Posted on 01-01-2016 12:03 AM
Hi everyone and happy new year.
I need to discuss how to make use of 802.1x Configuration Profiles. Something is not clicking with me.
We have Cisco ISE as a RADIUS server and the network devices (Cisco Wireless LAN Controllers) make calls to it for PEAP (MSCHAP-V2) authentications. The user identities in the RADIUS system are derived from an Active Directory using ISE's AD connector.
My usage scenario that I am designing right now is 1:1 MacBooks. A decision has not yet been made about these devices being joined to the Active Directory. Using Casper Imaging I can easily have a named, individualised local user account built that matches the machine 'owner'. We have already done this for years using alternate deployment techniques, and this would be the main reason for even bothering with a 1:1 machine joined to a directory.
My thought process at this point is around how to stage the wireless connection onto the devices. If I use the Casper tools to join AD as part of the imaging process, I have been able to successfully make use of an 802.1x configuration profile containing EAP server and root CA certificates that is pushed to the device via MDM at the end of the imaging process. This configuration profile makes an AD login possible at the OS X login window (which is a big win in itself and seems to work smoothly in testing). The login window changes to have the drop-down WiFi profile list available and a yellow dot appears in the username field. I presume this is how things are supposed to be.
HOWEVER, what happens if OS X is started when the machine is away from the WiFi network? If the user has already established their mobile account the system logs in fine. The OS X machine is then brought onto the premises in a sleep state. The machine wakes up and despite the wifi profile being on the machine, credentials are not passed for authentication. The user must log out and back in again to get a wireless connection. Is this behaviour for real?
That is the first part of my question. This second part of my question is the result of not being able to solve that undesirable behaviour.
If I use our old method of having a local account matching the person's name built during the imaging process, then a wireless connection at the login window is not required. In this scenario I can either tell the user to join the wireless network manually or attempt to have it taken care of for them with the configuration profile that is delivered at the end of imaging via MDM.
If I tell the user to join the wireless network manually, the familiar certificate trust message will appear when the EAP tunnel is established. This occurs even if the certificate is signed by a public CA that trust stores normally trust (mine is signed by DigiCert). The goal is to suppress the certificate trust message. I understand the only way to do this is by using a configuration profile that contains the network settings as well as the certificate that is being presented for secured EAP communications and possibly the certificate of the signing CA and any intermediates (this is what I was doing successfully in my first question).
HOWEVER, if I attempt to do that, I need to populate the username/password fields in the configuration profile. How can I possibly know the username and password and have individualised configuration profiles for hundreds of users? These aren't generic logins.
I have tried leaving username/password fields blank (even though the JSS' configuration profile builder has [Required]), and this results in a profile on the OS X system that seems to be stuck in an authentication loop. It doesn't pass any credentials and it doesn't prompt the user to enter anything.
I want the 802.1x supplicant to prompt the user for their credentials and take advantage of the profile being present that contains the certificates so that there is no ugly prompt for the user to trust the certificate. These are assets owned by our organisation and can be staged however I need; not BYO where a trust message appearing would be acceptable.
Am I even on the right track here with understanding all of this? Is it solvable?
Thanks!
John
Posted on 01-04-2016 07:49 AM
John,
I have this exact issue. If you notice, your configuration profile sets the authentication mode to "System", which means it tries to authenticate as the machine. Here is a Python script I use to change this after I install the profile as a computer profile. Let me know if this helps:
#!/usr/bin/python
'''This script will fix Casper's inability to prompt a user
for their credentials to connect to wireless.
Joshua D. Miller - May 14, 2015 - josh@psu.edu
Penn State College of Education'''
import platform
import plistlib

# Location of the Wi-Fi preferences plist maintained by the system
NETWORK_PLIST = (
    '/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist'
)

# Networks whose entry should be switched from System mode (machine
# authentication) to user mode so the supplicant prompts the user.
# Two are updated here: the internal network and a second one (eduroam).
TARGET_SSIDS = ('Your WiFi Name here', 'Your second WiFi name here')


def os_version():
    '''Return the OS X version as a tuple of ints so that 10.10 sorts
    after 10.9 (plain string comparison would put "10.10" before "10.7").'''
    return tuple(int(part) for part in platform.mac_ver()[0].split('.'))


def fix_network(network, set_autologin):
    '''Clear SystemMode on one remembered/known network entry.
    Returns True if the entry was changed.'''
    if network.get('SSIDString') not in TARGET_SSIDS:
        return False
    if not network.get('SystemMode'):
        return False
    network['SystemMode'] = False
    if set_autologin:
        network['AutoLogin'] = True
    return True


def main():
    data = plistlib.readPlist(NETWORK_PLIST)
    version = os_version()
    changed = False
    # 10.7.5 - 10.9.5 keep a list of entries under RememberedNetworks
    if (10, 7, 5) <= version <= (10, 9, 5):
        for network in data.get('RememberedNetworks', []):
            changed = fix_network(network, set_autologin=False) or changed
    # 10.10.0 and later keep a dict of entries under KnownNetworks
    elif version >= (10, 10, 0):
        for network in data.get('KnownNetworks', {}).values():
            changed = fix_network(network, set_autologin=True) or changed
    if not changed:
        print("No matching network in System mode; nothing to do.")
        return
    # Write the plist once, after all matching entries have been updated
    try:
        plistlib.writePlist(data, NETWORK_PLIST)
        print(NETWORK_PLIST + " updated for: " + ", ".join(TARGET_SSIDS))
    except (IOError, OSError):
        print("Could not write PLIST file.. " + NETWORK_PLIST)


if __name__ == '__main__':
    main()
I actually update 2 wireless profiles, our internal one and the eduroam one. This seems to work as a policy that is ongoing.
Posted on 01-24-2017 11:35 AM
Thanks for sharing this @josh.miller! What trigger(s) do you have set up for this script?
Posted on 01-24-2017 05:04 PM
@josh.miller We are having this exact same issue and it is driving everyone mad! Could you please explain a little more about what/where you configured this script to solve the issue?
Thank you!!!
Posted on 02-07-2017 04:49 AM
@mlcasillo I configured this script to run as a policy that runs at every check-in because, even though this changes the System mode flag, your profile can revert it. I would create a policy that runs at every check-in and cache it offline.