802.1x Support in Netboot Image

zskidmor
Contributor

Hey all:
We have migrated to an 802.1x network environment in our institution. We have been encountering extremely slow performance in our Netbooted systems as the computers stay connected to our pre-authorization VLAN, which has a very short DHCP lease time (2 minutes, so the OS X netboot image is making a new request to the DHCP server about every minute). This seems to be drastically slowing down the imaging process. It gets stuck in the pre-authorization network as there isn't a user authenticating to the network.

We created a set of user credentials in our Radius server and have configured it to connect to our Hardware VLAN, which has a much longer lease time that is more conducive for imaging. I have verified these credentials work on Windows and OS X.

I created a configuration profile in Casper that has our certificates and user credentials pre-populated, downloaded it to a system that I was using to configure the netboot image on, and was able to get the system I was building to consistently connect to the correct VLAN.

I created a netboot image using Composer, then Apple System Image Utility (OS X 10.9, System Image Utility version 3, and Composer 9.2).

Every time I boot a system with this image, the eapolclient never initializes on its own to process the 802.1x authentication. As a result it doesn't connect to the Hardware VLAN and gets stuck in our pre-authorization network.

Has anyone encountered this issue or have any suggestions? I do want to preface that we cannot increase the DHCP lease time of the pre-authorization network, as that causes other issues with other devices, and that is a decision made by our network administration team that I have no control over.

7 REPLIES

alexjdale
Valued Contributor III

I don't do this with Netboot since we stopped using it, but our USB boot image has a configuration profile similar to what you mentioned (using a service account to authenticate) which I set up to install/reinstall as part of a startup script. That ensures 802.1x is active for whatever ethernet adapter is present at boot time. It's worked flawlessly so far.

Chris_Hafner
Valued Contributor II

Right now, trying to netboot on any type of 802.1x network is going to cause significant issues as the protocol (for Macs anyway) doesn't support it in any way, shape or form. Now, I'm not a network engineer and do NOT understand ARP tables like the back of my hand, so maybe you've got some clever workaround. This seems to be what you're describing above (regarding a pre-auth network).

bentoms
Release Candidate Programs Tester

I think you'll find it's not supported, which is why it's problematic.

http://support.apple.com/kb/TS4591

zskidmor
Contributor

That support article is referring to the fact that the Mac firmware doesn't support 802.1x authentication. That is not my problem; I can get the firmware to connect to pre-auth and netboot does start. The issue is that once the netboot image itself is loaded, the eapolclient doesn't initialize. OS X itself supports 802.1x, I just haven't been able to get it to work once it is a netboot image.

@alexjdale Thanks for the tip on using a startup script; would you mind posting your script (obviously leaving out secure information :))?

fritz_schlapbac
Contributor

I didn't try this with Netboot images yet. But we see a comparable problem with 802.1x when using an Ethernet connection (OS X 10.8.5 and 10.9.1). The clients never connect using 802.1x after a reboot while the Ethernet cable is plugged in. If I remove the Ethernet cable and plug it back in after the user is logged in, the 802.1x connection is established as expected. As most of our users are using 802.1x with a Wi-Fi connection, it's not a big deal for us.

Perhaps it would work too if a script disables and enables the Ethernet connection after the login. I never tested this as a possible workaround.

In the logfiles there is no error visible. It just looks like OS X never tries to connect 802.1x automatically.

SachinParmar
New Contributor

@zskidmor I have got this working within our environment, with a little bit of a weird setup. Before I made the netboot image I put a PEAP-authenticated wired 802.1x mobileconfig file in /Users/Shared/, set the root user to automatically log in, and put a script in the startup items which installs the PEAP 802.1x wired connection using the `sudo profiles -I -F ....` command and opens Casper Imaging after it's done that!

Works every time!

alexjdale
Valued Contributor III

If you can build a configuration profile that has embedded credentials for a service account to perform the 802.1x authentication, you just need a startup script that installs it with the profiles command on boot. Reinstalling it basically resets it to use whatever Ethernet adapter you have plugged in at the time so it will work across any machine.

Just make sure you have the cert chain of trust pre-installed on your boot image. Again, I am only using this for a USB boot image, but I would imagine if you could get the Netboot image to load, this might work.
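The startup-script approach described by SachinParmar and alexjdale above, as an added example that is not code from either poster: it sanity-checks the 802.1x mobileconfig, removes any stale copy with `profiles -R -F`, and reinstalls it with `profiles -I -F` so eapolclient binds to whatever Ethernet adapter is present at boot. The profile path, log path and the `run` argument are assumptions; the profile is assumed to be an unsigned XML mobileconfig.

```shell
#!/bin/sh
# Boot-time (re)install of a wired 802.1x profile on a netboot/USB boot image.
# Assumed locations; override with environment variables if yours differ.
set -eu

PROFILE="${PROFILE:-/Users/Shared/wired-8021x.mobileconfig}"   # assumed path
PROFILES_BIN="${PROFILES_BIN:-/usr/bin/profiles}"              # macOS profiles(1)
LOG="${LOG:-/var/log/netboot-8021x.log}"                       # assumed path

log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG"; }

# Check the profile before handing it to profiles(1).
# Returns 1 if the file is missing/unreadable, 2 if it carries no EAP client
# payload (an unsigned XML profile is assumed, so a plain grep is enough).
check_profile() {
    [ -r "$1" ] || return 1
    grep -q 'EAPClientConfiguration' "$1" || return 2
    return 0
}

# Remove any previously installed copy, then install the profile again.
# Reinstalling is what rebinds the 802.1x configuration to the adapter that
# is plugged in right now, which is why this runs at every boot.
install_profile() {
    rc=0
    check_profile "$PROFILE" || rc=$?
    if [ "$rc" -ne 0 ]; then
        log "profile check failed for $PROFILE (code $rc)"
        return 1
    fi
    # The file embeds the service-account credentials: keep it root-only.
    chmod 600 "$PROFILE"
    "$PROFILES_BIN" -R -F "$PROFILE" >/dev/null 2>&1 || true   # no stale copy is fine
    "$PROFILES_BIN" -I -F "$PROFILE"
    log "installed $PROFILE"
}

# Only act when invoked as "script run", e.g. from a LaunchDaemon or startup item.
if [ "${1:-}" = "run" ]; then
    install_profile
fi
```

Casper Imaging can be launched right after `install_profile` returns, as in SachinParmar's setup.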