How can I create an 802.11x system profile?

(To continue my thought above...)

If it can help, this is the configuration we're trying to replicate on the Mac. It works very well on Windows.

Comments inline.......

°Bernz° wrote:

DrVenture,

Thanks for your answer.

I did pretty much what you explained (except my Lion 10.7.2 install was not 100% clean). I did remove all profiles, and all certificates that might be polluting the Mac.

I then plugged in the network, it prompted me for a login/password, got a local certificate (which I saw was installed in the "login" zone of Keychain Access. In the IAS logs, I see that the user is granted access. So your point #1 above seems to be completed successfully.

(DrVenture) So, at this point your Mac is authenticated to the switch via the IAS server and your Mac has the correct IP Address for the dynamic VLAN?

Next I went back to the login window to get more IAS info... The strange thing is that, when I'm at the login window, IAS does not give me any logs of an attempt to log in, even when I send a valid username/password. It's like if the switch refuses it. Since it is not very good in logs, I have little to go on...

(DrVenture) IAS is poop compared to NPS (in 2008 Server) IMHO. NPS has a lot of nice features, so at some point I would highly consider upgrading to 2008 Server.

Questions (which you might answer in point #2):

In your above scenario, we're not creating nor importing any mobileconfig files (yet...). Is this right?

(DrVenture) Correct. You are just using the inbuilt "Default Configuration" in the Mac.

So, from your point of you, I should require a "Login window mode" to accomplish my task?

(DrVenture) I'm not sure because I am still a little fuzzy about what your ultimate goal is.

Should I keep the RADIUS certificate in the "login" zone of Keychain Access or move it to the "system" folder? I guess "login" is the equivalent to "current user", so to make it shared, it should be in "system", but I might be wrong...

(DrVenture) Don't manually move certs in the keychain...EVER. While this can work, ultimately it can break the ACL (access controler list) that links the Password file to the certificate.

(DrVenture) Just for your info, the login keychain contains items that are specific to a user. These items (passwords, certs, etc) are made available once a user logs in. The system keychain is for holding items that the system uses (reguardless of who is logged in).

(DrVenture) Here are a few questions that I need to know before I can help guide you further..........

1. When a user logs in, do you want them to just log in to their local machine, or are they suppose to be logging in and getting a remote desktop/directory,etc.

2. Do you want the machine to be authenticated and on the network all the time, or just when a user is logged in? There are cases where admins like to have the machines logged in all of the time so they can remotely manage them with a seperate admin account.

Many thanks.

Comments inline:

DrVenture wrote:

(DrVenture) So, at this point your Mac is authenticated to the switch via the IAS server and your Mac has the correct IP Address for the dynamic VLAN?

[BENZ] Yes.

(DrVenture) Here are a few questions that I need to know before I can help guide you further..........

1. When a user logs in, do you want them to just log in to their local machine, or are they suppose to be logging in and getting a remote desktop/directory,etc.

[BERNZ] What I want to achieve: When a user logs in, I want them to fall in the right VLAN, log into my Active Directory server and, from there, behave as a normal Mac connected to AD, e.g. if the user doen't exist on the Mac client, it's home director might be created (based on the policies), group folders are mapped, etc.

2. Do you want the machine to be authenticated and on the network all the time, or just when a user is logged in? There are cases where admins like to have the machines logged in all of the time so they can remotely manage them with a seperate admin account.

[BERNZ] No, I do not need the machine to be accessible when no user is loggued in.

Ok, now I have a clear picture of what you want (or at least I think I do). Forget system mode, that will just confuse things and you really do not want to use it. What you want is a login window profile. I will have to load my copy of Lion Server again so I can guide you through the correct way to make this profile. I will get back to you when I can post step by step.

In the meantime, if you want to try this yourself, do the following:

1. Start with a fresh Mac on 10.7.2

2. Connect the Mac into a unprotected switch port on the correct VLAN

3. Configure the Mac to join the AD server by either using the system prefs - Users and Groups pane or create a device profile group (create a device group, then just add your Mac into that device group) in profile manager and just use General and the directory payload for now. Which ever method you choose, confirm the Mac can reach the AD server (make sure you getting a green jelly next to the AD server name in System Prefs - Users and Groups - Loging Options - Network Account Server. Also while you are in that pane, make sure automatic login is off, Display login window as is set to name and password and Allow network users to log in at login window is checked.

