Hello folks,
Some may remember a while ago I was asking about automating the
deployment of 802.1x system profiles using the new CLI tools in 10.6.
Well our local Apple SE was kind enough to come out and spend the
morning with me here and help figure out what I was missing.
First I should mention what our set up is and how this process may
differ in your environment.
* ISA Server
* 802.1x PEAP protocol ONLY
* WPA2 Enterprise Encryption
* We are planning on using a generic Username/Password on all
district owned hardware to authenticate in this process, eliminating a
couple of possible steps in this process that could be scripted out but
would make it more involved.
* We are using a System Profile so that Active Directory Users
can log in initially via wireless
The process we went through here:
* Obtain your Trust Certificate and place it on a box to set up
initially
* Set up a machine as you normally would by hand, creating the
system profile. In our case our generic authentication is used, the
wireless network is selected, the trust is configured.
* After that we export the profile. (close out of the advanced
settings by clicking ok. Click on the cog below your list of services
and choose "export configurations")
* Save your profile wherever you'd like; in our case we need to
uncheck the User profiles options and check the System profiles options
(including the items for the system keychain)
* This exports a ".networkConnect" file that is your profile.
* We package the Certificate and .networkConnect file for
delivery via casper policy or at image
* Then via command line, script, Advanced > Run Command in a
policy, however you decide, there are two commands:

### import the System Profile
networksetup -import8021xProfiles Airport /your_path/to_profile/AirPort.networkConnect

### configure Trust Certificate
/usr/bin/security add-trusted-cert -d -r trustAsRoot -p eap -k /Library/Keychains/System.keychain /your_path/to_Your/cert.cer
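Wrapping those two commands in a small deployment script, as an added example that is not from the original post or from Dustin's environment: it refuses to run with missing inputs, checks each command's exit status, and then verifies with `security verify-cert -p eap` that the certificate actually evaluates as trusted under the EAP policy, which is the check that tells you whether an error from add-trusted-cert mattered. The paths are placeholders, the service name defaults to "Airport" as in the post, and DRY_RUN=1 prints the commands instead of running them (an assumption of this script, not a feature of either tool).

```shell
#!/bin/sh
# Added example, not the original poster's script. Deploys an exported
# 802.1x system profile and the RADIUS trust certificate on Mac OS X 10.6.
# Assumptions: paths below are placeholders; DRY_RUN=1 only echoes commands.

set -u

# run_or_echo: execute a command, or print it when DRY_RUN=1
run_or_echo() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "DRY RUN: $*"
        return 0
    fi
    "$@"
}

# deploy_8021x <profile.networkConnect> <cert.cer> [service-name]
# Returns 2 on bad input, 1 if a step fails, 0 on success.
deploy_8021x() {
    profile="$1"
    cert="$2"
    service="${3:-Airport}"               # name as shown by networksetup
    keychain="/Library/Keychains/System.keychain"

    # Missing inputs would leave a machine with no working system profile,
    # so fail loudly before touching anything.
    [ -f "$profile" ] || { echo "profile not found: $profile" >&2; return 2; }
    [ -f "$cert" ]    || { echo "certificate not found: $cert" >&2; return 2; }
    case "$profile" in
        *.networkConnect) ;;
        *) echo "expected a .networkConnect file, got: $profile" >&2; return 2 ;;
    esac

    # Step 1: import the exported system profile for the wireless service
    run_or_echo networksetup -import8021xProfiles "$service" "$profile" \
        || { echo "profile import failed" >&2; return 1; }

    # Step 2: trust the certificate for the EAP policy only (-p eap), in the
    # system keychain (-d) so the trust is in place before any user logs in
    run_or_echo /usr/bin/security add-trusted-cert -d -r trustAsRoot -p eap \
        -k "$keychain" "$cert" \
        || { echo "add-trusted-cert failed" >&2; return 1; }

    # Step 3: confirm the certificate now evaluates as trusted under EAP
    run_or_echo /usr/bin/security verify-cert -c "$cert" -p eap \
        || { echo "certificate not trusted for EAP after import" >&2; return 1; }

    echo "802.1x deployment complete"
}

# Usage (placeholder paths):
# deploy_8021x /your_path/to_profile/AirPort.networkConnect /your_path/to_Your/cert.cer
```

Restricting the trust setting to `-p eap` rather than trusting the certificate for every policy is the part worth keeping: the RADIUS server's issuer only needs to be trusted for 802.1x, and the verify step at the end is what catches a cert that was added to the keychain but not marked trusted.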
One thing to mention, the security command is throwing an error for me
and I haven't looked into figuring it out or surpassing it since the
process is working for me. I just wanted to share ASAP as I know a few
others had expressed interest in following my progress. I'll post more
detailed info when I have some more time. BTW I'm still learning
about 802.1x so please feel free to point out any inaccuracy in my
explanation. I'm also going to test here some more but so far so good.
I'd prefer to not be using a generic account for authentication and to
not use a system profile, but that is what we're working with right now.
Sooo, it's a start.
I know some on the listserv are familiar with Pete so thanks is due to
Pete Markham our Apple SE for coming out and helping me figure this out,
I was making it WAY more complicated than it needed to be for our
environment!
Dustin Dorey
Technology Support Cluster Specialist
Independent School District 196
Rosemount-Apple Valley-Eagan Public Schools
dustin.dorey at district196.org
651|423|7971
