802.1x system profiles

dustydorey
Contributor III

Is anyone working with 802.1x authentication in your environments? If
so how are you handling deployment?

Also, I was working on automating this via a script or program and ran
into some issues with the new CLI options in 10.6.

What I'm having trouble with is that you are supposed to be able to
export a system profile to a file to distribute and import onto client
machines.

When I do the export:

networksetup -export8021xSystemProfile AirPort "path/to/example.networkconnect" yes

it works just fine.

Upon import:

networksetup -import8021xProfiles AirPort "path/to/example.networkconnect"

That seems to work fine as well.

However, if I try to enable it using:

networksetup -enablesystemprofile AirPort on

it tells me that there is no system profile.

I planned on eventually wrapping this up into a script and making a
package to deploy the profile and trust certs, etc., but if I can't get
it to work on the command line there's no point in moving further.
I'm sure I'm missing something easy, but I couldn't find anything useful
via Google except an afp548 article that outlines what I'm trying to do
but doesn't give any details. I figured someone has to be dealing with
this in a large environment.

Thanks for any input folks!

Dustin Dorey

Technology Support Cluster Specialist

Independent School District 196

Rosemount-Apple Valley-Eagan Public Schools

dustin.dorey at district196.org

651|423|7971


rmanly
Contributor III

I am working on scripting this out to 10.5 machines as well. Just an FYI, I
have burned one of our 10 support issues with Apple Engineering on an
issue I found during 10.6 802.1x testing.

This and Xerox print drivers are the only things keeping me from
deploying 10.6.

If you have the unit set to a Login Window profile and it is on a wireless
network and you expire someone's password in AD, they will not be able to
reset it or log in. This has been confirmed, and two additional 802.1x bugs
were found by the Apple Engineer who was working on our issue.

In 10.5.7 and 10.5.8 the user will be able to change their password and
log in to the box. In 10.6.x the wifi connection is dropped and the user is
unable to log in.

Just an FYI. Be careful.

P.S. Instead of exporting and importing a config, I was just going to
have the script create the 802.1x setup on each box and push it out via
Casper policy at startup.

Ryan M. Manly
Mac OS X Expert
Glenbrook High Schools
1835 Landwehr Rd.
Glenview, IL 60026
(847) 486-4948

On Wed, Dec 16, 2009 at 3:09 PM, Dorey, Dustin <Dustin.Dorey at district196.org> wrote:

dustydorey
Contributor III

Hey thank you very much for the information, I hadn't yet looked into
trying to automate the 10.5 machines seriously. I wanted to try and go
through it on the 10.6 machines since they had added the CLI utilities
thinking it would be a good learning ground.

The plan here was to avoid using a standard login profile and having
users authenticate for a user profile on their own. Since it was to be
deployed on District-owned hardware we were just planning on using
system profiles. Though I do like the added security of the
login/user profile, I was trying to avoid user interaction as much as
possible.

The password expiration issue is very interesting to know about as I'm
sure we will still run into that at some point so thank you VERY much
for sharing that!

Our Apple SE got back to me yesterday afternoon and mentioned setting
the TLS identity as a step I might have missed; however, we are only
using PEAP authentication at the moment. Which leads me to think that I
might have to have a conversation about our overall setup with our Net
Tech so that I can further understand the choices in authentication
method here, and look into making a PKCS#12 file to try the TLS method.
It would be nice if there were some documentation from Apple on how to
actually use the networksetup additions for 802.1x in 10.6. Or maybe
there is and I just haven't found it!

In any case, thanks again for your feedback and information on the
subject. It seems that there are several people interested in how to
get this working so I'm thinking many on the list will be thankful for
any info.

-Dusty-

Dustin Dorey

Technology Support Cluster Specialist

Independent School District 196

Rosemount-Apple Valley-Eagan Public Schools

dustin.dorey at district196.org

651|423|7971

Not applicable

I haven't setup a 10.6 box yet but is the machine level authentication
system now, real machine level or still the fake machine level via user
level that Apple gave us in 10.5? I was surprised that only TLS offers
true machine level authentication and every other protocol fakes this by
using a user account still.

- JD

jmclaughlin
New Contributor

Hi everyone, this is something I set up for my district to enable clients to
authenticate to machines using their AD credentials. We use PEAP, TTLS
and MD5 for authentication, though this may be more encryption than you
need. We use WPA2 Enterprise for our security type and a root CA to dole
out the cert. Apple mentioned that the certificate must be in PEM format
when it copies to the machine or it won't work. Note that I've changed
some variables so you can use your own SSID and cert. I hope this helps
everyone.

#!/bin/sh
# Edits the system-wide network preferences, so run as root.

PB=/usr/libexec/PlistBuddy

# Define the plist file for easier reference...
EAPLoginWindow=/Library/Preferences/SystemConfiguration/preferences.plist

# Get some unique identifiers to use in the plist...
wifi=yourwifissid
uuid=$(uuidgen)
netuuid=$(uuidgen)
# UUID of the active location: the top-level CurrentSet key holds "/Sets/<UUID>"
setuuid=$("$PB" -c "Print :CurrentSet" "$EAPLoginWindow" | sed 's|^/Sets/||')

# Key paths used below
en1=":Sets:$setuuid:Network:Interface:en1"
lw="$en1:EAPOL.LoginWindow:$uuid"

# Configuring the Login Window settings...
"$PB" -c "Add $en1:Airport dict" "$EAPLoginWindow"
"$PB" -c "Add $en1:Airport:JoinMode string Automatic" "$EAPLoginWindow"
"$PB" -c "Add $en1:Airport:JoinModeFallback array" "$EAPLoginWindow"
"$PB" -c "Add $en1:Airport:JoinModeFallback:0 string Prompt" "$EAPLoginWindow"
"$PB" -c "Add $en1:Airport:PowerEnabled bool Yes" "$EAPLoginWindow"
"$PB" -c "Add $en1:Airport:PreferredNetworks array" "$EAPLoginWindow"
"$PB" -c "Add $en1:Airport:PreferredNetworks:0 dict" "$EAPLoginWindow"
"$PB" -c "Add $en1:Airport:PreferredNetworks:0:SSID_STR string $wifi" "$EAPLoginWindow"
"$PB" -c "Add $en1:Airport:PreferredNetworks:0:SecurityType string WPA2 Enterprise" "$EAPLoginWindow"
"$PB" -c "Add '$en1:Airport:PreferredNetworks:0:Unique Network ID' string $netuuid" "$EAPLoginWindow"
"$PB" -c "Add $en1:Airport:RememberRecentNetworks bool Yes" "$EAPLoginWindow"
"$PB" -c "Add $en1:EAPOL.LoginWindow dict" "$EAPLoginWindow"
"$PB" -c "Add $lw dict" "$EAPLoginWindow"
"$PB" -c "Add $lw:EAPClientConfiguration dict" "$EAPLoginWindow"
"$PB" -c "Add $lw:EAPClientConfiguration:AcceptEAPTypes array" "$EAPLoginWindow"
# EAP method numbers: 4 = MD5, 25 = PEAP, 21 = TTLS; each needs its own array index
"$PB" -c "Add $lw:EAPClientConfiguration:AcceptEAPTypes:0 integer 4" "$EAPLoginWindow"
"$PB" -c "Add $lw:EAPClientConfiguration:AcceptEAPTypes:1 integer 25" "$EAPLoginWindow"
"$PB" -c "Add $lw:EAPClientConfiguration:AcceptEAPTypes:2 integer 21" "$EAPLoginWindow"
"$PB" -c "Add $lw:UniqueIdentifier string $uuid" "$EAPLoginWindow"
"$PB" -c "Add $lw:UserDefinedName string $wifi" "$EAPLoginWindow"
"$PB" -c "Add '$lw:Wireless Network' string $wifi" "$EAPLoginWindow"

# Add the root CA (PEM) to the System keychain, trusted for EAP only
security add-trusted-cert -d -r trustRoot -p eap -k /Library/Keychains/System.keychain /private/var/tmp/certificate.pem

exit 0

John McLaughlin
Technical Support Specialist
Newton Public Schools
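The same login-window profile assembled in memory, as an added example that is not code from the thread or from Apple. It uses Python's plistlib to build the Network:Interface:en1 subtree the script above creates key by key, maps method names to the EAP type numbers the script hard-codes (4 = MD5, 25 = PEAP, 21 = TTLS) with one AcceptEAPTypes slot each, takes the active location from the top-level CurrentSet key instead of cutting columns out of the XML, and lints the result before anything touches the live preferences.plist. Two assumptions: the TLSTrustedServerNames key name comes from Apple's EAP8021X framework headers and is not mentioned in the thread, and the preferences.plist sample is constructed. EAP-MD5 (type 4) derives no keying material and never authenticates the server, so it cannot protect a WPA2 Enterprise association; the example refuses it unless explicitly allowed.

```python
"""Assemble the 802.1X login-window profile for the Airport interface (en1)
in memory, mirroring the subtree the PlistBuddy script above writes into
preferences.plist, and lint it before anything touches the live file."""
import copy
import plistlib
import uuid

# EAP method numbers (IANA registry): what the AcceptEAPTypes array carries.
EAP_TYPES = {"MD5": 4, "TLS": 13, "TTLS": 21, "PEAP": 25}
# EAP-MD5 derives no keying material and never authenticates the server, so
# it cannot protect a WPA2 Enterprise association; refuse it by default.
WEAK_EAP_TYPES = {4}
# Constructed sample of a minimal preferences.plist with one location.
SAMPLE_SET_UUID = "8F3E2A10-0000-4000-8000-0000000000AB"
SAMPLE_PREFS = {"CurrentSet": "/Sets/" + SAMPLE_SET_UUID,
                "Sets": {SAMPLE_SET_UUID: {"UserDefinedName": "Automatic"}}}

def sample_prefs():
    return copy.deepcopy(SAMPLE_PREFS)

def current_set_uuid(prefs):
    """Active location UUID from the top-level CurrentSet key ("/Sets/<UUID>")."""
    return prefs["CurrentSet"].rsplit("/", 1)[1]

def eap_type_list(methods, allow_md5=False):
    """Method names -> AcceptEAPTypes: one array slot per method, no duplicates."""
    types = []
    for name in methods:
        if name not in EAP_TYPES:
            raise ValueError("unknown EAP method: %s" % name)
        code = EAP_TYPES[name]
        if code in WEAK_EAP_TYPES and not allow_md5:
            raise ValueError("EAP-MD5 is not usable under WPA2 Enterprise")
        if code not in types:
            types.append(code)
    return types

def login_window_entry(ssid, methods, trusted_server_names=()):
    """One EAPOL.LoginWindow entry, keyed by its own UniqueIdentifier.
    TLSTrustedServerNames is the key name from Apple's EAP8021X framework (an
    assumption, not from the thread); without it the supplicant hands the
    user's credentials to any RADIUS server chaining to a trusted root."""
    profile_uuid = str(uuid.uuid4()).upper()
    config = {"AcceptEAPTypes": eap_type_list(methods)}
    if trusted_server_names:
        config["TLSTrustedServerNames"] = list(trusted_server_names)
    return profile_uuid, {"EAPClientConfiguration": config,
                          "UniqueIdentifier": profile_uuid,
                          "UserDefinedName": ssid,
                          "Wireless Network": ssid}

def interface_settings(ssid, methods=("PEAP", "TTLS"), trusted_server_names=()):
    """The Network:Interface:en1 subtree the script builds key by key."""
    profile_uuid, entry = login_window_entry(ssid, methods, trusted_server_names)
    preferred = {"SSID_STR": ssid, "SecurityType": "WPA2 Enterprise",
                 "Unique Network ID": str(uuid.uuid4()).upper()}
    return {"Airport": {"JoinMode": "Automatic",
                        "JoinModeFallback": ["Prompt"],
                        "PowerEnabled": True,
                        "PreferredNetworks": [preferred],
                        "RememberRecentNetworks": True},
            "EAPOL.LoginWindow": {profile_uuid: entry}}

def merge_into_prefs(prefs, ssid, **kwargs):
    """Attach the en1 subtree to the active location of a loaded prefs dict."""
    location = prefs.setdefault("Sets", {}).setdefault(current_set_uuid(prefs), {})
    interfaces = location.setdefault("Network", {}).setdefault("Interface", {})
    interfaces["en1"] = interface_settings(ssid, **kwargs)
    return prefs

def lint_login_window(prefs):
    """Catch the slips PlistBuddy will not: dict key != UniqueIdentifier, the
    same EAP type added twice, EAP-MD5 accepted, no server name pinned."""
    problems = []
    for location in prefs.get("Sets", {}).values():
        en1 = location.get("Network", {}).get("Interface", {}).get("en1", {})
        for key, entry in en1.get("EAPOL.LoginWindow", {}).items():
            cfg = entry.get("EAPClientConfiguration", {})
            types = cfg.get("AcceptEAPTypes", [])
            if entry.get("UniqueIdentifier") != key:
                problems.append("%s: key differs from UniqueIdentifier" % key)
            if len(set(types)) != len(types):
                problems.append("%s: duplicate AcceptEAPTypes entries" % key)
            if WEAK_EAP_TYPES & set(types):
                problems.append("%s: EAP-MD5 accepted" % key)
            if not cfg.get("TLSTrustedServerNames"):
                problems.append("%s: no TLSTrustedServerNames pinned" % key)
    return problems

def to_plist(prefs):
    """XML plist bytes; plistlib.loads() reads them back unchanged."""
    return plistlib.dumps(prefs)

if __name__ == "__main__":
    prefs = merge_into_prefs(sample_prefs(), "yourwifissid",
                             trusted_server_names=["radius.example.org"])
    print(to_plist(prefs).decode())
    print("lint:", lint_login_window(prefs) or "clean")
```

Run as a script it prints the XML plist for the constructed sample and a clean lint; on a real machine, load the live preferences.plist with plistlib, merge, lint, and only then hand the writes to PlistBuddy or write a copy for inspection, so a duplicated EAP type or a mismatched profile UUID is caught before configd ever sees it.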