
How can I create an 802.11x system profile?

41892 Views 68 Replies Latest reply: Aug 30, 2013 6:15 AM by Peter-Erik
natevancouver Level 1 (10 points)
Jul 20, 2011 3:17 PM

How can I create a system-wide 802.11x profile in Lion? This would allow the Mac to connect to the wireless network at startup, before login.

 

In Snow Leopard there was a “+” button on the 802.11x screen that let you create a system profile. In Lion you have to use the iPhone Configuration Utility (yes iPhone) to create a configuration profile, which you then import on the Mac.

 

But as far as I can tell that only creates a user profile. With a user profile the wireless network is not connected until after you log in.

  • DrVenture Level 2 (180 points)
    Jul 20, 2011 3:18 PM (in response to natevancouver)

    You have to use Profile Manager on Lion Server to create System Mode or Login Window mode profiles for Lion clients.

  • DrVenture Level 2 (180 points)
    Jul 20, 2011 3:29 PM (in response to natevancouver)

    There is no way to do it without Lion server. Remember Lion server is now free. You can also do a reinstall on any Lion client (choose customize) to install server. Then just download the server app from the App store and you can configure profile manager.

  • William Lloyd Level 6 (19,220 points)
    Jul 20, 2011 3:35 PM (in response to natevancouver)

    You need Lion Server on a system to create the profiles.

     

    Lion Server is $50 and available from the App Store.  You'll probably want at least one machine with it to generate the profiles.

     

    Another option might be to script 'networksetup' to create the profiles from the command line.  This is not a trivial exercise, but would likely work if you were a command-line expert and had a bunch of knowledge about all networksetup's options and your 802.1X environment.

  • DrVenture Level 2 (180 points)
    Jul 20, 2011 3:40 PM (in response to William Lloyd)

    I stand corrected. I just checked and server is indeed 50 bucks. Darn you developer preview =).

     

    Yes, networksetup is another option; it can be a little overwhelming. I would just spend the 50 dollars and use Profile Manager.

  • Gary_Parker Level 1 (0 points)
    Jul 21, 2011 3:48 AM (in response to DrVenture)

    Hi, I'm in a similar situation here: we operate 802.1X on both our wired and wireless networks and, while our iPhone mobileconfig file is working on laptops at the moment, we can't get desktop machines to authenticate properly on the wired network.

     

    While we have a large Mac userbase on campus we operate a Microsoft Active Directory and have no intention of setting up a Lion server and Open Directory infrastructure just to get clients on the network. I need a way to create these Profiles without Lion Server. This is a serious problem.

  • DrVenture Level 2 (180 points)
    Jul 21, 2011 9:44 AM (in response to Gary_Parker)

    Gary,

     

    If you are not going to use System or Login window mode, then you can use IPCU to create the 802.1X profiles that will allow a Lion client to connect to either a wireless or wired 802.1X network. If you need System or Login window mode, then yes, you will need to set up a Lion server or use the networksetup utility.

     

    From my testing I have found the following to be true:

     

    1. A profile created with IPCU can be used for either the wireless or wired interface on a Lion client. If you want to create a wired profile, just enter bogus info for the SSID; the wired interface will ignore it. If you decide to check out Lion Server, you can specify wired or wireless interfaces, so you do not have to enter a bogus SSID if you want a "wired" only profile.

     

    Another thing is again with Profile Manager (Lion Server), WiFi 802.1X profiles can be used with wired interfaces, however, wired 802.1X profiles CANNOT be used with WiFi because it lacks an SSID.

     

    2. Lion client now supports an "802.1X automatic" mode with wired. Meaning, if you plug a Lion client into a switch that supports 802.1X authentication, the Lion client will start the EAPOL supplicant when it sees an EAP ID request. If the EAP type can be auto neg by the Lion client, it will prompt the user to enter user credentials, or a cert (in the case of TLS). So a profile is not needed in this case.

     

    If this auto connection mode is not desired, you can turn it off by going to System Prefs - Network - choose the Eth interface - advanced - 802.1X tab. You will see a check box to enable automatic connection.

     

    Hope this helps

  • Tunc
    Aug 17, 2011 12:46 PM (in response to natevancouver)

    Is there any documentation or how-to about creating system profiles for wifi/ethernet in Lion Server?

  • cbrew325
    Aug 18, 2011 10:11 AM (in response to natevancouver)

    Create a User level profile using either IPCU or the Profile Manager in Lion Server.

     

    Once created, edit the file and add the following:

     

    <key>PayloadScope</key>
    <string>System</string>

     

    This should make your profile device level as opposed to user level.

  • Tunc Level 1 (20 points)
    Aug 18, 2011 10:10 AM (in response to cbrew325)

    Thanks. I will try it.

    So I assume there is no other way to do it. It's a bad thing actually, if the profile file is encrypted.

    Thanks again. And this should be the answer to this discussion, not some reply with Lion Server being free...

  • Steve-1029 Level 1 (5 points)
    Aug 18, 2011 7:30 PM (in response to natevancouver)

    LION on MBP

     

    Once I use the IPCU tool

    How the heck do you "save" the profile

    and then get the LION WiFi to use it ???

     

    steve

  • Tunc Level 1 (20 points)
    Aug 19, 2011 12:05 AM (in response to Steve-1029)

    You can export to a file and double click, or email yourself and open it.

     

    By the way, the system profile didn't work...

  • MennoTech
    Aug 19, 2011 2:52 PM (in response to natevancouver)

    This is what worked for me:

     

    To get a system to work with an IPCU mobileconfig, create a working “user” profile and add the following items:

     

    Starting the line immediately below the SSID_STR key’s ‘<string>’ value, add this:

     

    <key>SetupModes</key>
    <array>
      <string>System</string>
    </array>

    Change "System" to "Loginwindow" to create a Login Profile.

     

    Insert these lines immediately above the bottom-most PayloadType key line:

     

    <key>PayloadScope</key>
    <string>System</string>

    I was able to get both a System profile and a Login Profile working. No Lion servers involved for me, just the iPhone Configuration Utility.

     

    Taken from: http://www.iphoting.com/blog/archives/817-Lion-Wireless-Access-in-SMU.html

  • cbrew325 Level 1 (15 points)
    Aug 19, 2011 3:43 PM (in response to MennoTech)

    That's the missing piece to this puzzle.  Thank you very much.
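
Added example, not part of any post in this thread: the two manual edits MennoTech describes (SetupModes inside the payload that carries SSID_STR, PayloadScope at the top level of the profile), done with Python's plistlib instead of a text editor. The function name and the sample profile are constructed for illustration; the script refuses signed or encrypted profiles, which cannot be edited this way.

```python
import plistlib
from xml.parsers.expat import ExpatError

VALID_MODES = ("System", "Loginwindow")

# Constructed sample: a minimal user-level Wi-Fi profile of the kind IPCU
# exports. Identifiers, UUIDs and the SSID are made up for this example.
SAMPLE_USER_PROFILE = plistlib.dumps({
    "PayloadContent": [{
        "PayloadType": "com.apple.wifi.managed",
        "PayloadIdentifier": "com.example.profile.wifi1",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadVersion": 1,
        "SSID_STR": "ExampleCampus",
        "EncryptionType": "WPA",
        "EAPClientConfiguration": {"AcceptEAPTypes": [25]},  # 25 = PEAP
    }],
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.profile",
    "PayloadUUID": "00000000-0000-0000-0000-000000000002",
    "PayloadVersion": 1,
})

def to_system_profile(data: bytes, mode: str = "System") -> bytes:
    """Return a copy of a user-level profile converted to System/Loginwindow mode."""
    if mode not in VALID_MODES:
        raise ValueError(f"mode must be one of {VALID_MODES}")
    try:
        profile = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError) as exc:
        # A signed .mobileconfig is a CMS wrapper, not a plain plist.
        raise ValueError("not a plain plist; edit the unsigned export") from exc
    if "EncryptedPayloadContent" in profile:
        raise ValueError("payload is encrypted; edit the unencrypted export")
    targets = [p for p in profile.get("PayloadContent", [])
               if isinstance(p, dict) and "SSID_STR" in p]
    if not targets:
        raise ValueError("no payload with SSID_STR found")
    for payload in targets:
        payload["SetupModes"] = [mode]      # goes next to SSID_STR
    profile["PayloadScope"] = "System"      # top level, beside PayloadType
    return plistlib.dumps(profile)

if __name__ == "__main__":
    print(to_system_profile(SAMPLE_USER_PROFILE, "Loginwindow").decode())
```

Diffing the output against the original export before importing it confirms that only SetupModes and PayloadScope changed.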
