Skip to main content

HI All,

 Searched all over and couldn't find this.

 

Looking to create an extension attribute that pulls the authenticated via for a specific ssid.

 

The use case is, we currently allow users to connect to the corporate wifi with username and password , but it gives them a limited network connect , they cannot connect to all services. 

that shows up as Authenticated via EAP-PEAP (MSCHAPv2)

we just implemented 802.1x scep cert authentication.

That shows up as Authenticated via EAP-TLS

WE plan on deploying the new configuration profile for the 802.1x but want to make sure users are connecting with the new profile and not the old one

 

After the profile is pushed, user gets requested to select the cert on a network change or reboot. 

Then it shows up EAP-TLS under Authenticated via.

 

Users that don't have it already set up connected via username and password don't get prompted for cert. 

Can't delete that profile ahead of time since it might be their only connection. 

-minor disruption.

If your Configuration Profile is set for System instead of User, then the new profile will put the SSID into the system keychain.  If your users are manually joining the WiFi, their entries for the SSID are most likely in their login.keychain.  I have an Extension Attribute that looks to see if someone manually joined the Corporate WiFi instead of joining via the System Configuration Profile.  Replace <SSID> with the name of your Corporate WiFi.

#!/bin/bash

loggedInUser=$(stat -f%Su /dev/console)
loggedInUID=$(id -u "$loggedInUser")

ssidcheck=$(security find-generic-password -l <SSID> /Users/$loggedInUser/Library/Keychains/login.keychain-db | grep svce | cut -d '"' -f4)
if [ "$ssidcheck" = "com.apple.network.eap.user.item.wlan.ssid.<SSID>" ]; then
result="SSIDPresent"
else
result="SSIDNotPresent"
fi

echo "<result>$result</result>"

 

If your Configuration Profile is set for System instead of User, then the new profile will put the SSID into the system keychain.  If your users are manually joining the WiFi, their entries for the SSID are most likely in their login.keychain.  I have an Extension Attribute that looks to see if someone manually joined the Corporate WiFi instead of joining via the System Configuration Profile.  Replace <SSID> with the name of your Corporate WiFi.

#!/bin/bash

loggedInUser=$(stat -f%Su /dev/console)
loggedInUID=$(id -u "$loggedInUser")

ssidcheck=$(security find-generic-password -l <SSID> /Users/$loggedInUser/Library/Keychains/login.keychain-db | grep svce | cut -d '"' -f4)
if [ "$ssidcheck" = "com.apple.network.eap.user.item.wlan.ssid.<SSID>" ]; then
result="SSIDPresent"
else
result="SSIDNotPresent"
fi

echo "<result>$result</result>"

 


Thanks!

I had to change the 1st 2 lines to this for it to work for me. A better way to do it , i'm being told. 

 

loggedInUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name 😕 && ! /loginwindow/ { print $3 }' )

 

Terms & ConditionsCookie settings