Macbook/WPA2 enterprise help

[Dimas]

Hey guys so let me say a few things right off the bat. I am a networking student at my high school and I have a class called "PC support" which is pretty much a help desk for the whole school (imaging computers, adding to the domain, printer repairs, and lots of other goodies). 

 

Okay so here is the problem I've encountered. Recently our film students have been given new MacBook pros completely maxed out retina displays and all (sorry if I'm geeking out I just love tech) anyways the network administrator for the school recently made accounts for them in active directory it's all fine and dandy. We added them into the domain and while we are connected via Ethernet (thunder bolt adapter) like we do with normal Windows laptops for the school and when I log out I get the "other" users which allows me to log into the domain with my own personal credentials so I'm thinking it works fine and all but unfortunately that's not the case. When we disconnect it from the Ethernet it looses the "other" user as it should. So we log in as administrator on the local account and set up our wifi which is WPA2 Enterprise. However the wifi will work as long as I'm logged in as administrator in the MacBook. As soon as I log out of the account boom! I loose the wifi and therefore I cannot log in to the domain because I do not get the "other" account. I want to know if anyone has found a work around to this networking issue. I don't know it's not authenticating the enterprise account pre-login but it's very frustrating since we have a deadline for the laptops. FYI( we have other non enterprise networks in our school but those laptops aren't supposed to be used with them, they are strictly reserved for other devices) we need this issue to be fixed because I don't know if it's 802.1x related or if macs are just generally stubborn with that. 

 

They are are bran new MacBook pros running El Capitan 

 

thank you! and if you need more info I'll get back as soon as possible!  

 

PS. All laptops we add to the domain(Windows) receive a certificate that as soon as they step on to school grounds they connect to the hidden WPA2 Enterprise network. 

[ALwin]

Check the network sharing and profile settings on the MacBooks.  You just want to connect the MacBooks to the wifi right?

 

Another thing in OSX is that it organizes network profiles by connection type and wifi SSID.  So if you configured the IP address and DNS addresses while using an Ethernet connection, when you disconnect the Ethernet and move to wifi the IP address and DNS server values will not be copied over to the wifi profile.

 

This article might help if you are trying add network based user accounts.

https://support.apple.com/kb/PH18884?locale=en_US

[LittleCarrot]

23 minutes ago, Dimas said:

- snip -

Mac's don't integrate with Windows very well and vice versa

[ALwin]

17 minutes ago, mcraftax said:

Your going to run into a hell tons of problems with macs trying to use a windows system. You should have got windows machines and had vm of ios or osx or what ever. Oh and why would anyone want a mac of editing on? They could have had double the power/specs for half the price too.!!!!!!!!!! -confused-

Because as a portable workstation for video editing, photography and work with other types of visual arts, almost NOTHING beats a MacBook Pro.

 

Final Cut runs only on OSX, and it's a great video editing software.

[Dimas]

40 minutes ago, ALwin said:

Check the network sharing and profile settings on the MacBooks.  You just want to connect the MacBooks to the wifi right?

 

Another thing in OSX is that it organizes network profiles by connection type and wifi SSID.  So if you configured the IP address and DNS addresses while using an Ethernet connection, when you disconnect the Ethernet and move to wifi the IP address and DNS server values will not be copied over to the wifi profile.

 

This article might help if you are trying add network based user accounts.

https://support.apple.com/kb/PH18884?locale=en_US

I will try this and keep you posted about it, 

thank you for the quick reply buddy. 

 

I just hope it's not anything that can't be resolved. 

[ALwin]

Just now, Dimas said:

I will try this and keep you posted about it, 

thank you for the quick reply buddy. 

 

I just hope it's not anything that can't be resolved. 

I wasn't 100%  sure what you were trying to do, so I though maybe you were just trying to get the MacBooks connected to the network via wifi, or setup some type of network sharing or trying to add user accounts via a network (e.g. like what would be done in office environments where a central server provides user accounts to desktops connected on the network).

 

I'm not an expert on networking but I do know quite a bit about OSX, perhaps more so than most members on this forum.

[Dimas]

34 minutes ago, mcraftax said:

Your going to run into a hell tons of problems with macs trying to use a windows system. You should have got windows machines and had vm of ios or osx or what ever. Oh and why would anyone want a mac of editing on? They could have had double the power/specs for half the price too.!!!!!!!!!! -confused-

They are for film student that are constantly "on the go". Let me put my two cents into this.

 

I am a PC fanboy and I still need to handed to the MacBook Pro when it came to raw mobile power while keeping a low profile, sleek design, and at the same time keeping the whole package at a low weight.  

 

Paired up with Final Cut Pro nothing really beats it. its the ultimate mobile editing platform

[Dimas]

45 minutes ago, ALwin said:

I wasn't 100%  sure what you were trying to do, so I though maybe you were just trying to get the MacBooks connected to the network via wifi, or setup some type of network sharing or trying to add user accounts via a network (e.g. like what would be done in office environments where a central server provides user accounts to desktops connected on the network).

 

I'm not an expert on networking but I do know quite a bit about OSX, perhaps more so than most members on this forum.

Okay when you add a Mac to a domain hard-wired (Ethernet) you get this user account "other"  shown in the image below, but once I disconnect it from the Ethernet it does not show up because the WPA2 Enterprise account only works once I log in as administrator and it does not work when I'm on the login screen. I can't seem to figure out why it does not work. When I'm on the log in screen because without that wifi I can't connect to the domain and if I can't connect to the domain I can't access my account which resides in the domain. 

 

 

[ALwin]

3 minutes ago, Dimas said:

If you are talking about the one labeled "Guest User", go into OSX's Users & Groups (under System Preferences) and change the settings for Guest User.

