
How can I create an 802.11x system profile?

How can I create a system-wide 802.11x profile in Lion? This would allow the Mac to connect to the wireless network at startup, before login.


In Snow Leopard there was a “+” button on the 802.11x screen that let you create a system profile. In Lion you have to use the iPhone Configuration Utility (yes iPhone) to create a configuration profile, which you then import on the Mac.


But as far as I can tell that only creates a user profile. With a user profile the wireless network is not connected until after you log in.

Posted on Jul 20, 2011 3:17 PM

Question marked as Best reply

Posted on Jul 20, 2011 3:18 PM

You have to use Profile Manager on Lion Server to create System Mode or Login Window mode profiles for Lion clients.

71 replies

Aug 25, 2011 9:03 PM in response to Nick Kalister1

Nick, I received that error when I signed the security profile during export. You need to make sure that you set security to "None" when you export. If you sign the profile you cannot make edits using a text editor because it breaks the signature (that's the whole reason why you would normally sign export files).




Here's some sample code that works for me.


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>EAPClientConfiguration</key>
      <dict>
        <key>AcceptEAPTypes</key>
        <array>
          <integer>25</integer>
        </array>
        <key>EAPFASTProvisionPAC</key>
        <false/>
        <key>EAPFASTProvisionPACAnonymously</key>
        <false/>
        <key>EAPFASTUsePAC</key>
        <false/>
        <key>TLSAllowTrustExceptions</key>
        <true/>
        <key>UserName</key>
        <string>XUSERNAME</string>
        <key>UserPassword</key>
        <string>XPASSWORD</string>
      </dict>
      <key>EncryptionType</key>
      <string>WPA</string>
      <key>HIDDEN_NETWORK</key>
      <false/>
      <key>PayloadDescription</key>
      <string>Configures wireless connectivity settings.</string>
      <key>PayloadDisplayName</key>
      <string>Wi-Fi (TESTSSID)</string>
      <key>PayloadIdentifier</key>
      <string>login.profile.test.</string>
      <key>PayloadOrganization</key>
      <string>Organization Name.</string>
      <key>PayloadType</key>
      <string>com.apple.wifi.managed</string>
      <key>PayloadUUID</key>
      <string>34C68614-D32F-4BB4-875C-4B7341E63278</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>SSID_STR</key>
      <string>XTESTSSID</string>
      <key>SetupModes</key>
      <array>
        <string>System</string>
      </array>
    </dict>
  </array>
  <key>PayloadDescription</key>
  <string>Profile description.</string>
  <key>PayloadDisplayName</key>
  <string>Test System 802.1X Profile</string>
  <key>PayloadIdentifier</key>
  <string>login.profile.test</string>
  <key>PayloadOrganization</key>
  <string>Organization Name.</string>
  <key>PayloadRemovalDisallowed</key>
  <false/>
  <key>PayloadScope</key>
  <string>System</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>1AFDCE61-788E-44DD-A487-68C33D18324E</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
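The post above, and the later ones about editing an iPCU export by hand, boil down to one edit: the export must be unsigned, PayloadScope must become System and the Wi-Fi payload needs a System setup mode. The script below is an added example (not from the poster or from Apple) that automates that edit with Python's standard plistlib and flags two settings a reviewer should notice: the clear-text UserPassword and TLSAllowTrustExceptions. The embedded profile is a constructed sample with a hypothetical SSID and credentials.

```python
import plistlib

# Constructed sample (not the poster's file): a user-scope Wi-Fi profile shaped
# like an unsigned iPCU export, with hypothetical SSID and credentials.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>SSID_STR</key><string>EXAMPLE-SSID</string>
      <key>EAPClientConfiguration</key>
      <dict>
        <key>AcceptEAPTypes</key><array><integer>25</integer></array>
        <key>TLSAllowTrustExceptions</key><true/>
        <key>UserName</key><string>jdoe</string>
        <key>UserPassword</key><string>example-password</string>
      </dict>
    </dict>
  </array>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadScope</key><string>User</string>
</dict>
</plist>
"""

def is_signed(raw):
    # Exported with Sign = None the file is plain XML; a signed export is a
    # CMS/DER wrapper, and any text edit to it would invalidate the signature.
    return not raw.lstrip().startswith(b"<?xml")

def make_system_profile(raw):
    """Return (profile_dict, warnings) with scope and setup mode set to System."""
    if is_signed(raw):
        raise ValueError("signed profile: re-export with security set to None")
    prof = plistlib.loads(raw)
    warnings = []
    prof["PayloadScope"] = "System"  # install for the machine, not the user
    for payload in prof.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.wifi.managed":
            continue
        # keep any existing modes (e.g. Loginwindow) and add System
        payload["SetupModes"] = sorted(set(payload.get("SetupModes", [])) | {"System"})
        eap = payload.get("EAPClientConfiguration", {})
        ssid = payload.get("SSID_STR", "?")
        if "UserPassword" in eap:
            warnings.append(f"{ssid}: UserPassword is stored in clear text in the profile")
        if eap.get("TLSAllowTrustExceptions"):
            warnings.append(f"{ssid}: TLSAllowTrustExceptions lets users accept an unknown RADIUS cert")
    return prof, warnings
```

Write the result back with plistlib.dumps(prof) and install it by double-clicking; the warnings are there because a System profile sits in a location every local user can read.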

Aug 29, 2011 5:19 PM in response to Gary_Parker

This is actually a huge problem for corporate environments running 802.1x authentication. All Lion Mac users basically just became disenfranchised. I don't understand Apple's thinking on this at all. The requirement for Lion server is downright bogus.


My experience has been that the login screen is popped every time you need to reconnect to the same wireless network but from a different access point. And the login screen takes forever to get popped up.


I appreciate the detailed command line instructions provided in this overall thread. But even I, who am pretty tech savvy, do not feel comfortable trying that approach.

Aug 31, 2011 8:15 AM in response to natevancouver

I'm still not seeing how you would configure a login profile from within profile manager.

I've tried several times to "hack" the iPhone generated file, but when we log in to our bound Lion boxes it still prompts for the 802.1x authentication. When I load the file it shows as a "device profile"; should it say login profile if I'm doing it correctly?


All I need it to do is pass the login credentials into the 802.1x for the WiFi. Had no problems getting this setup on Snow Leopard, am I missing something obvious?

Aug 31, 2011 9:26 AM in response to RallyBoulder

Rally


I think I have finally figured this out.

You can use the (Free) IPCU tool to create a wireless profile

insert the kind of auth you want eg: PEAP

and enter your username and password


Here is the method

Open the tool

add a NEW profile

give it a descriptive name ( you will see why in a moment)

give it a reverse DNS as it asks

now go to Wireless (Icon on left Nav panel)

enter ssid

select parameters eg: PEAP

enter username and password


note: you can use the "+" sign in upper right to add several different ssid profiles each with its own credentials


Now there is no Save button but hit EXPORT

Leave Sign ? as none

and Export to your desktop or anywhere else you want


exit the tool

now find the thing ( the descriptive name )

and double click it

a box will pop up asking to confirm

it will then remove all profiles in LION Wifi and insert the one you just made


Now LION WiFI preferences looks like the old Snow Leopard with the profile ( named by ssid) that you just made


There does not seem to be any way to have SEVERAL profiles, however one profile can actually contain several different sets of ssid/authentication combinations


This has worked for me and enabled me to log into a "difficult" PEAP network


Please tell me if this works for you . I have a case going with Apple--they have failed utterly thus far but if this works I can then push on them to acknowledge and then perhaps document this whole thing


steve

Sep 1, 2011 10:18 AM in response to natevancouver

I was able to get this functioning properly under Lion. I used the Lion server Profile Manager to generate our config.


A few things that I didn't realize when I began this process:


  • To set up a system or login profile using Profile Manager, you must enable "Device Management". This will require you to log in with your Apple ID (and the email must be verified, otherwise you'll get a generic error message)
  • Once you create a new device configuration you'll see the option under WiFi to use Directory Authentication
  • If your WiFi requires the user to accept a certificate, you need to include this in Profile Manager -- define it as a Certificate payload & then you can set it to be trusted under Wifi > Trust (I had to import the certificate from our primary DC)


Thanks for the help.

Oct 19, 2011 2:24 PM in response to DrVenture

Hey DrVenture (and everyone else),


Thank you for your numerous insights on this topic! If you (or someone else) could help me finalize my setup, I would greatly appreciate it!


This is our environment: we're set up with WIRED 802.1x authentication (PEAP). All our users are configured in AD and the 802.1x authenticates to our RADIUS server. This means that users simply plugging into a network jack will not get anywhere on our network. They need a correct certificate to at least join the network, then with the correct credentials, they are given the correct VLAN based on their rights.


In other words, this is how it works (at least on Windows workstations):


  • Certificates are installed on the PCs;
  • The PC is connected to a secure network jack;
  • (this part I may not be 100% right on the technical stuff...)
    • Our switch allows authentication based on the certificates,
    • receives login/password from PC,
    • authenticates on the RADIUS server;
  • If successful, the user logs on and is given a correct VLAN.


Our Lion clients were joined correctly to the AD domain so we do know that this works well on "normal" wired connection (not 802.1x authenticated).


We have followed your instructions to setup a .mobileconfig file using Lion Server, changed the PayloadScope to System and installed it. However, we still cannot authenticate. Actually, Lion doesn't even seem to see the AD server... When we are at the Lion login window, the red dot is there besides the login name, telling me that there is not authentication server available. Is this normal, or should this disappear? (I'm not sure how Lion determines when an authentication server is not available under 802.1x since it can't actually see it... so this might be normal)


Just to give you an idea, we've set up the mobileconfig file on Lion Server by setting up the following sections:


  • General
  • Network
  • Certificates


Then, we changed the PayloadScope value.


What is missing for this to work as expected?


Thanks!

Oct 20, 2011 7:31 AM in response to Drew Saur

Hi All,


After days of searching and being without wireless in a PEAP authentication environment, I finally stumbled onto this thread and using IPCU, generated the profile...exported it and still got the 'cannot use this profile' message.


I went back to check and finally - I forgot to enter the information that was labelled 'mandatory' under the 'general' section. Now it works like a charm 🙂


Wow, why is it so much more complicated than Snow Leopard?


Thanks for solving this!

Oct 20, 2011 8:11 AM in response to °Bernz°

We are here having exactly the same issue as °Bernz° does.

The only difference is that I generated the mobileconfig profile with iPCU and modified it after export to make it a System profile. However, in the Login window it still shows me a red dot saying Network accounts are not available. The profile itself looks like it is working: when I manually select it in Ethernet network properties and click on the Connect button, authorization succeeds.


Can anybody give us some assistance on this?

Oct 20, 2011 10:15 AM in response to °Bernz°

Bernz,


Are your Lion clients running 10.7.2?


***Under "Device Config" in the Profile Manager app (for Lion Server)***


So "System Mode" is used when you want your client machines logged into the network all of the time. Meaning even when a user logs his machine off, the machine will stay authenticated to the 802.1X network.


"Login Window Mode" is used when you would like the client to use its Login Window credentials to authenticate to the 802.1X protected network and then process the same credentials to log the client into a network account (or mobile account, etc).


Just want to make sure that is clear before proceeding.


If all you want is to have your users prompted for a user name and password so they can get onto your protected 802.1X network, then there are two ways to accomplish this:


1. Ethernet Auto Connect feature in Lion...

Start with a Fresh Mac (with no profiles installed). Go to System Prefs, Network, Select the Eth interface, choose advanced, 802.1X tab and then make sure the Enable auto connection checkbox is checked. Hit Ok then apply.


Now plug the Mac into the 802.1X protected switch. When the switch sends an EAP IDENTIFY packet to the Mac, the Mac should prompt you for a username and password. Enter valid user credentials. You should get prompted to accept your RADIUS server's cert. From that point on you should get an IP in the correct VLAN (since you are using dynamic VLANs).


If the above does not work, stop here. You need to debug why the Mac cannot authenticate. If you are using IAS or NPS as your RADIUS server, check your EVENT LOG on your Windows server to see if the auth attempt ever made it to the RADIUS server and (if it did) why it was rejected.


Before I start writing another book on the subject, please try the above and let me know the results.


2. Profiles To be continued.

Oct 20, 2011 12:21 PM in response to DrVenture

DrVenture,


Thanks for your answer.


I did pretty much what you explained (except my Lion 10.7.2 install was not 100% clean). I did remove all profiles, and all certificates that might be polluting the Mac.


I then plugged in the network, it prompted me for a login/password, got a local certificate (which I saw was installed in the "login" zone of Keychain Access). In the IAS logs, I see that the user is granted access. So your point #1 above seems to be completed successfully.


Next I went back to the login window to get more IAS info... The strange thing is that, when I'm at the login window, IAS does not give me any logs of an attempt to log in, even when I send a valid username/password. It's as if the switch refuses it. Since it is not very good with logs, I have little to go on...


Questions (which you might answer in point #2):


  • In your above scenario, we're not creating nor importing any mobileconfig files (yet...). Is this right?
  • So, from your point of view, I should require a "Login window mode" to accomplish my task?
  • Should I keep the RADIUS certificate in the "login" zone of Keychain Access or move it to the "system" folder? I guess "login" is the equivalent to "current user", so to make it shared, it should be in "system", but I might be wrong...


Many thanks.
