Lion 802.1x

xian
New Contributor II

I've been having trouble with 10.7 configuration profiles on the wireless side. The AD-bound Mac is authenticating to a Radius server using EAP-TLS. The request is presented (or interpreted) as coming from a user, rather than a system. What changes do I need to make to either the Radius server or the configuration profile in order for the supplicant to be recognized as a system and not a user?

13 REPLIES 13

jhbush
Valued Contributor II

I use PEAP with a configuration profile that was made in iPCU. I added the loginwindow array manually to grab a kerberos ticket for authentication at login. I use the Profiles command to install it.

morrist
New Contributor

Check out this discussion for a blow by blow account..
https://jamfnation.jamfsoftware.com/discussion.html?id=4046

nanfay
New Contributor III

If what you want is a System Profile that connects to your 802.1X profile at startup, you need to use Lion Server. It cannot be done from the iPCU. On Lion Server, from the Server app, enable Device Management, and then setup a profile scoped devices instead of users, which will give you a System Level profile for 802.1X.

williape
New Contributor

I ended up adding "host/" to the beginning of the common name in the CSR so that the cert issued for authentication had this prefix. Depending on what you're using for access control you can then tell the server to identify incoming requests with the "host/" prefix as a machine authentication sessions instead of a user authentication and to then exclude the "host/" when doing a lookup for the machine name in AD.

cbrewer
Valued Contributor II

If you want system or login mode profiles, you must create them with Profile Manager from 10.7 Server or manually hack up an IPCU mobileconfig file.

To get system to work with an IPCU mobileconfig, create a working “user” profile and add the following items:

Starting with the line immediately below the SSID_STR key’s "<string>" value, add this:

<key>SetupModes</key>
<array>
<string>System</string>
</array>

Insert these lines immediately above the bottom-most "<key>PayloadType</key>" line:

<key>PayloadScope</key>
<string>System</string>

bentoms
Release Candidate Programs Tester

Hi Eric,

Have you any documentation on what you did? i think i'm facing the same issue..

the mac's are authenticating as users & not the computers despite having a valid cert from AD.

If I set the MSCHAPv2 Outer Identity to host/$COMPUTERNAME.mydomain.com it still fails.

AAA Authentication Failure for UserName:host/COMPUTERNAME.mydomain.com User Type: WLAN USER

bentoms
Release Candidate Programs Tester

NVM figured mine out.

The missing step was to set the profile to use "Directory Authentication" with the Computername (the assumption here is that this then uses the AD Cert with the same name to identify the client to the RADIUS server).

Cem
Valued Contributor

We are using SCEP with Casper Suite v8.6. Which offers a nice variables for configuration profile as well as Dynamic Challenge Password option.

We can get the cert using SCEP config profile. But it seems that we will need the TLS wifi payload within the same config. So this gives us an option to select SCEP as a cert automagically.
But doing this still didn't work – it looks like eapol client is struggling to get the trust?!

After playing around with the Configuration xml file I've got it working. Thanks to this blog:
https://discussions.apple.com/thread/3682999?start=0&tstart=0

I had to export the config profile from JSS, then import it in to IPCU to get rid of the signature. This way I can edit the Username under TLS Authentication (host/$COMPUTERNAME.example.com) then export it without signing. Future request will be created for adding the iPCU like Authentication tab in JSS Wi-Fi payload.
I have then added the following lines in Text Wrangler:

<key>SetupModes</key>
               <array>
                    <string>System</string>
                    <string>Loginwindow</string>
               </array>
               <key>PayloadScope</key>
               <string>System</string>

here is the full wi-fi payload in xml. I am only putting it here for you to compare it and see where to add the above part...

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
          <dict>
               <key>AutoJoin</key>
               <true/>
               <key>EAPClientConfiguration</key>
               <dict>
                    <key>AcceptEAPTypes</key>
                    <array>
                         <integer>13</integer>
                    </array>
                    <key>EAPFASTProvisionPAC</key>
                    <false/>
                    <key>EAPFASTProvisionPACAnonymously</key>
                    <false/>
                    <key>EAPFASTUsePAC</key>
                    <false/>
                    <key>UserName</key>
                    <string>host/computer_name.ad.example.com</string>
                    <key>PayloadCertificateAnchorUUID</key>
                    <array>
                         <string>CD1BE015-1D42-4402-AB02-71B283806BE9</string>
                         <string>49D8C78A-4E0E-408B-B4ED-DD200B068D09</string>
                    </array>
               </dict>
               <key>EncryptionType</key>
               <string>WPA</string>
               <key>HIDDEN_NETWORK</key>
               <true/>
               <key>PayloadDescription</key>
               <string>Configures wireless connectivity settings.</string>
               <key>PayloadDisplayName</key>
               <string>WiFi Config</string>
               <key>PayloadIdentifier</key>
               <string>com.example.profile.wifi.config</string>
               <key>PayloadOrganization</key>
               <string>Example, Inc.</string>
               <key>SetupModes</key>
               <array>
                    <string>System</string>
                    <string>Loginwindow</string>
               </array>
               <key>PayloadScope</key>
               <string>System</string>
               <key>PayloadType</key>
               <string>com.apple.wifi.managed</string>
               <key>PayloadUUID</key>
               <string>752F1A6C-673A-4026-BFBB-814172B1DB7A</string>
               <key>PayloadVersion</key>
               <integer>1</integer>
               <key>ProxyType</key>
               <string>None</string>
               <key>SSID_STR</key>
               <string>Test</string>
          </dict>

This is only wifi part of the xml. Remember you will need to use 3 payloads under the same configuration profile.
Network
SCEP
Certificate (upload all your Certificate chain from AD certsrv and trust them in Wi-Fi payload)

Import the config to JSS … then correct the Dynamic Challenge Password option in JSS SCEP config profile (IPCU won't have this function, so you will need to re-added).

Now I can fully automate this at system level (even at built). Users can actually login to their newly build Macs with using their AD credentials first time using wifi only… lovin' it!

Cem
Valued Contributor

BTW we are using EAP-TLS and our Macs are bound to Active Directory domain.

Samdy
New Contributor III

Could you send all file Network
SCEP
Certificate

???

Cem
Valued Contributor

Samdy
New Contributor III

Yes, thanks for the reply :-)

Now I did not have the Jamf pro to make a profile .mobileconfig so can you send me a file.mobileconfig then I will edit your file.

Thanks,

AVmcclint
Honored Contributor

@Samdy It doesn't work like that. No one is going to give you a copy of the mobileconfig for accessing their protected network. That's like asking someone for their house keys so you can modify it to fit your house. Not only that, but the specifics of the configuration will depend on how your network is configured: Servers, certificates, IDs, passwords, etc. You should work with your network engineers to find out the details of what is needed to connect to your network. Since you do not have JamfPro, then you will need to look into Apple's Profile Manager to see where you can input the settings your network team gave you.