[Dimas]

24 minutes ago, ALwin said:

If you are talking about the one labeled "Guest User", go into OSX's Users & Groups (under System Preferences) and change the settings for Guest User.

Sorry I this is what I meant. 

The other user only pops out once it's connected to the domain. But I can't connect to the domain because there's no wifi at the log in screen and I want to know how to fix it 

[ALwin]

This discussion might help you:

https://discussions.apple.com/thread/5713455?tstart=0

 

You need to add an 802.1X profile for the Wifi adapter.  Go to System Preferences, Network.  Select the Wi-Fi adapter on the left side column, click on the Advanced button.

https://discussions.apple.com/thread/3198156?tstart=0

 

Here is what I could find about "Other" user.

http://apple.stackexchange.com/questions/165041/what-is-other-account-on-os-x-yosemite-login-screen

[Dimas]

3 minutes ago, ALwin said:

This discussion might help you:

https://discussions.apple.com/thread/5713455?tstart=0

 

You need to add an 802.1X profile for the Wifi adapter.  Go to System Preferences, Network.  Select the Wi-Fi adapter on the left side column, click on the Advanced button.

https://discussions.apple.com/thread/3198156?tstart=0

Thank you this post actually looks promising! I'll keep you updated.

[ALwin]

5 minutes ago, Dimas said:

Thank you this post actually looks promising! I'll keep you updated.

I added a third item to my last comment.  Refresh the page.

 

And here is how to join network account server in OSX El Capitan.

https://support.apple.com/kb/PH21988?locale=en_US

 

And an article for enabling Root user

https://support.apple.com/en-us/HT204012

[leadeater]

3 hours ago, Dimas said:

Hey guys so let me say a few things right off the bat. I am a networking student at my high school and I have a class called "PC support" which is pretty much a help desk for the whole school (imaging computers, adding to the domain, printer repairs, and lots of other goodies). 

 

Okay so here is the problem I've encountered. Recently our film students have been given new MacBook pros completely maxed out retina displays and all (sorry if I'm geeking out I just love tech) anyways the network administrator for the school recently made accounts for them in active directory it's all fine and dandy. We added them into the domain and while we are connected via Ethernet (thunder bolt adapter) like we do with normal Windows laptops for the school and when I log out I get the "other" users which allows me to log into the domain with my own personal credentials so I'm thinking it works fine and all but unfortunately that's not the case. When we disconnect it from the Ethernet it looses the "other" user as it should. So we log in as administrator on the local account and set up our wifi which is WPA2 Enterprise. However the wifi will work as long as I'm logged in as administrator in the MacBook. As soon as I log out of the account boom! I loose the wifi and therefore I cannot log in to the domain because I do not get the "other" account. I want to know if anyone has found a work around to this networking issue. I don't know it's not authenticating the enterprise account pre-login but it's very frustrating since we have a deadline for the laptops. FYI( we have other non enterprise networks in our school but those laptops aren't supposed to be used with them, they are strictly reserved for other devices) we need this issue to be fixed because I don't know if it's 802.1x related or if macs are just generally stubborn with that. 

 

They are are bran new MacBook pros running El Capitan 

 

thank you! and if you need more info I'll get back as soon as possible!  

 

PS. All laptops we add to the domain(Windows) receive a certificate that as soon as they step on to school grounds they connect to the hidden WPA2 Enterprise network. 

You need to make a configuration profile and install them on the Macs. It will need to be a computer configuration with the 802.1x settings. Put in the SSID settings etc and tick the box for "Use Direcorty Authentication" or w/e it's called, don't have anything in front of me atm to check.

 

I've set this up for a few schools with hundreds of Mac clients, it works fine. Running Macs in a Windows network works well if you know how to do it and all the tweaks required.

[leadeater]

15 minutes ago, leadeater said:

You need to make a configuration profile and install them on the Macs. It will need to be a computer configuration with the 802.1x settings. Put in the SSID settings etc and tick the box for "Use Direcorty Authentication" or w/e it's called, don't have anything in front of me atm to check.

 

I've set this up for a few schools with hundreds of Mac clients, it works fine. Running Macs in a Windows network works well if you know how to do it and all the tweaks required.

@Dimas See screen shot below of Apple Configuration Manager. This is run from a Mac Server so if you don't have one you will have to download the stand alone Apple Configurator app. This should be enough info anyway to get you start and google the correct things.

 

[Dimas]

25 minutes ago, leadeater said:

@Dimas See screen shot below of Apple Configuration Manager. This is run from a Mac Server so if you don't have one you will have to download the stand alone Apple Configurator app. This should be enough info anyway to get you start and google the correct things.

 

Well this has been the most helpful thing I've seen on the web to date on this issue. Thank you so much and thank you to everyone that replied, I'll be posting updates as I start setting them up tomorrow in school. 

[ALwin]

Good to know, I might need it one of these days.

[Dimas]

On March 14, 2016 at 9:24 PM, ALwin said:

Good to know, I might need it one of these days.

The wifi profile I created using apple configuration seem to work once I logged in  but it just would not stay connected when I logged out of the machine. It's all alright though, we decided to bite the bullet and just make a separate local account for them with no privileges.  Thank you for your reply guys.

[leadeater]

2 hours ago, Dimas said:

The wifi profile I created using apple configuration seem to work once I logged in  but it just would not stay connected when I logged out of the machine. It's all alright though, we decided to bite the bullet and just make a separate local account for them with no privileges.  Thank you for your reply guys.

Apple Configurator only makes user Profiles by default. You'll have to manually edit the config file before applying it and change it to a computer profile.

 

Long term if your going to be managing Macs on a network and going to get more I'd recommend buying Mac OS X server, the cost is not that high and it's well worth it. Won't need anything fancy to run it on, the most basic Mac Mini will do the job.