802.1x wired authentication on Mac

kiddling
New Contributor

We are doing 802.1x in our network. On Windows it is working fine, but on Mac it is not working while trying to log in, so I suppose the machine authentication isn't happening. So I tried to make a system profile from the user profile that I made through IPCU, with network and certificate as payloads in the same profile. I can't understand where I am going wrong. Kindly help me out as soon as possible. Below I am pasting my profile config:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>AutoJoin</key>
            <true/>
            <key>EAPClientConfiguration</key>
            <dict>
                <key>AcceptEAPTypes</key>
                <array>
                    <integer>21</integer>
                    <integer>25</integer>
                </array>
                <key>EAPFASTProvisionPAC</key>
                <false/>
                <key>EAPFASTProvisionPACAnonymously</key>
                <false/>
                <key>EAPFASTUsePAC</key>
                <false/>
                <key>PayloadCertificateAnchorUUID</key>
                <array>
                    <string>1CBE9C47-E5A5-4BAF-B09C-BFC107C4ADBF</string>
                </array>
                <key>TTLSInnerAuthentication</key>
                <string>MSCHAPv2</string>
            </dict>
            <key>EncryptionType</key>
            <string>WPA</string>
            <key>HIDDEN_NETWORK</key>
            <false/>
            <key>PayloadDescription</key>
            <string>Configures wireless connectivity settings.</string>
            <key>PayloadDisplayName</key>
            <string>Wi-Fi (Dot1x)</string>
            <key>PayloadIdentifier</key>
            <string>com.qma.profile.wifi</string>
            <key>PayloadOrganization</key>
            <string>qatar musuem authority</string>
            <key>PayloadType</key>
            <string>com.apple.wifi.managed</string>
            <key>PayloadUUID</key>
            <string>1A6C83F9-7990-414C-BA75-5F16975AECA1</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>ProxyType</key>
            <string>None</string>
            <key>SetupModes</key>
            <array>
                <string>System</string>
            </array>
            <key>SSID_STR</key>
            <string>Dot1x</string>
        </dict>
        <dict>
            <key>PayloadCertificateFileName</key>
            <string>juniperuac-pri.qma.com.qa.crt</string>
            <key>PayloadContent</key>
            <data>
            LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNhRENDQWRF
            Q0NGS2Zyako2RVdMRU1BMEdDU3FHU0liM0RRRUJCUVVBTUhreEN6
            QUpCZ05WQkFZVEFqOC8KTVFzd0NRWURWUVFJRXdJL1B6RUxNQWtH
            QTFVRUJ4TUNQejh4RERBS0JnTlZCQW9UQTFGTlFURUxNQWtHQTFV
            RQpDeE1DUHo4eElqQWdCZ05WQkFNVEdXcDFibWx3WlhKMVlXTXRj
            SEpwTG5GdFlTNWpiMjB1Y1dFeEVUQVBCZ2txCmhraUc5dzBCQ1FF
            V0FqOC9NQjRYRFRFME1EVXhNekV6TVRFMU5Wb1hEVEU1TVRFd016
            RXpNVEUxTlZvd2VURUwKTUFrR0ExVUVCaE1DUHo4eEN6QUpCZ05W
            QkFnVEFqOC9NUXN3Q1FZRFZRUUhFd0kvUHpFTU1Bb0dBMVVFQ2hN
            RApVVTFCTVFzd0NRWURWUVFMRXdJL1B6RWlNQ0FHQTFVRUF4TVph
            blZ1YVhCbGNuVmhZeTF3Y21rdWNXMWhMbU52CmJTNXhZVEVSTUE4
            R0NTcUdTSWIzRFFFSkFSWUNQejh3Z1o4d0RRWUpLb1pJaHZjTkFR
            RUJCUUFEZ1kwQU1JR0oKQW9HQkFNU3**9HSFRZTmZYVmtEYmlz
            NWFTODYvVVNJNHNtR1pueUlhL0ZYbHVqUFZ2cVJQOU9hT3ZOUGZa
            WApVQ0dYalZLcTZuM0FWZnlHYmVLTDA3eFlsbkJFR1BtM0F0MUps
            S2VLNlN5Q1lvMXRJTk4wT2ltc0dTNS9PTmx5Ck9mWk9sSUVkMk9w
            WGJ2NGdUeVlFVGNQYWxnekR2V2lrUzc0YkNtc1U1cnp6c2FPSEFn
            TUJBQUV3RFFZSktvWkkKaHZjTkFRRUZCUUFEZ1lFQW5JcHVCUlJs
            aE1Bek9jRG1KVmFPMlZPTi9nbnpmSG1wWXdiNk1VQ0dVT1o3QVpi
            SgpCRmFONTJpSmV5V2tnVzl4blNrNkZJRHZjUWJURkVvalV4azRv
            LzFjak9LeFFzNExUVWtleS9IZTg2VndLcTZTCmV2MnV4UE9yRVpH
            ajBZMzMwOENQM2dIRy9XM3FTQW9nN2VBUHluNnhMUnhFQUl2Y1FF
            K3BZSVV4NXRzPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
            </data>
            <key>PayloadDescription</key>
            <string>Provides device authentication (certificate or identity).</string>
            <key>PayloadDisplayName</key>
            <string>juniperuac-pri.qma.com.qa</string>
            <key>PayloadIdentifier</key>
            <string>com.qma.profile.credential</string>
            <key>PayloadOrganization</key>
            <string>qatar musuem authority</string>
            <key>PayloadScope</key>
            <string>System</string>
            <key>PayloadType</key>
            <string>com.apple.security.root</string>
            <key>PayloadUUID</key>
            <string>1CBE9C47-E5A5-4BAF-B09C-BFC107C4ADBF</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Profile description.</string>
    <key>PayloadDisplayName</key>
    <string>QMA</string>
    <key>PayloadIdentifier</key>
    <string>com.qma.profile</string>
    <key>PayloadOrganization</key>
    <string>qatar musuem authority</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>BB69600C-540F-4C90-B04E-582E622D06FC</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

This is the configuration. I have read through the existing forums and have made the highlighted changes to the user profile, but still, while logging in, it shows "NO NETWORK" and doesn't work as it used to in version 10.6.8. Please kindly help me out as soon as possible.


alexjdale
Valued Contributor III

Probably need this in there, mine is after the "HIDDEN_NETWORK" entry:

<key>Interface</key> <string>FirstActiveEthernet</string>

It needs to bind the configuration to a NIC or else it will not automatically authenticate.

Like this:

<key>HIDDEN_NETWORK</key>
<false/>
<key>Interface</key>
<string>FirstActiveEthernet</string>
<key>PayloadDescription</key>
<string>Configures wireless connectivity settings.</string>

Does the profile install correctly, and authenticate correctly when you manually click the "Connect" button in Network Preferences' 802.1x section for your Ethernet? If so, you just need to get the system to automatically connect on startup.

kiddling
New Contributor

Thanks a lot for your reply!

Here's what I gave after looking into your answer for another post.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>AuthenticationMethod</key>
            <string>directory</string>
            <key>AutoJoin</key>
            <true/>
            <key>EAPClientConfiguration</key>
            <dict>
                <key>AcceptEAPTypes</key>
                <array>
                    <integer>21</integer>
                    <integer>25</integer>
                </array>
                <key>OneTimeUserPassword</key>
                <false/>
                <key>SystemModeCredentialsSource</key>
                <string>ActiveDirectory</string>
                <key>EAPFASTProvisionPAC</key>
                <false/>
                <key>EAPFASTProvisionPACAnonymously</key>
                <false/>
                <key>EAPFASTUsePAC</key>
                <false/>
                <key>TTLSInnerAuthentication</key>
                <string>MSCHAPv2</string>
                <key>UserName</key>
                <string></string>
                <key>UserPassword</key>
                <string></string>
            </dict>
            <key>EncryptionType</key>
            <string>Any</string>
            <key>HIDDEN_NETWORK</key>
            <false/>
            <key>Interface</key>
            <string>FirstActiveEthernet</string>
            <key>PayloadDescription</key>
            <string>Configures wireless connectivity settings.</string>
            <key>PayloadDisplayName</key>
            <string>Wi-Fi (test)</string>
            <key>PayloadEnabled</key>
            <true/>
            <key>PayloadIdentifier</key>
            <string>com.test.profile.wifi</string>
            <key>PayloadOrganization</key>
            <string></string>
            <key>PayloadType</key>
            <string>com.apple.firstactiveethernet.managed</string>
            <key>PayloadUUID</key>
            <string>4707BCF9-6233-4E0A-BB3E-2EF46E702CA9</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>ProxyType</key>
            <string>None</string>
            <key>SetupModes</key>
            <array>
                <string>System</string>
            </array>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Wired 802.1x Profile</string>
    <key>PayloadDisplayName</key>
    <string>Wired 802.1x</string>
    <key>PayloadIdentifier</key>
    <string>com.test.profile</string>
    <key>PayloadOrganization</key>
    <string></string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>7A34EB66-B956-43FC-B3C7-8CF7B87FF9CA</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

Here's what I have given. When I click on the connect button, authentication happens successfully, but when I log off and try logging in as a domain user, it shows the red button and says 'no network connectivity'. I don't understand what's wrong! I am new to Mac. We do 802.1x on Windows; it works fine with its native supplicant, but I don't understand what's different on Mac. What has to be done for machine authentication to happen on Mac? Please do help me out! I have been in this situation for quite a long time. Is it because I am editing the mobileconfig file, or do I need to have a Lion server and use the Profile Manager?

kiddling
New Contributor

@alexjdale Is there any other way to make a profile other than the OS X Server Profile Manager? In 10.6 it works fine when I choose the system profile.

kiddling
New Contributor

@alexjdale Any insight on this?

erik_emf
New Contributor II

Did anyone get this working? I need this to work on our ISE networked system.

Swift
New Contributor II

Does anything in this post help?
https://jamfnation.jamfsoftware.com/discussion.html?id=3387

Kaltsas
Contributor III

JAMF's wired profiles are broken. There are multiple defects.

In the case of PEAP configuration the computer credentials are not sent.
In the case of TLS configuration the profile does not select the correct certificate for the identity credential.

You will have to hand craft a profile or spin up a Profile Manager instance to generate a working profile. You will then need to sign the profile before uploading to Casper, or else the JSS will mangle it.

There is also a bug in Apple's framework where the profile ONLY applies to the first ethernet port detected. This is not an issue on the few Macs that have built-in ethernet, but it is a huge problem on devices that require a dongle. I have a ticket open with Apple but there is little movement on it. I have been asserting to them that the profile should apply to ANY ethernet port, not the first one ever detected.

Additionally there are some peculiar default Radius settings in ISE that will reject supplicants from authenticating. These settings affect multiple devices but the issues were more prevalent in the Macintosh population.

If possible look me up on Slack and I will try to assist. I have 802.1x wired authentication working in an ISE environment, well working as much as can be expected with the bugs and caveats listed. It took a couple months to get into a working state.

erik_emf
New Contributor II

Hi Kaltsas,

I am struggling to get our ISE to work with Macs; not sure if you could help?

AVmcclint
Honored Contributor

The strange thing is that it USED to work just fine. Unfortunately you have to go back to somewhere around JSS 9.3(?) to create a working Config Policy that works with Wifi and Ethernet. The biggest drawback is that 9.3(?) doesn't give you the option to check the box to "Allow all applications to access the certificate" because that option didn't exist. I'm still using a Config Profile created back then. I've tried creating a new one under JSS 9.8 and it fails to work with Ethernet.

Kaltsas
Contributor III

My contacts at JAMF tell me the current defects have been in since 9.63. You will have to hand craft a profile or spin up a Profile Manager instance to generate a working profile. This needs to be signed so it is uploaded to the JSS as read-only.

Additionally there is a nasty bug on the Apple side that prevents the ethernet profile from applying to anything but the first active ethernet port. This is giving me a whole lot of heartburn when it comes to imaging devices that do not have a built-in ethernet port. I have a case open with Apple but it has not seen any movement for months. It's with the "product engineers". I expect the priority is quite low given the low number of systems that probably have a wired 802.1x device credential requirement. If anyone is doing wired 802.1x and would be willing to replicate and report this bug to Apple to give it more traction, I would be immensely grateful.

@erik_emf Can you give me more specifics about the requirements in your environment? What is the identity credential? User credentials? computer credentials with PEAP? TLS Certificates?

There are some ISE defaults that can cause some real pain even after getting the profiles to work.

If you had an opportunity to pop on the macadmins Slack, I could work with you in real time on this, time permitting.

perrycj
Contributor III

@Kaltsas Any luck with getting on a 9.92 JSS and seeing if the couple bugs JAMF squashed with regards to 802.1x/ethernet/EAP-TLS have helped you at all?

We also use ISE but the issue we are facing, even after getting a QA JSS on 9.92, is that our 802.1x ethernet profile using EAP-TLS doesn't select the appropriate certificate to authenticate. It instead prompts the user to select the correct certificate. If that correct certificate is selected, the user then authenticates fine via EAP-TLS on ethernet and gets on the network. However, it should connect automatically without user interaction.

Apple tells me it's because system mode isn't defined in the XML of the configuration profile. They also told me that with server 5 and up, when you make an ethernet payload in profile manager, it automatically puts in system mode. I don't see that happening though. Before ever adding it to the JSS, I inspected the XML and that system mode key is not there.

Kaltsas
Contributor III

I have updated to 9.92 but I have not tested the built in profiles. My uploaded/signed profile is working and in production so there is little value in moving to the built in profile at this point.

Profile Manager by default only creates user profiles; you have to create a device group for system mode profiles, you must have working DNS, and the server's hostname must match its FQDN.

The issue you are describing sounds like a bug I have logged with Apple where a system mode 802.1x profile does not always apply to the client on subsequent ethernet adapters beyond the ethernet adapter connected when the profile is installed. When using a TLS certificate the user can still select a certificate as an identity credential. But you are saying you experience this behavior all the time? When the profile is installed does it say it is a Device Profile in the Profiles System Preferences pane?

When using the JSS built-in profile, you are saying that when configuring Level > Computer Level (with "Use as a Login Window configuration" unchecked) the following key and value are not present if you download and inspect the profile XML?

<key>PayloadScope</key>
<string>System</string>

perrycj
Contributor III

@Kaltsas That's correct, that key is not there if you make a profile in the JSS from scratch for ethernet 802.1x. I was able to find an older profile for EAP-FAST ethernet with 802.1x from profile manager on Server 4 and as long as I sign it first, upload it to a 9.92 JSS, it works.

However, we are trying to implement EAP-TLS and for some reason in the current profile manager when I generate and download a configuration profile for ethernet, the system mode key is not present. I'm working with Apple though on that and hopefully they can provide some clarity to get it working.

perrycj
Contributor III

@Kaltsas Just in an effort to keep this thread updated: in my discussions with JAMF, they have filed one product defect and another is on the way. These defects revolve around missing keys in the XML for ethernet configuration profiles. One is the key you mentioned above and the other is

<key>SetupModes</key>
<array>
<string>System</string>
</array>

It seems even after the 9.92 release, 802.1x ethernet profiles cannot be made from scratch with the JSS and be in system mode. They will always be in user mode. This does not seem to apply to wireless profiles, although I haven't fully tested that since our Wireless 802.1x profiles using EAP-TLS have been working 100% for quite some time now.

If the profiles are first made in Profile Manager, signed and then uploaded to the JSS, they will work as expected, and this aligns with what you mentioned in your earlier reply. JAMF also states you can make it first in the JSS, download it, add the missing keys to the XML, sign it and upload it back to the JSS, but that's a little much when you can just make it in Profile Manager to begin with.
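The three keys this thread keeps coming back to (alexjdale's `Interface` / `FirstActiveEthernet` binding, Kaltsas's top-level `PayloadScope` of `System`, and the `SetupModes` array above) are easy to check for before a profile is signed and uploaded. The following is an added example written for this thread, not code from Jamf, Apple or anyone in the discussion: it parses a .mobileconfig with Ruby's bundled REXML and reports which of those keys an Ethernet payload is missing. The sample profile it ships with is constructed here (placeholder UUIDs, EAP type 13 for EAP-TLS) and deliberately lacks `SetupModes`, which is the shape perrycj describes the JSS producing.

```ruby
#!/usr/bin/env ruby
# Added example (not from the thread, not Jamf's or Apple's code): report the
# system-mode keys missing from an Ethernet 802.1X payload in a .mobileconfig.
require 'rexml/document'

# Ethernet payload types named in this thread.
ETHERNET_PAYLOAD_TYPES = %w[com.apple.firstactiveethernet.managed
                            com.apple.globalethernet.managed].freeze

# Convert a plist element (dict/array/string/integer/true/false/data) into
# plain Ruby objects. Inside a <dict>, <key> elements alternate with values.
def plist_node_to_ruby(node)
  case node.name
  when 'dict'
    node.elements.to_a.each_slice(2).each_with_object({}) do |(k, v), h|
      h[k.text.to_s.strip] = plist_node_to_ruby(v)
    end
  when 'array'   then node.elements.to_a.map { |e| plist_node_to_ruby(e) }
  when 'integer' then node.text.to_i
  when 'true'    then true
  when 'false'   then false
  when 'data'    then node.text.to_s.gsub(/\s+/, '') # base64; whitespace is insignificant
  else node.text.to_s                                  # string, date, real
  end
end

def parse_mobileconfig(xml)
  doc = REXML::Document.new(xml)
  plist_node_to_ruby(doc.root.elements.to_a.first) # the top-level <dict>
end

# Problems with one Ethernet payload; an empty array means it carries the
# keys the thread identifies as needed for system-mode (machine) auth.
def check_ethernet_payload(payload)
  problems = []
  if payload['PayloadType'] == 'com.apple.firstactiveethernet.managed' &&
     payload['Interface'] != 'FirstActiveEthernet'
    problems << 'Interface key missing or not FirstActiveEthernet'
  end
  modes = payload['SetupModes']
  unless modes.is_a?(Array) && modes.include?('System')
    problems << 'SetupModes missing or does not include System'
  end
  eap = payload['EAPClientConfiguration']
  unless eap.is_a?(Hash) && eap['AcceptEAPTypes'].is_a?(Array) && !eap['AcceptEAPTypes'].empty?
    problems << 'EAPClientConfiguration.AcceptEAPTypes missing or empty'
  end
  problems
end

# Check a whole profile: top-level scope plus every Ethernet payload in it.
def check_profile(xml)
  profile = parse_mobileconfig(xml)
  problems = []
  problems << 'top-level PayloadScope is not System' unless profile['PayloadScope'] == 'System'
  payloads = profile['PayloadContent'].is_a?(Array) ? profile['PayloadContent'] : []
  eth = payloads.select { |p| ETHERNET_PAYLOAD_TYPES.include?(p['PayloadType']) }
  problems << 'no Ethernet payload found' if eth.empty?
  eth.each { |p| problems.concat(check_ethernet_payload(p)) }
  problems
end

# Constructed sample (placeholder UUIDs). With with_setup_modes=false it is
# the shape described above: Interface and PayloadScope present, SetupModes absent.
def sample_profile(with_setup_modes)
  setup_modes = with_setup_modes ? '<key>SetupModes</key><array><string>System</string></array>' : ''
  <<~XML
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
      <key>PayloadContent</key>
      <array>
        <dict>
          <key>AutoJoin</key><true/>
          <key>EAPClientConfiguration</key>
          <dict><key>AcceptEAPTypes</key><array><integer>13</integer></array></dict>
          <key>Interface</key><string>FirstActiveEthernet</string>
          <key>PayloadType</key><string>com.apple.firstactiveethernet.managed</string>
          <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
          <key>PayloadVersion</key><integer>1</integer>
          #{setup_modes}
        </dict>
      </array>
      <key>PayloadScope</key><string>System</string>
      <key>PayloadType</key><string>Configuration</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
    </dict>
    </plist>
  XML
end

if __FILE__ == $0
  # Pass a .mobileconfig path to check a real profile; otherwise check the sample.
  xml = ARGV[0] ? File.read(ARGV[0]) : sample_profile(false)
  problems = check_profile(xml)
  puts(problems.empty? ? 'OK: system-mode Ethernet payload looks complete' : problems.map { |p| "MISSING: #{p}" })
end
```

Run it against a profile downloaded from the JSS or Profile Manager before signing: `ruby check_profile.rb wired.mobileconfig`. It only inspects the XML, so it runs on any machine with Ruby, and a clean report still says nothing about whether the RADIUS side accepts the credential; it just catches the key omissions that this thread traces to user-mode behaviour.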

m6jamf
New Contributor II

Hi all,

Would it make sense to open another ticket with JAMF about this? Is there an update as to when the fix will be incorporated in an upcoming JSS release?

Kaltsas
Contributor III

If the issue is affecting your organization you should open a ticket and get associated with the defect. As is, if you need a system mode 802.1x wired ethernet profile you will need to make it in profile manager, sign it, and upload it. Or do some hand crafting, sign it, and upload it.

I recently received word from Apple that my primary issue (system mode 802.1x wired profile not applying to all ethernet interfaces) finally has the ear of someone high up in product engineering. I have been performing a number of testing permutations at the request of Apple and I finally have some hope the issue will be addressed in 10.12.

perrycj
Contributor III

@Kaltsas That's great news. After we solved this, we are now experiencing your bug and it's very annoying. Have you tested it in any of the beta builds of 10.12 yet?

Kaltsas
Contributor III

It is still present in the latest seed of 10.12 but I spoke to an engineer yesterday that assured me this issue finally has high priority in product engineering and to expect a seed with a proposed fix to test soon.

m6jamf
New Contributor II

I am surprised this is not big. Is wired 802.1x really that much underdeployed? I am hitting the same issue you reported @Kaltsas, as most of our company's Macbooks use a dongle for wired service. Would

<string>com.apple.firstactiveethernet.managed</string>

and

<string>FirstActiveEthernet</string>

need to be replaced in the Profile created by the Profile Service in cases where Ethernet is provided via Thunderbolt?

Kaltsas
Contributor III

There are several values in Apple's dictionary but Apple told me FirstActiveEthernet is the only one you should use. I think most organizations are doing user authentication not device authentication, at least many of the ones I have talked to.

At any rate I hope to hear back from my engineer contact soon with a 10.12 seed that will finally fix this issue (I have had a case open for close to a year now).

perrycj
Contributor III

@Kaltsas Wanted to update this thread. So, working with Apple Enterprise Support, they gave me a Ruby script and LaunchDaemon, and it seems to have done the trick. The only requirement was to make sure you have the primary (or first) ethernet connection as the active connection when it is run. So if you use Thunderbolt-to-Ethernet adapters as the first ethernet connection, make sure you're using that when running it. Here is the script:

#!/usr/bin/env ruby

require 'cfpropertylist'
require 'shellwords'
require 'syslog'
require 'tmpdir'

PreferencesPlist = '/Library/Preferences/SystemConfiguration/preferences.plist'
#PreferencesPlist = '/tmp/preferences.plist'

# setup logging: defines log_emerg ... log_debug, each writing to syslog
# (and to stderr when run from a terminal)
Syslog.open unless Syslog.opened?
%w{ emerg alert crit err warning notice info debug }.each_with_index { |level, i|
  eval <<-EOF
    def log_#{level}(*args)
      fmt = args[0]
      fmtargs = args[1..-1]
      if fmtargs.empty?
        # no format arguments: escape literal % so printf/syslog do not treat it as a directive
        fmt = fmt.gsub("%", "%%")
      end
      if $stderr.isatty
        $stderr.printf(fmt.chomp + "\\n", *fmtargs)
      end
      Syslog.log(#{i}, *[fmt, *fmtargs])
    end
  EOF
}

def load_plist data
  CFPropertyList.native_types(CFPropertyList::List.new(:data => data).value)
end

# preferences.plist as a Ruby object
def preferences_plist
  load_plist(File.read(PreferencesPlist))
end

# get the interface dictionary from current set
#
# returns an object like this:
=begin
[{"en0"=>
   {"EAPOL"=>
     {"LoginWindowProfileIDs"=>["C0828805-BB75-490A-A08E-EEEAF54F6FD0"],
      "SystemProfileID"=>"C0828805-BB75-490A-A08E-EEEAF54F6FD0"}},
  "en1"=>
   {"AirPort"=>
     {"JoinModeFallback"=>["DoNothing"],
      "PowerEnabled"=>false,
      "RememberJoinedNetworks"=>true,
      "Version"=>2200}}},
 ":Sets:485376D2-8C83-48B2-9CDE-4A5EB4C3BED3:Network:Interface"]
=end
def get_interface_and_path prefs
  path = ['', 'Sets']
  curset = prefs['CurrentSet'].split('/').last
  path << curset
  path += ['Network', 'Interface']
  [prefs['Sets'][curset]['Network']['Interface'], path.join(':')]
end

# return array of device names for ethernet interfaces
def ethernet_interfaces prefs
  prefs['NetworkServices'].select { |uuid, data|
    begin
      data['Interface']['Hardware'] == 'Ethernet' and
      data['Interface']['DeviceName'] =~ /^en[0-9]+$/
    rescue
      nil
    end
  }.map { |uuid, data|
    data['Interface']['DeviceName']
  }
end

# return array of device names for active ethernet interfaces
def active_ethernet_interfaces prefs
  ethernet_interfaces(prefs).select { |if_name|
    ifconfig_output = `/sbin/ifconfig #{if_name} 2>/dev/null`
    ifconfig_output =~ /status: active/m
  }
end

def main *argv
  prefs = preferences_plist
  if_data, if_path = get_interface_and_path prefs
  eth_ifs = ethernet_interfaces prefs
  active_eth_ifs = active_ethernet_interfaces prefs

  log_debug("interface: #{if_data.inspect}")

  # find interfaces with an EAPOL configuration
  first_eapol_cfg = nil
  eapol_cfgs = {}
  eth_ifs.each { |if_name|
    if if_data[if_name]
      if if_data[if_name]['EAPOL']
        first_eapol_cfg = if_data[if_name]['EAPOL'] unless first_eapol_cfg
        eapol_cfgs[if_name] = if_data[if_name]['EAPOL']
      end
    end
  }

  # are there zero interfaces with an EAPOL configuration?
  if eapol_cfgs.empty?
    # YES: You probably have not installed a network profile.
    log_notice("no ethernet interfaces with EAPOL configuration")
    return 0
  end

  # build list of active interfaces without EAPOL configurations
  active_ifs_without_eapol = active_eth_ifs - eapol_cfgs.keys
  log_debug("active ethernet interfaces: #{active_eth_ifs.inspect}")
  log_debug("ethernet interfaces with EAPOL: #{eapol_cfgs.keys.inspect}")
  log_debug("active interfaces without EAPOL: #{active_ifs_without_eapol.inspect}")

  # is there an active interface without an EAPOL configuration?
  if not active_ifs_without_eapol.empty?
    log_notice("active ethernet interfaces without EAPOL: #{active_ifs_without_eapol.inspect}")

    # YES: at least one active interface doesn't have EAPOL configuration
    Dir.mktmpdir { |td|

      # write a temporary plist with the EAPOL configuration
      pl_path = File.join(td, 'eapol.plist')
      File.open(pl_path, 'w') { |f| f.write first_eapol_cfg.to_plist }

      # we'll do everything with a single PlistBuddy command
      plbcmds = []

      # for each active interface without EAPOL config, add EAPOL config
      active_ifs_without_eapol.each { |if_name|

        this_if_path = if_path + ":#{if_name}"
        this_if_eapol_path = if_path + ":#{if_name}:EAPOL"

        # create the interface dictionary if it doesn't exist
        unless if_data[if_name]
          plbcmds << Shellwords.shelljoin(['Add', this_if_path, 'dict'])
          plbcmds << Shellwords.shelljoin(['Add', this_if_eapol_path, 'dict'])
        else
        # if the interface dictionary exists, but EAPOL dict doesn't, create it
          if not if_data[if_name]['EAPOL']
            plbcmds << Shellwords.shelljoin(['Add', this_if_eapol_path, 'dict'])
          end
        end

        # merge interface's EAPOL dictionary with temp file
        plbcmds << Shellwords.shelljoin(['Merge', pl_path, this_if_eapol_path])
      }

      # finish the PlistBuddy interactive commands
      plbcmds << "Save"
      plbcmds << "Exit"
      log_debug("PlistBuddy interactive commands:\n#{plbcmds.join("\n")}")

      # run PlistBuddy, feeding it the commands on stdin and capturing its output
      plbcmd = Shellwords.shelljoin(['/usr/libexec/PlistBuddy', PreferencesPlist])
      plbcmd << " 2>&1"
      log_debug("PlistBuddy command: #{plbcmd}")
      log_notice("updating preferences...")
      plbout = IO.popen(plbcmd, 'r+') { |io|
        io.puts plbcmds.join("\n")
        io.close_write
        io.read
      }
      log_debug("$?: #{$?.inspect}")
      if $?.exitstatus == 0
        log_notice("updated preferences successfully")
        system "killall configd" # restart configd so it re-reads preferences.plist
      else
        log_notice("updating preferences failed:\n#{plbout}")
      end
      return $?.exitstatus
    }

  else

    # NO: each active interface has EAPOL config, so do nothing
    log_notice("zero active ethernet interfaces without EAPOL")
    return 0

  end

end

if __FILE__ == $0
  rv = main(*ARGV)
  # Integer covers what older Rubies called Fixnum
  exit rv.is_a?(Integer) ? rv : 1
end

And here is their LaunchDaemon:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Disabled</key>
    <true/>
    <key>Label</key>
    <string>com.apple.AppleCare.update-ethernet-eapol</string>
    <key>LaunchOnlyOnce</key>
    <true/>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/libexec/update_ethernet_eapol.rb</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>

Which is basically just telling the Ruby script to run upon login. What worked for me was:

  • Deploying the script and loading the LaunchDaemon with the first ethernet connection enabled and connected.
  • Reboot.
  • Log back in, connect the 2nd ethernet connection (in our case a Targus dock with its own ethernet port).
  • It should now connect automatically, just like the first ethernet connection. The 802.1x profile should now stay in system mode and not revert to User mode.
  • If that didn't work, reboot one more time (although I don't think a 2nd reboot will be needed).

The script itself doesn't need any modifying, but maybe the LaunchDaemon does if you want a different location. Hopefully this helps you out, and hopefully this is solved on its own in 10.12, as Apple has stated to you so far.

Kaltsas
Contributor III

Appreciate the response. I have that script and process (have had it since November) but my experience with it has been inconsistent. Periodically a client with the 2nd ethernet connection will prompt the user to select a configuration (one of which is the profile), then when they select the profile, User Mode.

Also not sure if you should share it here, I don't know if there is any Copyright/IP issues that Apple would not want it distributed outside of their enterprise support customers.

perrycj
Contributor III

@Kaltsas No problem. I figured you might since you've been working with them extensively but wanted to share anyway.

Sad to hear it's been inconsistent. Nothing was branded as Apple confidential to me or in the script, so I'm sure it's fine. If I hear anything else, I'll let you know.

jayd_ch
New Contributor

@Kaltsas @perrycj

The script worked for me, but I found an easier way. If you get the login window for 802.1x (for me that's the User Mode), just install your profile again manually (do not delete the existing profile) and reconnect the cable; it should now stay in System Mode.

That worked for me.

TreviñoL
Contributor

We had to create a new SCEP template (UPN added) on the Windows CA (2008) and place the Mac workstation in a new OU in AD (2008) to get it working as expected. In fact we got the Macs working with 802.1x before the Windows machines.

perrycj
Contributor III

@jayd.ch So we are using machine based authentication and therefore cannot use the login window for authentication.

The profiles are defined as system mode (made in profile manager and then signed before uploading to the JSS) and should connect automatically using EAP-FAST or EAP-TLS or even another method. And they do, as long as they are made in profile manager and signed before uploading.

However, the other issue (confirmed by Apple) is that the profile, in system mode, currently only applies to the first ethernet connection that the Mac connects with. Be it a Thunderbolt-to-Ethernet adapter or a dock connection, when a 2nd or 3rd connection is attempted, the profile then goes back to User mode and prompts for credentials instead of automatically connecting, even though the profile is still defined as system mode and has the system mode keys.

That's what we were referring to above.

According to Apple, it will be (most likely) fixed in 10.12.

Kaltsas
Contributor III

I wouldn't say they've said it will be fixed; I've been told it has the ear of product engineering (finally). There were AD bugs in 10.10 that had the ear of product engineering that didn't get fixed until several minor releases later. I am glad to see recent movement on this, having had my case open with Apple for almost a year.

Kaltsas
Contributor III

@perrycj So I think I figured out my problem, and have just spoken with the support engineer to confirm. The supplied script appears to work fine with Thunderbolt devices but does not resolve the System Mode/User Mode issue with USB-to-Ethernet adapters. I'm glad I have figured out the reason for the flaky behavior I was experiencing. Thankfully I'm one of the only ones that has a USB-to-Ethernet adapter; usually we recommend the TB one (for obvious speed reasons).

I did make sure to ask about time frame for resolution with product engineering and it was indicated that there is currently no ETA for a permanent fix.

perrycj
Contributor III

@Kaltsas That's great to hear. In my testing so far, it has been with the Thunderbolt-to-Ethernet adapters being the first ethernet connection and a Targus dock via USB cable being the 2nd. So far, in limited testing I'll admit, it has been consistent and fixed the issue.

Apple Enterprise Support also told me the same thing although the support engineer asked me specifically for the number of affected Macs. I let him know it was in the 1000s and he assured me he would be in product engineering's ear.

francksartori
New Contributor III

Hi.
Do you guys have any recent information about this issue?
I've done some testing today with macOS 10.12.4.
I may restore a Mac with an Apple Thunderbolt to Ethernet adapter or with a DELL USB 3.0 D3100 Dock.
So the first active Ethernet connection of the restored Mac may be the Apple adapter or the DELL dock...
What I tested today is that my NAC profile (EAP-TLS) is OK for the two situations... but the idea is that a Mac restored with one adapter should authenticate the same way with the other adapter. Actually I have a script that regularly detects new network hardware and configures the proxy settings on it. Now I will see tomorrow whether macOS is now able to apply my NAC settings to any first Ethernet connection, whatever it is.
Best regards.

macgecko2
New Contributor

In 10.13.x it looks like com.apple.globalethernet.managed could be used. Has anyone done this successfully?

francksartori
New Contributor III

Hi.
Yes. I'm actually using it in the context of a Profile Manager used to manually generate a network configuration profile.
The profile contains a Wi-Fi payload and an Ethernet payload applied to "all" Ethernet interfaces.
The 802.1X connection shifts automatically to the active Ethernet interface.
That was a long wait!
Best regards.

kuoirad
New Contributor

I'm presuming this is for 10.13 only? I'm seeing this problem (I suspect) on machines I have with 10.12. We haven't upgraded yet. I have a profile that works for wired ethernet, but I'm seeing problems with a few machines that have a Thunderbolt dock in addition to a Dell USB-C dongle we've provided them.

francksartori
New Contributor III

Yes, it is for macOS 10.13.

mikedina
New Contributor

By creating a custom profile where we limited the TLS version to 1.0, we were able to resolve this. Apparently, Apple has disabled SHA-1 ciphers in High Sierra. More info in the link.

https://communities.cisco.com/message/279311#279311

ammonsc
Contributor II

Does anyone know if there is a way to script a disconnect/pause/reconnect of the 802.1x authentication?

10.13 Macs are not connecting on the first try and then do not appear to respond to the ISE server. If I disconnect and reconnect, then it works as planned. If I could script that to happen when an ethernet connection is detected, that would work.

ewinterbourne
New Contributor III

@ammonsc I'm looking at this also at the moment. My issue is that when you start a FileVaulted Mac up with the ethernet cable connected, the switch begins the 802.1x negotiation. From what I understand, in our environment this window is open for 30 seconds before it moves over to web authentication/wired MAB policies. By the time macOS has fully booted up, this 30-second window is over and the machine authentication doesn't complete. The only way to invoke it is to physically disconnect the network cable and reconnect.

I'm thinking maybe a simple script to do the following at login:

#!/bin/sh
ifconfig en0 down
ifconfig en0 up

Did you manage to find a way to do this?

jeroschwab
New Contributor II

@Kaltsas Did you get any solution for the reconnection of the 802.1x with a USB ethernet adapter?