[Micronet] First time domain logon (Mac) when computer through wireless.

[Micronet] First time domain logon (Mac) when computer through wireless.

Luis Torres
Hello Micronet Users,


I'm curious to know if there is a way for first time domain logins to work through airbears or airbears2.  We effectively want to know if the computer can be put on the wireless (even if credentials are needed) before the user can log in - we have a couple of macs that don't have ethernet adapters (new Macs) and want to know if being "on the wire" is the only way to get a new domain user's credentials cached into the Mac.


Thanks,
--
-----
Luis Torres
System Administrator
Department of Statistics, UC Berkeley.

 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.

ANNOUNCEMENTS: To send announcements to the Micronet list, please use the [hidden email] list.
Re: [Micronet] First time domain logon (Mac) when computer through wireless.

Graham Patterson

It is not just a Mac problem - Windows has the same issue. Since most
wireless connections require credentials, and those are provided by the
login account post authentication, you have to have a valid login before
you can get wireless.

Wired connections come up during the system boot, and are in place
before the user logs in, hence domain credentials can be authenticated.

I presume this is an EEI image? If so, you probably cannot login as a
user with wireless access, and then switch back to the Login Window and
try Other using the existing wireless connection. I think that is
disabled by design. The EEI images are (mostly) documented in CalShare.

The simplest solution is to do an in-person handover of the machine, and
use a dongle and wire for the job. The dongle does not have to be
assigned to the machine - it just has to be authorized on the network.
After that, the login is cached on the machine.

Graham


On 7/20/15 12:54 PM, Luis Torres wrote:

> Hello Micronet Users,
>
>
> I'm curious to know if there is a way for first time domain logins to
> work through airbears or airbears2.  We effectively want to know if the
> computer can be put on the wireless (even if credentials are needed)
> before the user can log in - we have a couple of macs that don't have
> ethernet adapters (new Macs) and want to know if being "on the wire" is
> the only way to get a new domain user's credentials cached into the Mac.
>
>
> Thanks,
> --
> -----
> Luis Torres
> System Administrator
> Department of Statistics, UC Berkeley.


--
Graham Patterson, Systems Administrator
Rm 111, Lawrence Hall of Science, UC Berkeley   510-643-1984
"...past the iguana, the tyrannosaurus, the mastodon, the mathematical
puzzles, and the meteorite..." - used to be the directions to my office.

 
Re: [Micronet] First time domain logon (Mac) when computer through wireless.

Alex Kim
As Graham was saying, if you can get an Ethernet adapter to use for
the purpose of first logins, then it may be the simplest and quickest
solution.

However, if that is not possible, especially on the latest MacBook
models, then there are two methods that one can still use to allow an
initial login without any network connection or AirBears. They are
both now documented in the EEI CalShare site (direct link below). It
should be noted that they both require the end-user to enter his/her
CalNet Passphrase during the process, so the end-user’s presence is
still required. Hopefully that is the implied case though.

The first recommended method has an admin pre-create the CalNet
account and cache the end-user’s AD credentials on the Mac. Then the
end-user can perform an initial log in to the Mac without any network
connection. It’s essentially running one command in Terminal.

The second method uses AirBears to log in to the Mac. It’s arguably
not as recommended, especially with AirBears being discontinued on
August 14, but it works.

Please see the full details and instructions on the EEI CalShare page
(CalNet auth required):

https://calshare.berkeley.edu/sites/eei/osx/SitePages/PrecreateADaccount.aspx

Also, just in case there was any confusion, the EEI Windows and Mac
images do not disable user switching. They are also not configured to
disable a wireless connection upon logging out or switching users. I
believe this is a built-in operation in Windows and Mac OS X, so one
would see the same behavior in any default Windows or Mac OS X
installation.

Hope this information helps!

Thanks,

Alex

On Tue, Jul 21, 2015 at 11:01 AM, Graham Patterson <[hidden email]> wrote:

>
> It is not just a Mac problem - Windows has the same issue. Since most
> wireless connections require credentials, and those are provided by the
> login account post authentication, you have to have a valid login before
> you can get wireless.
>
> Wired connections come up during the system boot, and are in place
> before the user logs in, hence domain credentials can be authenticated.
>
> I presume this is an EEI image? If so, you probably cannot login as a
> user with wireless access, and then switch back to the Login Window and
> try Other using the existing wireless connection. I think that is
> disabled by design. The EEI images are (mostly) documented in CalShare.
>
> The simplest solution is to do an in-person handover of the machine, and
> use a dongle and wire for the job. The dongle does not have to be
> assigned to the machine - it just has to be authorized on the network.
> After that, the login is cached on the machine.
>
> Graham
>
>
> On 7/20/15 12:54 PM, Luis Torres wrote:
>> Hello Micronet Users,
>>
>>
>> I'm curious to know if there is a way for first time domain logins to
>> work through airbears or airbears2.  We effectively want to know if the
>> computer can be put on the wireless (even if credentials are needed)
>> before the user can log in - we have a couple of macs that don't have
>> ethernet adapters (new Macs) and want to know if being "on the wire" is
>> the only way to get a new domain user's credentials cached into the Mac.
>>
>>
>> Thanks,
>> --
>> -----
>> Luis Torres
>> System Administrator
>> Department of Statistics, UC Berkeley.
>
>
> --
> Graham Patterson, Systems Administrator
> Rm 111, Lawrence Hall of Science, UC Berkeley   510-643-1984
> "...past the iguana, the tyrannosaurus, the mastodon, the mathematical
> puzzles, and the meteorite..." - used to be the directions to my office.



--
Alex Kim
Endpoint Engineering and Infrastructure | IT
University of California, Berkeley
[hidden email]

 
Re: [Micronet] First time domain logon (Mac) when computer through wireless.

Ryan Lovett-2
Apparently there is a way of making this work using a mobile profile though it requires embedding WPA2 credentials.



Ryan

On Tue, Jul 21, 2015 at 4:59 PM, Alex Kim <[hidden email]> wrote:
> As Graham was saying, if you can get an Ethernet adapter to use for
> the purpose of first logins, then it may be the simplest and quickest
> solution.
>
> However, if that is not possible, especially on the latest MacBook
> models, then there are two methods that one can still use to allow an
> initial login without any network connection or AirBears. They are
> both now documented in the EEI CalShare site (direct link below). It
> should be noted that they both require the end-user to enter his/her
> CalNet Passphrase during the process, so the end-user’s presence is
> still required. Hopefully that is the implied case though.
>
> The first recommended method has an admin pre-create the CalNet
> account and cache the end-user’s AD credentials on the Mac. Then the
> end-user can perform an initial log in to the Mac without any network
> connection. It’s essentially running one command in Terminal.
>
> The second method uses AirBears to log in to the Mac. It’s arguably
> not as recommended, especially with AirBears being discontinued on
> August 14, but it works.
>
> Please see the full details and instructions on the EEI CalShare page
> (CalNet auth required):
>
> https://calshare.berkeley.edu/sites/eei/osx/SitePages/PrecreateADaccount.aspx
>
> Also, just in case there was any confusion, the EEI Windows and Mac
> images do not disable user switching. They are also not configured to
> disable a wireless connection upon logging out or switching users. I
> believe this is a built-in operation in Windows and Mac OS X, so one
> would see the same behavior in any default Windows or Mac OS X
> installation.
>
> Hope this information helps!
>
> Thanks,
>
> Alex
>
> On Tue, Jul 21, 2015 at 11:01 AM, Graham Patterson <[hidden email]> wrote:
>>
>> It is not just a Mac problem - Windows has the same issue. Since most
>> wireless connections require credentials, and those are provided by the
>> login account post authentication, you have to have a valid login before
>> you can get wireless.
>>
>> Wired connections come up during the system boot, and are in place
>> before the user logs in, hence domain credentials can be authenticated.
>>
>> I presume this is an EEI image? If so, you probably cannot login as a
>> user with wireless access, and then switch back to the Login Window and
>> try Other using the existing wireless connection. I think that is
>> disabled by design. The EEI images are (mostly) documented in CalShare.
>>
>> The simplest solution is to do an in-person handover of the machine, and
>> use a dongle and wire for the job. The dongle does not have to be
>> assigned to the machine - it just has to be authorized on the network.
>> After that, the login is cached on the machine.
>>
>> Graham
>>
>>
>> On 7/20/15 12:54 PM, Luis Torres wrote:
>>> Hello Micronet Users,
>>>
>>>
>>> I'm curious to know if there is a way for first time domain logins to
>>> work through airbears or airbears2.  We effectively want to know if the
>>> computer can be put on the wireless (even if credentials are needed)
>>> before the user can log in - we have a couple of macs that don't have
>>> ethernet adapters (new Macs) and want to know if being "on the wire" is
>>> the only way to get a new domain user's credentials cached into the Mac.
>>>
>>>
>>> Thanks,
>>> --
>>> -----
>>> Luis Torres
>>> System Administrator
>>> Department of Statistics, UC Berkeley.
>>
>>
>> --
>> Graham Patterson, Systems Administrator
>> Rm 111, Lawrence Hall of Science, UC Berkeley   510-643-1984
>> "...past the iguana, the tyrannosaurus, the mastodon, the mathematical
>> puzzles, and the meteorite..." - used to be the directions to my office.
>
>
>
> --
> Alex Kim
> Endpoint Engineering and Infrastructure | IT
> University of California, Berkeley
> [hidden email]
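The message above mentions a profile that embeds WPA2 credentials so the Mac is on wireless before anyone logs in. As an added example (not from the thread or from EEI), this Python check reads a macOS configuration profile and flags Wi-Fi payloads that store credentials or join in System mode with a static account. The two sample profiles, the SSID, account and server names are constructed, and the finding labels are invented for this example.

```python
import plistlib

WIFI_PAYLOAD = "com.apple.wifi.managed"  # Apple's Wi-Fi payload type


def make_profile(wifi_payload):
    """Wrap one Wi-Fi payload dict in a minimal profile and serialize it."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "example.constructed.wifi",
        "PayloadContent": [dict(wifi_payload, PayloadType=WIFI_PAYLOAD)],
    })


# Constructed samples, not taken from the thread or from any real deployment.
EMBEDDED = make_profile({
    "SSID_STR": "ExampleCampusWiFi",
    "EncryptionType": "WPA2",
    "SetupModes": ["System"],              # join before any user logs in
    "EAPClientConfiguration": {
        "AcceptEAPTypes": [25],            # 25 = PEAP
        "UserName": "svc-example",
        "UserPassword": "constructed-placeholder",
    },
})
MACHINE_AUTH = make_profile({
    "SSID_STR": "ExampleCampusWiFi",
    "EncryptionType": "WPA2",
    "SetupModes": ["System"],
    "EAPClientConfiguration": {
        "AcceptEAPTypes": [25],
        # Use the Mac's own AD computer account instead of a stored password.
        "SystemModeCredentialsSource": "ActiveDirectory",
        "TLSTrustedServerNames": ["radius.example.edu"],
    },
})


def audit_wifi(profile_bytes):
    """Return sorted (ssid, finding) pairs for every Wi-Fi payload in a profile."""
    findings = set()
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != WIFI_PAYLOAD:
            continue
        ssid = payload.get("SSID_STR", "<no ssid>")
        modes = payload.get("SetupModes", [])
        if isinstance(modes, str):
            modes = [modes]
        eap = payload.get("EAPClientConfiguration") or {}
        if "Password" in payload:
            findings.add((ssid, "pre-shared key stored in profile"))
        if "UserPassword" in eap:
            findings.add((ssid, "802.1X password stored in profile"))
        if ("System" in modes and "UserName" in eap
                and eap.get("SystemModeCredentialsSource") != "ActiveDirectory"):
            findings.add((ssid, "pre-login join uses a shared static account"))
        if eap and not (eap.get("TLSTrustedServerNames")
                        or eap.get("PayloadCertificateAnchorUUID")):
            findings.add((ssid, "no RADIUS server trust configured"))
    return sorted(findings)


if __name__ == "__main__":
    for name, blob in (("embedded", EMBEDDED), ("machine-auth", MACHINE_AUTH)):
        print(name, audit_wifi(blob) or "no findings")
```

A stored 802.1X password in a profile is readable by anyone who obtains the profile file, which is why the check treats it separately from the machine-account variant.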
Re: [Micronet] First time domain logon (Mac) when computer through wireless.

Graham Patterson

Not having an EEI imaged Mac handy to play with, I was wondering if an
existent WiFi connection would carry over to a user-switch and fresh
login or not. If it does, that simplifies things a little.

What we have is a sort of 'chain of custody' model where in the absence
of a valid wire connection, you cannot (readily) create a new account
without the assistance of an existing account holder.

Graham

On 7/21/15 4:54 PM, Alex Kim wrote:

> As Graham was saying, if you can get an Ethernet adapter to use for
> the purpose of first logins, then it may be the simplest and quickest
> solution.
>
> However, if that is not possible, especially on the latest MacBook
> models, then there are two methods that one can still use to allow an
> initial login without any network connection or AirBears. They are
> both now documented in the EEI CalShare site (direct link below). It
> should be noted that they both require the end-user to enter his/her
> CalNet Passphrase during the process, so the end-user’s presence is
> still required. Hopefully that is the implied case though.
>
> The first recommended method has an admin pre-create the CalNet
> account and cache the end-user’s AD credentials on the Mac. Then the
> end-user can perform an initial log in to the Mac without any network
> connection. It’s essentially running one command in Terminal.
>
> The second method uses AirBears to log in to the Mac. It’s arguably
> not as recommended, especially with AirBears being discontinued on
> August 14, but it works.
>
> Please see the full details and instructions on the EEI CalShare page
> (CalNet auth required):
>
> https://calshare.berkeley.edu/sites/eei/osx/SitePages/PrecreateADaccount.aspx
>
> Also, just in case there was any confusion, the EEI Windows and Mac
> images do not disable user switching. They are also not configured to
> disable a wireless connection upon logging out or switching users. I
> believe this is a built-in operation in Windows and Mac OS X, so one
> would see the same behavior in any default Windows or Mac OS X
> installation.
>
> Hope this information helps!
>
> Thanks,
>
> Alex
>
> On Tue, Jul 21, 2015 at 11:01 AM, Graham Patterson <[hidden email]> wrote:
>>
>> It is not just a Mac problem - Windows has the same issue. Since most
>> wireless connections require credentials, and those are provided by the
>> login account post authentication, you have to have a valid login before
>> you can get wireless.
>>
>> Wired connections come up during the system boot, and are in place
>> before the user logs in, hence domain credentials can be authenticated.
>>
>> I presume this is an EEI image? If so, you probably cannot login as a
>> user with wireless access, and then switch back to the Login Window and
>> try Other using the existing wireless connection. I think that is
>> disabled by design. The EEI images are (mostly) documented in CalShare.
>>
>> The simplest solution is to do an in-person handover of the machine, and
>> use a dongle and wire for the job. The dongle does not have to be
>> assigned to the machine - it just has to be authorized on the network.
>> After that, the login is cached on the machine.
>>
>> Graham
>>
>>
>> On 7/20/15 12:54 PM, Luis Torres wrote:
>>> Hello Micronet Users,
>>>
>>>
>>> I'm curious to know if there is a way for first time domain logins to
>>> work through airbears or airbears2.  We effectively want to know if the
>>> computer can be put on the wireless (even if credentials are needed)
>>> before the user can log in - we have a couple of macs that don't have
>>> ethernet adapters (new Macs) and want to know if being "on the wire" is
>>> the only way to get a new domain user's credentials cached into the Mac.
>>>
>>>
>>> Thanks,
>>> --
>>> -----
>>> Luis Torres
>>> System Administrator
>>> Department of Statistics, UC Berkeley.
>>
>>
>> --
>> Graham Patterson, Systems Administrator
>> Rm 111, Lawrence Hall of Science, UC Berkeley   510-643-1984
>> "...past the iguana, the tyrannosaurus, the mastodon, the mathematical
>> puzzles, and the meteorite..." - used to be the directions to my office.
>
>
>


--
Graham Patterson, Systems Administrator
Rm 111, Lawrence Hall of Science, UC Berkeley   510-643-1984
"...past the iguana, the tyrannosaurus, the mastodon, the mathematical
puzzles, and the meteorite..." - used to be the directions to my office.

 