3a. General payload -- just a bunch of labels

3b. Directory payload -- input your ad server name (e.g. spam.com or whatever) admin username and password (or any account that has access on AD to add machine accounts) and an AD name for the Mac.

If this step is failing, make sure your mac can ping the ad server by hostname. You MUST have hostname resolution working for AD to work.

4. Now go to Profile Manager again and create another Device group. For this group all you need is general, networking and certs.

(I am going off memory now because I do not have profile manager in front of me)

4a. General ---just a bunch of labels

4b. Certs --add in all of the certs in the chain you need. In my case, its just a root CA from my MS Cert Srv. If you are using intermeadiates and such, you must add in all the certs in the chain.

4c. Networking -- create a Wired network payload. Select Login WIndow and PEAP. DO NOT ENTER ANYTHING for the the credential fields.......THIS IS FOR SYSTEM MODE ONLY!!! LEAVE THEM BLANK. Tab over to the Trust settings and make sure you click on all of your certs that you imported in 4b. You MUST set trust to get login window to work. The trust basically sets up the ACL between the profile and the cert in the Mac.

After the profile is installed (via push or manual), you should be ready to go. Log off and try to log back in with a user that you know exists on your AD server.

DrVenture,

This is very precious information. Many thanks, I will try it tomorrow.

You talk alot about Devices. A few questions about that:

1. My Lion Server is not on my network (it is standalone), so how will I manage future computers with my device profile? E.g. they will not be added, and my profile needs to be compatible with any future Mac. How is this achieved? Is there are "default" device group?

2. On another Lion Server, I do NOT see the device section in Profile Manager. Is this because I'm not a Master OD?

I know you have loaded Lion server and have profile manager working. Meaning, you can get to the Profile Manager admin page.

Profile Manager has two types of profiles, Device profiles and User profiles.

Device profiles are meant to manage device settings. The ONLY way you can get a networking, 802.1X System or Login window mode profile is via a device profile.

User profiles are meant for user settings ONLY. The only networking, 802.1X mode available with these types of profiles are User Mode profiles.

If you do not see device profiles then you will have to get Device Profiles enabled for Profile Manager. If you look at Lion's new server utility (that list all of the services your Lion server is running), you will see some steps listed at the bottom. Go through each step and that will should get device profiles enabled for your Profile Manager.

Yes, you will need to promote your server to an OD Master, but its pretty much all automated in those steps. You will also need a cert from Apple to get APNS (Apple Push Notification Services) working. You can get one for free (just follow the instructions).

Once you get device profiles enabled. You can either use "push" to send profiles to clients or download the profile and manually install the profile onto each client.

If you choose to do the "push" method, there are a few "gotchas" with enrolling your Mac clients.

1. To get a client enrolled with Profile Manager (assuming device profiles have been activated) got the client portal site on a Mac. MAKE SURE YOU USE THE FQDN to get to the Profile Manager. If you try to short cut this and use an IP address in place of the FQDN of the Profile Manager, the cert request that is sent via SCEP (Simple Certificate Enrollment Protocol) will fail, because the request will not match the FQDN name in the cert!!!!! You will get prompted for a user name and password. In the setup of device management one of the steps tells you to create users. Just create a test user for now.

For example. I promoted my Lion Server to an OD Master and enabled Device Management. While doing so, I decide to call my Lion server pinkeye.ad.com (since you already have an AD server and most likely your DHCP will provide the AD server address as the DNS name server...Just remember to add the IP of the Profile Manager in your AD server's DNS scope for your domain so the client can ping pinkeye.ad.com. Hope that makes sense.

I open Safari on the client and for the URL I type:

https://pinkeye.ad.com/deviceprofiles --Since I am using the FQDN, this will work because this FQDN was also used to create my cert on my OD Master.

If I try to short cut it and use:

https://<<IP Address>>/deviceprofiles -- I will be able to get to the device portal web site, but when I try to grab the enrollment cert then enroll the device, the enrollment will fail because the SCEP transaction will send <<IP Address>> and try to match that up with the cert that is using pinkeye.ad.com.

(please note: I am not sure if this is the full path to the client portal. There is a link in the Profile Manager Service pane that will take you to the full URL for the device portal. Also remember Profile Manager has TWO websites, one for Profile Management (to add,detele and change profiles) and a device portal for devices to grab profiles via http download.)

2. Now that you are at the Device Portal on the target Mac, Do not click enroll device yet. Click on the second tab and download the enrollment certificate. That should download and install the needed cert to start enrollment.

