Clearpass for Macs / AD Binding
Macs must be registered in ClearPass before they can authenticate to the wireless network. Once registered, ClearPass policy places the Mac on the BSD-Secure-Known-Good network, where DHCP assigns it an address in the 172.20.0.0/19 range and Active Directory is reachable.
Prerequisites:
- IMPORTANT: The device must not already exist in AD. If it was bound previously, delete its computer object from AD before re-running the script; otherwise the script fails because the object already exists. For the same reason (and as repeated below), name the device so it is easy to find in AD if it ever needs to be deleted. A generic AD name such as 'Mac Mini' or 'Macbook Air' cannot be traced back to a specific machine; a name such as 'WHS-2101010-DTA' can.
- The Mac must already be enrolled in SimpleMDM, have the BSD-Secure certificate profile installed and be connected to BSD-Secure.
- Log in to the sadmin account, open System Settings > Wi-Fi, click 'Details' next to BSD-Secure and make a note of the Wi-Fi address (the wireless MAC address, needed for the ClearPass step).
- Connect the Mac to the network via Ethernet for AD binding. Check that it is in the Data VLAN if necessary.
- Name the Mac before running the binding script. In SimpleMDM, open the device's page and go to Info > Device Name (see screenshot). The device then appears in AD under the name you set instead of its serial number, which makes it much quicker to locate.

Clearpass
Once you have the wireless MAC address:
- Log in to Aruba ClearPass using 1Pass credentials.
- On the left-hand side, navigate to Configuration > Identity > Static Host Lists and click 'Mac-Computers'.
- This opens an 'Edit Static Host List' pop-up. Enter the wireless MAC address of the Mac in the 'address' field. Separate the octets with dashes (-), not colons (:); macOS displays the address with colons, so convert it before entering it.
- Add a description in the description field to identify the device. I usually set the device's name there (eg. WHS-2101010-DTA or WHS-LAB83-01-MM).
- Click 'Save Host' BEFORE you click 'Save'. If you click 'Save' without clicking 'Save Host' first, the MAC address is not added to the list.
AD Binding
As mentioned above, it is important to name the Mac so that the AD name is easily identifiable and can be traced back to that machine.
Now that the device name is set in SimpleMDM and on the Mac (double-check on the Mac under Apple Logo > System Settings > General > About), you are ready to run the AD binding script from SimpleMDM.
For a single device: open the device's page in SimpleMDM, click 'Actions' on the right, then 'Run Script'. Choose the 'Binding Domain' script and when it should run. The job name can be anything; it is not important. Run the script.
For several devices: go to Scripts > Jobs > Create Job. You can add multiple devices or groups so that the script runs on all of them at once.
Allow at least a minute for the job to start. Once the binding script has run on a Mac, it shows up in AD under: _Computers by Type-Location > MAC Computers.
If the device does not show up or the script reports an error, read the error message. The most likely cause is that a computer object with that name already exists in AD (see the prerequisites above); delete it and re-run the script.
Reboot the device and try to log in with your AD credentials. An orange dot appears in the top right corner of the login window while the Mac authenticates you against the domain. If the bind was successful, you are logged in to your profile. Confirm by checking the device's list of users in SimpleMDM.
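The MAC-address formatting step in the ClearPass section and the post-bind check at the end of the AD Binding section, as an added shell example. This is not part of the original runbook, the SimpleMDM 'Binding Domain' script or any ClearPass tooling. It assumes the macOS commands networksetup, scutil and dsconfigad; the MAC addresses, the domain corp.example.com and the computer name in the embedded sample output are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of the original runbook or of the SimpleMDM
# 'Binding Domain' script). Helpers for two steps of the procedure:
#  1. take the Wi-Fi MAC address as macOS prints it (colon-separated) and
#     convert it to the dash-separated form the ClearPass static host list wants;
#  2. after the script job has run, confirm the Mac is really bound by
#     parsing 'dsconfigad -show'.
# The sample outputs below are constructed; domain, MACs and computer name
# are placeholders, not real values.

# Normalize a MAC: trim whitespace, colons -> dashes, upper-case hex.
# Fails (return 1) if the result is not six two-digit hex groups.
normalize_mac() {
  mac=$(printf '%s' "$1" | tr -d ' \t\r\n' | tr ':' '-' | tr 'abcdef' 'ABCDEF')
  case "$mac" in
    [0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F]-[0-9A-F][0-9A-F])
      printf '%s\n' "$mac" ;;
    *)
      printf 'invalid MAC address: %s\n' "$1" >&2
      return 1 ;;
  esac
}

# Pull the Wi-Fi interface's MAC out of 'networksetup -listallhardwareports' output.
wifi_mac_from_ports() {
  printf '%s\n' "$1" | awk '
    /^Hardware Port: Wi-Fi$/ { in_wifi = 1; next }
    /^Hardware Port:/        { in_wifi = 0 }
    in_wifi && /^Ethernet Address:/ { print $3; exit }'
}

# Fields from 'dsconfigad -show'. Each prints nothing if the line is absent,
# which is what an unbound Mac produces (empty output).
ad_domain_from_show() {
  printf '%s\n' "$1" | awk -F'= ' '/Active Directory Domain/ { print $2; exit }'
}
ad_computer_from_show() {
  printf '%s\n' "$1" | awk -F'= ' '/Computer Account/ { print $2; exit }'
}

# On the Mac itself (run as sadmin): real values, non-zero exit if not bound.
live_report() {
  ports=$(networksetup -listallhardwareports)
  printf 'ClearPass address field: %s\n' "$(normalize_mac "$(wifi_mac_from_ports "$ports")")"
  printf 'ComputerName:            %s\n' "$(scutil --get ComputerName)"
  show=$(dsconfigad -show)
  domain=$(ad_domain_from_show "$show")
  if [ -n "$domain" ]; then
    printf 'Bound to %s as %s\n' "$domain" "$(ad_computer_from_show "$show")"
  else
    printf 'NOT bound to Active Directory\n' >&2
    return 1
  fi
}

# Constructed sample output (placeholder values) so the parsers run offline.
SAMPLE_PORTS=$(cat <<'EOF'
Hardware Port: Wi-Fi
Device: en0
Ethernet Address: a4:83:e7:12:34:56

Hardware Port: Thunderbolt Ethernet
Device: en5
Ethernet Address: 00:e0:4c:68:00:01
EOF
)

SAMPLE_SHOW=$(cat <<'EOF'
You are bound to Active Directory:
  Active Directory Forest          = corp.example.com
  Active Directory Domain          = corp.example.com
  Computer Account                 = WHS-2101010-DTA$
EOF
)

if [ "${1:-}" = "--live" ]; then
  live_report
else
  printf 'Sample Wi-Fi MAC for ClearPass: %s\n' "$(normalize_mac "$(wifi_mac_from_ports "$SAMPLE_PORTS")")"
  printf 'Sample bind: %s as %s\n' "$(ad_domain_from_show "$SAMPLE_SHOW")" "$(ad_computer_from_show "$SAMPLE_SHOW")"
fi
```

Run it with --live on the Mac as sadmin once the SimpleMDM job has completed; an empty 'Active Directory Domain' result means the bind did not happen, and the AD computer-object name should be checked before the job is re-run. Without --live it only exercises the parsers on the embedded samples.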