10.9.3 or above), the machine password is stored in a different location. This breaks the way Centrify obtains the machine credentials and passes them to eapolclient for PEAP authentication.
 

Workaround:


1. Modify the current PEAP Wi-Fi mobileconfig profile as below so that it does not use the directory to authenticate. A sample profile is attached for reference:

   i. Change:

        <key>AuthenticationMethod</key>
        <string>directory</string>

      to:

        <key>AuthenticationMethod</key>
        <string></string>

   ii. Remove these lines:

        <key>OneTimeUserPassword</key>
        <false/>
        <key>SystemModeCredentialsSource</key>
        <string>ActiveDirectory</string>
        <key>UserName</key>
        <string></string>
        <key>UserPassword</key>
        <string></string>
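As an added example (not part of this KB article and not Centrify's attached sample profile), the following Python script applies step 1 to a mobileconfig file with the standard-library plistlib module: it changes AuthenticationMethod from "directory" to an empty string and removes the four directory-credential keys wherever they appear in the payload, then re-checks the result so a half-edited profile is caught before it is pushed out by Group Policy. The embedded sample profile, its SSID and the placement of AuthenticationMethod inside EAPClientConfiguration are constructed for illustration; the patch walks every dictionary, so it does not depend on that placement.

```python
import plistlib
import sys
from typing import Any, List, Tuple

# Keys that step 1.ii of the workaround removes from the PEAP profile.
KEYS_TO_REMOVE = (
    "OneTimeUserPassword",
    "SystemModeCredentialsSource",
    "UserName",
    "UserPassword",
)

# Constructed sample profile for this example; it is not the attached profile.
# The SSID and the placement of AuthenticationMethod inside
# EAPClientConfiguration are assumptions made for illustration only.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.peap.wifi</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>SSID_STR</key><string>CorpWiFi</string>
      <key>AutoJoin</key><true/>
      <key>EAPClientConfiguration</key>
      <dict>
        <key>AcceptEAPTypes</key><array><integer>25</integer></array>
        <key>AuthenticationMethod</key><string>directory</string>
        <key>OneTimeUserPassword</key><false/>
        <key>SystemModeCredentialsSource</key><string>ActiveDirectory</string>
        <key>UserName</key><string></string>
        <key>UserPassword</key><string></string>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""


def _patch_node(node: Any, changes: List[str]) -> None:
    """Apply the workaround to this node and recurse into nested values."""
    if isinstance(node, dict):
        # Step 1.i: directory-based authentication -> empty string.
        if node.get("AuthenticationMethod") == "directory":
            node["AuthenticationMethod"] = ""
            changes.append("AuthenticationMethod: directory -> ''")
        # Step 1.ii: drop the directory-credential keys entirely.
        for key in KEYS_TO_REMOVE:
            if key in node:
                del node[key]
                changes.append(f"removed {key}")
        for value in node.values():
            _patch_node(value, changes)
    elif isinstance(node, list):
        for item in node:
            _patch_node(item, changes)


def patch_profile(data: bytes) -> Tuple[bytes, List[str]]:
    """Return the patched mobileconfig XML and a log of the edits applied."""
    profile = plistlib.loads(data)
    changes: List[str] = []
    _patch_node(profile, changes)
    return plistlib.dumps(profile), changes


def _leftovers(node: Any, found: List[str]) -> None:
    """Collect any directory-auth settings that survived the patch."""
    if isinstance(node, dict):
        if node.get("AuthenticationMethod") == "directory":
            found.append("AuthenticationMethod")
        found.extend(k for k in KEYS_TO_REMOVE if k in node)
        for value in node.values():
            _leftovers(value, found)
    elif isinstance(node, list):
        for item in node:
            _leftovers(item, found)


def profile_is_patched(data: bytes) -> bool:
    """True when no directory-credential setting remains anywhere in the profile."""
    found: List[str] = []
    _leftovers(plistlib.loads(data), found)
    return not found


if __name__ == "__main__":
    # Usage: python patch_peap_profile.py in.mobileconfig out.mobileconfig
    # With no arguments the constructed sample is patched and printed.
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    out, log = patch_profile(src)
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(out)
    else:
        sys.stdout.write(out.decode())
    for line in log:
        print("#", line)
```

The script only handles a plain XML profile. If the profile you distribute is signed (a CMS blob rather than XML), plistlib will not parse it; edit the unsigned source instead and re-sign it afterwards, and keep the `profile_is_patched` check as a gate in whatever packaging step produces the file that Group Policy installs.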
 
2. Install the modified profile using Group Policy:

   i. For Centrify DirectControl for Mac version 2014.1 (Mac agent version 5.2.0) or higher, use the policy below (see the Explain tab for more information):

      Computer Configuration / Centrify Settings / Mac OS X Settings / Custom Settings / "Install MobileConfig Profiles"

   ii. For Centrify DirectControl for Mac versions below 2014.1 (Mac agent version below 5.2.0), refer to KB-2554 for the steps to deploy the mobileconfig profile.


3. Modify the SSID variable in the SetWifiPw.sh login script (a sample login script is attached for reference). This script creates the password needed for the Wi-Fi access point in the Keychain.


4. Mass deploy the SetWifiPw.sh login script via Group Policy with the steps below:

   i. Place the attached login script "SetWifiPw.sh" in AD: \\[domain]\SYSVOL\[domain]\scripts\

   ii. Apply the group policy to mass deploy:

      User Configuration > Centrify Settings > Mac OS X Settings > Scripts > Specify login script

      (Make sure the login script name is "SetWifiPw.sh", as in the sample script, and that "Run with root user privileges" is checked.)

   iii. Log in as an AD user on the Mac and run "adgpupdate" in Terminal.

   iv. Log out and log in again. The user will be prompted to enter the login Keychain password of that user.
 
Note: This uses the machine account and machine password for authentication. Since the machine password is changed every 30 days, re-run this script whenever the machine password changes. To disable machine password change, enable the following group policy:

       Computer Configuration / Centrify Settings / DirectControl Settings / Kerberos Settings / Set password change interval
       Set password change interval (days) to 0

5. In Network Preferences -> Wi-Fi -> Advanced..., make sure the desired PEAP access point is selected as the most preferred.

Note: If AirPort still does not auto-connect to the most preferred access point, follow these steps:

   i. Remove all the preferred networks
   ii. Add the desired PEAP access point first
   iii. Connect to it once
   iv. Re-add the rest of the access points you had before
    
Resolution:

This issue will be fixed in a future release by locating the machine password in the correct location for PEAP machine authentication.
Attachments:
