
How can I create an 802.11x system profile?

41904 Views 68 Replies Latest reply: Aug 30, 2013 6:15 AM by Peter-Erik
  • WHS ict
    Aug 20, 2013 4:23 PM (in response to DrVenture)

    I'm not finding the option to create a system mode login, only a login window one. Where is that in Lion Server?

  • °Bernz° Level 1 (10 points)
    Aug 20, 2013 4:40 PM (in response to WHS ict)

    Hi WHS,

    It's a bit confusing in the Profile Manager interface, but the way I solved it is that in the Network payload, I check the box Use as a Login Window configuration.

    [Screenshot: Capture d’écran 2013-08-20 à 19.34.45.png]

    Basically, this means that the configuration will be used at the login window, e.g. when no one is connected, so this is basically a "system" configuration.

    (P.S. It goes without saying that you need OS X Server with Profile Manager to do this...)

  • WHS ict Level 1 (0 points)
    Aug 20, 2013 4:48 PM (in response to °Bernz°)

    Hmm. My understanding was that a system profile and a login window profile were two entirely different things.

  • °Bernz° Level 1 (10 points)
    Aug 20, 2013 5:08 PM (in response to WHS ict)

    Well, more or less... I believe that in a previous version of OS X, they did make the distinction. And maybe for other configuration aspects, it does make a difference. But for 802.1X, the difference doesn't seem to be there.

    If you look at the Profile Manager documentation (http://help.apple.com/profilemanager/mac/2.2/#apdF985515F-9344-46EE-BAC5-D60ABBF1C1D1), they are pretty clear that both are pretty much the same:

    When you’re creating a profile for a user, the settings are for 802.1X user mode. When you’re creating a profile for a device, the settings are for system mode or login window mode.

    As you can read from this extract of Apple's documentation, for the device, system and login mode seem to be pretty much the same... at least in this situation.

  • Tunc Level 1 (20 points)
    Aug 20, 2013 5:15 PM (in response to °Bernz°)

    They are completely different things.

    To achieve the system mode just add or edit the following code blocks in the profile (by editing it either with Xcode or vim):

    <key>PayloadScope</key>
    <string>System</string>

  • WHS ict Level 1 (0 points)
    Aug 20, 2013 5:35 PM (in response to Tunc)

    Yeah, they are behaving oddly. I'm wanting there to be a login window profile, to allow my network users to validate with the server on my RADIUS-secured wireless, but then they should disconnect from that wireless and join the guest network. I thought a login profile did that. Instead I'm seeing the laptop connected to the RADIUS network before login (so I can ssh into the device), then the laptop remains connected to the login window profile network after login, which makes it more of a system profile.

    Anyone know how I can achieve what I'm after with Lion?

  • °Bernz° Level 1 (10 points)
    Aug 20, 2013 5:42 PM (in response to WHS ict)

    Hi WHS,

    Just like you, I needed to have a profile connected to my WPA2 Enterprise WiFi network at the login window. I created a .mobileconfig file with OS X Server with the option Use as a Login Window configuration checked, and it works as expected.

    I created a dummy account for the login window, with no rights whatsoever on the network, but with the ability to log in using RADIUS. Then, once the user logs in, the user's credentials are used to authenticate through RADIUS.

    Don't know if that's what you need, but it worked for me under 10.8.

    Regards.

  • WHS ict Level 1 (0 points)
    Aug 20, 2013 6:18 PM (in response to °Bernz°)

    Almost. I'm also using a machine account to allow the network user to be authenticated over a RADIUS-secured network.

    I then want that RADIUS-secured network to close, and a WPA network to be used instead (the user profile network). This allows me to limit access to the device to registered users only, and limit access to the internal network to authorised users only.

    I had thought a system profile works for login and user, a login profile for the login step only and a user profile for the user step only; it appears that I am wrong.

    Is there any way to do what I want, or do I need to expose my LDAP server to the WPA (guest) network in order to get network users authenticated?

  • Peter-Erik
    Aug 30, 2013 6:15 AM (in response to natevancouver)

    I'm trying to make an 802.1x profile for a 10.7.5 system. After the user logs in it works, but I want a system account. Any idea what's wrong with my XML file, or what I am missing?

    Thanks

     

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>PayloadContent</key>
        <array>
            <dict>
                <key>AutoJoin</key>
                <false/>
                <key>EAPClientConfiguration</key>
                <dict>
                    <key>AcceptEAPTypes</key>
                    <array>
                        <integer>13</integer>
                    </array>
                    <key>EAPFASTProvisionPAC</key>
                    <false/>
                    <key>EAPFASTProvisionPACAnonymously</key>
                    <false/>
                    <key>EAPFASTUsePAC</key>
                    <false/>
                    <key>PayloadCertificateAnchorUUID</key>
                    <array>
                        <string>6F390D6B-80AB-4E3A-9222-BDA0FFF20F2A</string>
                    </array>
                    <key>TLSTrustedServerNames</key>
                    <array/>
                    <key>TTLSInnerAuthentication</key>
                    <string>MSCHAPv2</string>
                    <key>UserName</key>
                    <string></string>
                    <key>UserPassword</key>
                    <string></string>
                </dict>
                <key>EncryptionType</key>
                <string>WPA</string>
                <key>HIDDEN_NETWORK</key>
                <true/>
                <key>PayloadDescription</key>
                <string>Configures wireless connectivity settings.</string>
                <key>PayloadDisplayName</key>
                <string>Wi-Fi (-)</string>
                <key>PayloadIdentifier</key>
                <string>local.test.profile.wifi1</string>
                <key>PayloadOrganization</key>
                <string></string>
                <key>PayloadType</key>
                <string>com.apple.wifi.managed</string>
                <key>PayloadUUID</key>
                <string>D732275D-9269-4C18-BC01-EED50FBCE0FA</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <key>ProxyType</key>
                <string>None</string>
                <key>SSID_STR</key>
                <string>-</string>
                <key>SetupModes</key>
                <array>
                    <string>System</string>
                    <string>Loginwindow</string>
                </array>
            </dict>
            <dict>
                <key>PayloadCertificateFileName</key>
                <string>CA1</string>
                <key>PayloadContent</key>
                <data>
                MIIDbjCCAlagAwIBAgIQJiGU9rU4sKZJ5X7tpWQKGjANBgkqhkiG
                9w0BAQUFADA/MRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxGDAWBgoJ
                kiaJk/IsZAEZFghjYnMtbmlvYjEMMAoGA1UEAxMDQ0ExMB4XDTEz
                MDgwMTA5MzQwNFoXDTIzMDgwMTA5NDQwMlowPzEVMBMGCgmSJomT
                8ixkARkWBWxvY2FsMRgwFgYKCZImiZPyLGQBGRYIY2JzLW5pb2Ix
                DDAKBgNVBAMTA0NBMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
                AQoCggEBAJSTewHD3wvtOjTjY/NdAM1gIiWZESwCgB1EsTs8cXNQ
                VS33Fv+Wl3cEoZYS99ocETGwz9c02neQobV2bPhqe+IkU/jc9CW4
                OgfW9pdrAMlDCrDJ7shsenTKKmdfutPZ5VQfQgBTF/6acz4Cq2l0
                euIoSulMeQ/bBFxBn/MWmZ1m/Jinxi1iVbTHnuTvxEZI6Jj6E/OO
                sPUBgsvCencnqz+nSRzFlDNtosleVuFXFolBukzgnLpxkQI+a3Ab
                cMUW5HR4STqQAnyALv+q88d08eWQDzX3hf2ejgIw39g8YbCIZQpn
                SpVqNu/j5RH5kPqIMlT3rSaV9V/xixRQglMDGeECAwEAAaNmMGQw
                EwYJKwYBBAGCNxQCBAYeBABDAEEwCwYDVR0PBAQDAgGGMA8GA1Ud
                EwEB/wQFMAMBAf8wHQYDVR0OBBYEFAoH7bBxS9OkqWlNBttqQynr
                ROcjMBAGCSsGAQQBgjcVAQQDAgEAMA0GCSqGSIb3DQEBBQUAA4IB
                AQAgNY5njNUD8awe2si8QiDVQcdOp3/jT++ghBv+GkLpwsf6sb72
                qUKoWE3+DA6ZT7VYg6ZV6z7uIMA8eYAoz2tQLBLkzKXlJA5HaXML
                +loGad7ksA7si7rqZhxdcVRDnaRwZxUwB1ddWr2jsZgewId7doId
                5GjxeC1PZOCKCVpKXtLwFLXZNQjj+BVOiccXLCY/6BPFXtySNMac
                DEFMAVk9vmqTsISZJbpq4AMtrmWfBcq+cNKLq6kDbOPUUJK9TFpu
                PAD6BTWjKAcvkBJuDuqBS84lyp82b4QdRYdPP4AtT1jtYrpg0547
                OSBXxfh7b5Ou0QB3oq3Hlc/x69HpGrU1
                </data>
                <key>PayloadDescription</key>
                <string>Provides device authentication (certificate or identity).</string>
                <key>PayloadDisplayName</key>
                <string>CA1</string>
                <key>PayloadIdentifier</key>
                <string>local.test.profile.credential2</string>
                <key>PayloadOrganization</key>
                <string></string>
                <key>PayloadType</key>
                <string>com.apple.security.root</string>
                <key>PayloadUUID</key>
                <string>6F390D6B-80AB-4E3A-9222-BDA0FFF20F2A</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
            </dict>
        </array>
        <key>PayloadDescription</key>
        <string>Profile description.</string>
        <key>PayloadDisplayName</key>
        <string>Lion 802.1x</string>
        <key>PayloadIdentifier</key>
        <string>local.test.profile</string>
        <key>PayloadOrganization</key>
        <string></string>
        <key>PayloadRemovalDisallowed</key>
        <false/>
        <key>PayloadScope</key>
        <string>System</string>
        <key>PayloadType</key>
        <string>Configuration</string>
        <key>PayloadUUID</key>
        <string>D16F5411-533E-4038-8CE7-7CAADE871026</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
    </dict>
    </plist>
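As an added check that is not from any poster in this thread, the script below parses a .mobileconfig with Python's plistlib and reports on the points raised above: Tunc's requirement that PayloadScope be System, the SetupModes of the Wi-Fi payload, whether the anchor UUID resolves to a certificate payload in the same profile, and two things worth a second look in a profile shaped like Peter-Erik's, an empty TLSTrustedServerNames (the supplicant then accepts any RADIUS server certificate chaining to the anchor CA) and EAP-TLS (type 13) with no identity certificate for the machine to present. The embedded profile is a constructed, trimmed-down sample with a placeholder UUID, and the PayloadCertificateUUID key is assumed from Apple's Wi-Fi payload reference.

```python
import plistlib
# Constructed sample in the shape of the profile posted above (not the poster's
# own file): a System-scoped Wi-Fi payload using EAP-TLS (type 13).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadScope</key><string>System</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>SetupModes</key><array><string>System</string><string>Loginwindow</string></array>
      <key>EAPClientConfiguration</key><dict>
        <key>AcceptEAPTypes</key><array><integer>13</integer></array>
        <key>PayloadCertificateAnchorUUID</key><array><string>CA-UUID-PLACEHOLDER</string></array>
        <key>TLSTrustedServerNames</key><array/>
      </dict>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadUUID</key><string>CA-UUID-PLACEHOLDER</string>
    </dict>
  </array>
</dict></plist>"""

def check_profile(raw):
    """Return findings for a .mobileconfig meant to supply 802.1X at the login window."""
    profile = plistlib.loads(raw)
    findings = []
    # Tunc's point: without PayloadScope=System the profile is installed per user.
    if profile.get("PayloadScope") != "System":
        findings.append("PayloadScope is not System; profile is user-scoped")
    payloads = profile.get("PayloadContent", [])
    uuids = {p.get("PayloadUUID") for p in payloads}
    for p in payloads:
        if p.get("PayloadType") != "com.apple.wifi.managed":
            continue
        if not set(p.get("SetupModes", [])) & {"System", "Loginwindow"}:
            findings.append("Wi-Fi payload has no System/Loginwindow SetupModes")
        eap = p.get("EAPClientConfiguration", {})
        # Every anchor UUID must resolve to a certificate payload in the same profile.
        for anchor in eap.get("PayloadCertificateAnchorUUID", []):
            if anchor not in uuids:
                findings.append(f"anchor {anchor} matches no certificate payload")
        # Empty trusted-server list: any RADIUS cert chaining to the anchor is accepted.
        if not eap.get("TLSTrustedServerNames"):
            findings.append("TLSTrustedServerNames is empty")
        # EAP-TLS needs a machine identity; PayloadCertificateUUID key assumed from Apple's Wi-Fi payload keys.
        if 13 in eap.get("AcceptEAPTypes", []) and not p.get("PayloadCertificateUUID"):
            findings.append("EAP-TLS selected but no PayloadCertificateUUID identity")
    return findings
```

Pointing it at a real .mobileconfig is a matter of passing the file's bytes to check_profile; an empty list means none of these checks fired.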
