Possible Solution: Wired 802.1X Configuration Profiles NetBoot and OS

SachinParmar
New Contributor

Hi All,

I just wanted to share some stuff around 802.1X configuration profiles and wired networks. I know many people have been struggling with this, but this is how I have managed to get it working in our environment, which is now 95% automated. Here's how it works (hope it helps):

We currently have two configuration profiles: one for PEAP authentication, which can be used for NetBoot/AD binds/"temporary internet authentication" using a stored username/password combination of a service account within the PEAP configuration profile, and one for machine-certificate-based 802.1X EAP-TLS authentication after the machines have been bound to AD.

NetBoot Pre-Reqs:

OS X image with PEAP and TLS profiles stored in an accessible location, i.e. /Users/Shared/...

NetBoot set with the PEAP configuration profile copied into the Shared folder...

  1. When the NetBoot loads automatically (as root), I run an Automator workflow which installs the PEAP profile using the "profiles -I -F /Users/Shared/(PEAP Configuration).mobileconfig" command. This then gives me PEAP authentication on the network.

  2. Once the profile has installed, the workflow then opens Casper Imaging and analysts can subsequently image the Macs.

During the Casper Imaging sequence I removed all the software installs and run them as a policy after the machine has finished, so effectively when imaging a machine all I drop is the OS DMG image (the PEAP profile is located in this image, not installed as a configuration profile at this point). I then run a postimage.sh install script just before the automatic reboot in Casper Imaging, where I have a command that does the "profiles -I -F /Users/Shared/PEAP Profile.mobileconfig" install and then blesses the system.

OS:

After the OS boots back up, it should have PEAP authentication and can continue the "imaging sequence". I have mine set to build/complete policies after the "enrollmentcomplete" stage.

During this "build" stage it does an AD bind. I can then install the TLS configuration profile, whereby it will request a machine certificate from our AD certificate servers and change the authentication method to TLS.

I run another policy which removes the PEAP mobileconfig file from /Users/Shared/...

The 5% Manual bit...

At this point the OS has two configuration profiles installed. Unfortunately, if you automate the removal of the PEAP profile using the profiles command it breaks the connection, so this PEAP profile must be removed manually. An "802.1X authentication" box then appears, where you need to open the drop-down list, select the machine name and hit OK; the connection then becomes active again using TLS and one configuration profile. This is a one-time process per user.

I hope that makes sense to all you folks. If you have any improvements to this method or questions, please let me know. It sounds convoluted but it really isn't!

This is for information purposes only.

Sachin

EDIT: This works on OS X 10.10.3
