Lion and Identity Preference for WiFi

brian_flynn
New Contributor III

I'm trying to set up a package for Lion clients to deploy an 802.1X profile
to configure the settings for WiFi at one of our locations, and could use
some help. The WiFi network uses TLS and the machines authenticate using
the machine account in AD and the computer's X509 certificate.

I don't have a Lion server yet, so I've used the iPCU to configure a
profile that includes the WiFi information and Trusted Server Certificate.
I've then used Composer to create a package that copies the mobileconfig
to the local machine and then runs the "profiles -I -F" command. This works
well.

My problem is configuring the system with the Account and X509 Certificate
information. If I set up the WiFi connection manually, I'm prompted to
specify the Username and select the Certificate. Once I've done this it
creates two entries in the user's Keychain. So I'm trying to automate this
piece so users can connect without being prompted for anything.

The first Keychain entry is an "802.1X Password" and the second is an
Identity Preference. The first contains the Username, the second appears
to basically tie the computer's certificate to the Wireless entry.

I've set up a Login Policy that runs a script once on the machines. The
script works well to create the 802.1X Password entry, but fails to create
the Identity Preference. The Identity Preference command returns ERROR 36,
which when I look it up is:

Error: 0x00000024 36 CSSM_ERRCODE_OBJECT_ACL_REQUIRED

Here's the script:

#!/bin/bash

# Jamf passes the short name of the logged-in user as the third argument
loginUsername="$3"

# Configure the 802.1X Password keychain item (username = AD computer account)
computerAccount=$(/usr/sbin/dsconfigad -show | grep "Computer Account" | awk '{ print $4 }')
/usr/bin/security add-generic-password -a "$computerAccount" -D '802.1X Password' \
  -s com.apple.network.eap.user.item.wlan.ssid.WIRELESSNET -l WIRELESSNET -A \
  "/Users/$loginUsername/Library/Keychains/login.keychain"

# Configure the Identity Preference for the user (SHA-1 hash of the computer's identity)
certificateIdentity=$(security find-identity -v | grep "X509 Certificate" | awk '{print $2}')
/usr/bin/su -l "$loginUsername" -c "/usr/bin/security set-identity-preference -Z $certificateIdentity -s com.apple.network.eap.user.identity.wlan.ssid.WIRELESSNET"

If I run these as the user myself they work as they should and both the
802.1X Password and Identity Preference are created. Any help or guidance
anyone can provide is greatly appreciated.

Thanks
Brian
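One place a script like the one above can go wrong silently is the identity lookup: `grep "X509 Certificate" | awk '{print $2}'` matches by substring and, if a renewed or expired certificate with a similar name is also in the keychain, returns several hashes at once, which `-Z` cannot use. The helper below is an added example, not part of Brian's script or any Jamf or Apple code; it selects the SHA-1 hash from `security find-identity -v` output by exact certificate name and refuses to continue when the match is missing or ambiguous. Because `security` only exists on macOS, the function takes the command's output as text, and the sample output here is constructed to follow the tool's `N) <sha1> "<name>"` line layout; the SSID and certificate names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): pick exactly one identity hash
# from `security find-identity -v` output, matching the quoted name exactly.
#
# pick_identity_hash <find-identity output> <exact certificate name>
#   prints the 40-hex SHA-1 of the single matching identity
#   exit 1 if nothing matches, exit 2 if more than one identity matches
pick_identity_hash() {
  cn="$2"
  printf '%s\n' "$1" | awk -v cn="$cn" '
    BEGIN { n = 0 }
    # identity lines look like:   1) <hex hash> "<certificate name>"
    /^[[:space:]]*[0-9]+\)[[:space:]]+[0-9A-Fa-f]+[[:space:]]+".*"[[:space:]]*$/ {
      hash = $2
      name = $0
      sub(/^[^"]*"/, "", name)          # drop everything up to the opening quote
      sub(/"[[:space:]]*$/, "", name)   # drop the closing quote
      if (name == cn) { n++; found = hash }
    }
    END {
      if (n == 0) {
        print "no identity named \"" cn "\"" > "/dev/stderr"; exit 1
      }
      if (n > 1) {
        print n " identities named \"" cn "\"; refusing to guess" > "/dev/stderr"; exit 2
      }
      print found
    }'
}

# Constructed sample output: an expired certificate whose name shares the
# "X509 Certificate" substring, the current one, and two duplicate dev certs.
SAMPLE_OUTPUT='  1) 0123456789ABCDEF0123456789ABCDEF01234567 "X509 Certificate (expired)"
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "X509 Certificate"
  3) FEDCBA9876543210FEDCBA9876543210FEDCBA98 "Apple Development: Example"
  4) 0011223344556677889900112233445566778899 "Apple Development: Example"
     4 valid identities found'

# Usage in a deployment script (placeholder SSID and certificate name):
#   hash=$(pick_identity_hash "$(security find-identity -v)" "X509 Certificate") || exit 1
#   su -l "$loginUsername" -c "security set-identity-preference -Z $hash \
#     -s com.apple.network.eap.user.identity.wlan.ssid.WIRELESSNET"
```

With the sample above, the substring approach would hand `-Z` two hashes (lines 1 and 2), while the exact-name lookup returns only the hash on line 2 and fails loudly for the duplicated development certificate.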


sgoetz
Contributor

@brian.flynn Did you ever get this to work? I'm getting the same error using a similar script as yours to set the WiFi Identity.