3. Now go back to the other tab and click on enroll. This will download another profile and start the enrollment process. If everything goes honkey dory, you should have two profiles installed on your Mac and your Mac should show up in your Profile Manager under devices.

I am not sure if I will get a chance to load Profile Manager again until Monday.

If needed, I have a contact at Apple who might be willing to help you. Email me offline and I can provide his contact info, provided you do not give it out to anyone else.

DrVenture,

thanks a lot for such detailed and useful information. Unfortunately, our IT is totally Windows-based here and they are not very willing to adding a new MacOS Lion-based server just for generating some profiles. Do you think this is possible to generate such profiles on a Lion server not included in our network? Or maybe use any generic template of profile with editing it manually? My goal here is to be 802.1x authorized at Login screen to be able to login with AD account on our Mac workstations using wired ethernet connection.

Thanks in advance!

When I get my Profile Manager server back up and going (Monday), I will try to provide an xml template and explain what each tag does.

Lion Server is on $49.99. What I did is on my Laptop (MacBook Pro) I just made a tiny second partition and loaded Lion Server on it. When I need profiles and such (for Login or System Mode or SCEP, etc), I just boot into that partition, create the profile I want and save the profile off to a USB key. Then I go back to my Lion Client partition and load the profile. Easy peasy lemon squeesey.

Anyway, stay tuned....

Thanks a lot, will be looking for it.

However, spending a $50 for Server license for getting just a single configuration file doesn't look rational for me :/ I'm still confused, why Apple diceded to remove configuring 802.1x System/Login connections from the Lion...

Hi DrVenture,

I cannot see your email address, but I've made mine available through my profile. Your contact's email would be appreciated (I would only contact this person as a last resort, of course).

Regards.

Great news! Things are moving forward!

Just to recap, here are some of the steps required to make wired 802.1X authentication work with Active Directory. For those that have not read the entire thread, note that you need Lion Server to create the configuration file to configure a Lion client.

For the Lion Server:

• Install Lion Server, assign a fixed IP and make sure DNS are working correctly
• In Server -> Hardare -> 'your server' -> Network, make sure the hostname is correct
• In Server -> Hardare -> 'your server' -> Settings, turn on 'Enable Apple push notifications' (not sure if this is a requirement or not...)
• In Server -> Profile Manager, activate Profile Manager
• In Server -> Profile Manager, activate Device Management --> This will turn on Open Directory
• In the Profile Manager, click the "Open Profile Manager" link at the bottom and open the web interface
• In the web interface, under Device Groups, create a new profile (I called mine '802.1X')
• Edit this profile and add 3 settings:
• 1) General: name of profile
• 2) Certificate: add the certificate(s) required for 802.1X authentifcation
• 3) Network: select 'Ethernet' as Network Interface, check the box "Use as Login Window configuration" (Important one!!), check appropriate EAP types, and under Trust, check the certificates added in step 2
• Hit OK, Click 'Save...' (bottom-right of window), then click 'Download' next to your profile. This will give you a mobileconfig file to use on your clients.

For the Lion Client:

• Connect your Lion client to Active Directory through a wired (non-secure) port --> Make sure the is a green jelly at the login window
• Install the mobileconfig file created above
• Connect your Lion client on a secure port. You should have a dropdown menu on your login window with your profile displayed, and you should see a yellow jelly with the tag "Network access requires login."
• Then, you login with your Active Directory credentials, and presto, everything should work as expected! 🙂

Question:

Must there absolutely be a Lion Server on the network, or is the mobileconfig file standalone? (from my tests, a server IS required, but I would like to avoid this if possible since it would not currently be used for any other reasons)

Many thanks for your help!

The only time you HAVE to have a Lion server on the network (in reguards to profiles) is when you want to add/change/delete profiles using APNS.

I'm running into a strange problem now. My RADIUS supports PEAP MSCHAPv2 authentication. This works great when a user is already loggued in (Lion seems to support this protocol well), but even if I set up PEAP in Profile Manager, RADIUS error messages tell me that the Mac is trying to login using EAP (not PEAP), and therefore rejects it.

Any Idea how I can force PEAP MSCHAPv2 as the login protocol? Once again, Profile Manager seems to support it, but the RADIUS logs tell me otherwise.

Thanks for any help on this!

Ok, please ignore this last post. Some security settings were missing... My bad!