Solved

Extension Attribute Help - Looking to pull Authenticated via information from a specific SSID

  • October 27, 2022
  • 3 replies
  • 34 views

TheITGuy69

Hi All,

Searched all over and couldn't find this.

Looking to create an extension attribute that pulls the "Authenticated via" value for a specific SSID.

The use case is, we currently allow users to connect to the corporate WiFi with username and password, but it gives them a limited network connection; they cannot connect to all services.

That shows up as Authenticated via EAP-PEAP (MSCHAPv2).

We just implemented 802.1X SCEP cert authentication.

That shows up as Authenticated via EAP-TLS.

We plan on deploying the new configuration profile for the 802.1X but want to make sure users are connecting with the new profile and not the old one.

 

Best answer by daniel_behan

If your Configuration Profile is set for System instead of User, then the new profile will put the SSID into the system keychain.  If your users are manually joining the WiFi, their entries for the SSID are most likely in their login.keychain.  I have an Extension Attribute that looks to see if someone manually joined the Corporate WiFi instead of joining via the System Configuration Profile.  Replace <SSID> with the name of your Corporate WiFi.

#!/bin/bash
# Current console user (owner of /dev/console).
loggedInUser=$(stat -f%Su /dev/console)
loggedInUID=$(id -u "$loggedInUser")   # not used below, kept from the original
# Look for the EAP item for <SSID> in that user's login keychain; stderr is
# silenced so a missing item does not pollute the EA output. Paths and the
# SSID are quoted so names with spaces work.
ssidcheck=$(security find-generic-password -l "<SSID>" "/Users/$loggedInUser/Library/Keychains/login.keychain-db" 2>/dev/null | grep svce | cut -d '"' -f4)
if [ "$ssidcheck" = "com.apple.network.eap.user.item.wlan.ssid.<SSID>" ]; then
    result="SSIDPresent"
else
    result="SSIDNotPresent"
fi
echo "<result>$result</result>"

3 replies

TheITGuy69
  • Author
  • Contributor
  • 43 replies
  • October 27, 2022

After the profile is pushed, the user gets asked to select the cert on a network change or reboot.

Then it shows EAP-TLS under Authenticated via.

Users that don't already have it set up, connected via username and password, don't get prompted for the cert.

Can't delete that profile ahead of time since it might be their only connection.

- minor disruption.


daniel_behan
  • Valued Contributor
  • 201 replies
  • Answer
  • October 31, 2022


TheITGuy69
  • Author
  • Contributor
  • 43 replies
  • October 31, 2022


Thanks!

I had to change the 1st 2 lines to this for it to work for me. A better way to do it, I'm being told.

 

loggedInUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )
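Added example, not code from the thread, tying together daniel_behan's extension attribute and the scutil replacement in the last reply: the two parsing steps (console user, then the keychain "svce" value) are factored into functions that read captured command output, with constructed sample output so the logic can be run and checked off a Mac. Function names are assumptions.

```bash
#!/bin/bash
# Added example, not code from the thread: the EA's two parsing steps
# as stdin-reading functions, checked offline on captured output.
# Function names are hypothetical.
# Console user from `scutil <<< "show State:/Users/ConsoleUser"` output.
# Prints nothing at the login window ("Name : loginwindow"), the case where
# `stat -f%Su /dev/console` reports root and the keychain path goes wrong.
ea_console_user() {
  awk '/Name :/ && ! /loginwindow/ { print $3 }'
}

# Service name from `security find-generic-password` output: the line
#     "svce"<blob>="com.apple.network.eap.user.item.wlan.ssid.<SSID>"
# split on double quotes; field 4 is the value.
ea_svce_from_dump() {
  grep svce | cut -d '"' -f4
}

# Map an svce value to the EA result for one SSID (empty -> NotPresent).
ea_result() {
  if [ "$2" = "com.apple.network.eap.user.item.wlan.ssid.$1" ]; then
    echo "SSIDPresent"
  else
    echo "SSIDNotPresent"
  fi
}

# Constructed, abridged sample outputs of the two commands.
SAMPLE_SCUTIL_USER='<dictionary> {
  Name : jdoe
  UID : 501
}'
SAMPLE_SCUTIL_LOGINWINDOW='<dictionary> {
  Name : loginwindow
  UID : 0
}'
SAMPLE_SECURITY_DUMP='keychain: "/Users/jdoe/Library/Keychains/login.keychain-db"
class: "genp"
attributes:
    "svce"<blob>="com.apple.network.eap.user.item.wlan.ssid.CorpWiFi"'
# End to end on the samples; on a Mac, replace them with the live commands.
ea_demo() {
  local user svce
  user=$(printf '%s\n' "$SAMPLE_SCUTIL_USER" | ea_console_user)
  [ -n "$user" ] || { echo "<result>NoConsoleUser</result>"; return; }
  svce=$(printf '%s\n' "$SAMPLE_SECURITY_DUMP" | ea_svce_from_dump)
  echo "<result>$(ea_result CorpWiFi "$svce")</result>"
}
ea_demo
```

The loginwindow sample is the state in which the original stat-based lookup would point at the wrong keychain, which is why the reply above swapped in the scutil form.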