Posted on 10-27-2022 12:49 PM
Hi all,
Searched all over and couldn't find this.
Looking to create an extension attribute that pulls the "Authenticated via" value for a specific SSID.
The use case is, we currently allow users to connect to the corporate Wi-Fi with username and password, but it gives them a limited network connection; they cannot connect to all services.
That shows up as Authenticated via EAP-PEAP (MSCHAPv2).
We just implemented 802.1X SCEP cert authentication.
That shows up as Authenticated via EAP-TLS.
We plan on deploying the new configuration profile for 802.1X but want to make sure users are connecting with the new profile and not the old one.
Posted on 10-27-2022 01:10 PM
After the profile is pushed, the user gets prompted to select the cert on a network change or reboot.
Then it shows up as EAP-TLS under Authenticated via.
Users that don't already have it set up and connected via username and password don't get prompted for the cert.
Can't delete that profile ahead of time since it might be their only connection.
- minor disruption.
Posted on 10-31-2022 06:20 AM
If your Configuration Profile is set for System instead of User, then the new profile will put the SSID into the system keychain. If your users are manually joining the WiFi, their entries for the SSID are most likely in their login.keychain. I have an Extension Attribute that looks to see if someone manually joined the Corporate WiFi instead of joining via the System Configuration Profile. Replace <SSID> with the name of your Corporate WiFi.
#!/bin/bash
# Replace <SSID> with the name of your corporate Wi-Fi network.
ssid="<SSID>"
# Console user; if nobody is logged in the keychain lookup below simply finds nothing.
loggedInUser=$(stat -f%Su /dev/console)
loggedInUID=$(id -u "$loggedInUser")
# A manually joined EAP network leaves an item in the user's login keychain whose
# "svce" attribute is com.apple.network.eap.user.item.wlan.ssid.<SSID>.
# stderr is silenced so a missing item does not clutter the EA output.
ssidcheck=$(security find-generic-password -l "$ssid" "/Users/$loggedInUser/Library/Keychains/login.keychain-db" 2>/dev/null | grep svce | cut -d '"' -f4)
if [ "$ssidcheck" = "com.apple.network.eap.user.item.wlan.ssid.$ssid" ]; then
    result="SSIDPresent"
else
    result="SSIDNotPresent"
fi
echo "<result>$result</result>"
Posted on 10-31-2022 10:57 AM
Thanks!
I had to change the first two lines to this for it to work for me. A better way to do it, I'm being told.
loggedInUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )
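A fuller version of the check, written for this thread as an added example (it is not the poster's script and not Jamf code): it uses the scutil console-user lookup from the last reply, inspects both the login keychain and the System keychain, and confirms the new 802.1X profile is installed, so the EA can tell "profile pushed but user not yet prompted for the cert" apart from "manual password join still present". The SSID CorpWiFi, the profile identifier com.example.wifi.8021x and the com.apple.network.eap.system.item.wlan.ssid. service prefix for System-scoped profiles are assumptions; the keychain dumps at the bottom are constructed samples so the parsing can be exercised off a Mac.

```shell
#!/bin/bash
# Added example for this thread (not the original poster's EA). Reports whether
# the corporate SSID is present as a manual (login-keychain) entry, as a
# System-keychain entry written by a System-scoped profile, and whether the
# new 802.1X profile is installed. SSID, profile identifier and the
# "system.item" service prefix are assumptions; adjust for your environment.

ssid="CorpWiFi"                        # assumption: your corporate SSID
profile_id="com.example.wifi.8021x"    # assumption: identifier of the new 802.1X profile

# Console user via scutil (the approach suggested in the last reply); prints
# nothing at the login window, so the per-user lookup can be skipped.
console_user() {
    echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ && ! /loginwindow/ { print $3 }'
}

# Classify one `security find-generic-password` dump by its "svce" attribute:
#   user   - manual join, item lives in the login keychain
#   system - written by a System-scoped profile (assumed service prefix)
#   none   - no item for this SSID
eap_item_kind() {
    local dump="$1" svce
    svce=$(printf '%s\n' "$dump" | awk -F'"' '/"svce"/ { print $4; exit }')
    case "$svce" in
        "com.apple.network.eap.user.item.wlan.ssid.${ssid}")   echo "user" ;;
        "com.apple.network.eap.system.item.wlan.ssid.${ssid}") echo "system" ;;
        *)                                                     echo "none" ;;
    esac
}

# Reduce the three observations to one smart-group-friendly value.
ea_result() {
    local profile_installed="$1" user_kind="$2" system_kind="$3"
    if [ "$profile_installed" = "yes" ] && [ "$user_kind" = "user" ]; then
        echo "ProfileInstalled-ManualEntryStillPresent"   # old password join may still win
    elif [ "$profile_installed" = "yes" ] && [ "$system_kind" = "system" ]; then
        echo "ProfileInstalled"
    elif [ "$profile_installed" = "yes" ]; then
        echo "ProfileInstalled-NoKeychainEntryYet"         # pushed, user not yet prompted for the cert
    elif [ "$user_kind" = "user" ]; then
        echo "ManualJoinOnly"
    else
        echo "SSIDNotPresent"
    fi
}

# Constructed sample dumps in the shape `security find-generic-password` prints,
# so the parsing can be exercised without a Mac.
SAMPLE_USER_DUMP='keychain: "/Users/jdoe/Library/Keychains/login.keychain-db"
class: "genp"
attributes:
    0x00000007 <blob>="CorpWiFi"
    "acct"<blob>="jdoe"
    "svce"<blob>="com.apple.network.eap.user.item.wlan.ssid.CorpWiFi"'
SAMPLE_SYSTEM_DUMP='keychain: "/Library/Keychains/System.keychain"
class: "genp"
attributes:
    0x00000007 <blob>="CorpWiFi"
    "svce"<blob>="com.apple.network.eap.system.item.wlan.ssid.CorpWiFi"'

# Live run, macOS only (skipped on hosts without these tools). Run as root, as
# Jamf runs extension attributes, so the System keychain and profiles are readable.
if command -v security >/dev/null 2>&1 && command -v profiles >/dev/null 2>&1; then
    user=$(console_user)
    user_dump=""
    if [ -n "$user" ]; then
        user_dump=$(security find-generic-password -l "$ssid" \
            "/Users/$user/Library/Keychains/login.keychain-db" 2>/dev/null || true)
    fi
    system_dump=$(security find-generic-password -l "$ssid" /Library/Keychains/System.keychain 2>/dev/null || true)
    if profiles -P 2>/dev/null | grep -q "$profile_id"; then
        installed="yes"
    else
        installed="no"
    fi
    echo "<result>$(ea_result "$installed" "$(eap_item_kind "$user_dump")" "$(eap_item_kind "$system_dump")")</result>"
fi
```

The result strings are deliberately categorical so a smart group can key on them; "ProfileInstalled-ManualEntryStillPresent" is the case the original question is about, since the old login-keychain credentials can keep the Mac on the PEAP path until the user is prompted for the certificate.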