
How can I create an 802.11x system profile?

How can I create a system-wide 802.11x profile in Lion? This would allow the Mac to connect to the wireless network at startup, before login.


In Snow Leopard there was a “+” button on the 802.11x screen that let you create a system profile. In Lion you have to use the iPhone Configuration Utility (yes iPhone) to create a configuration profile, which you then import on the Mac.


But as far as I can tell that only creates a user profile. With a user profile the wireless network is not connected until after you log in.

Posted on Jul 20, 2011 3:17 PM

Question marked as Best reply

Posted on Jul 20, 2011 3:18 PM

You have to use Profile Manager on Lion Server to create System Mode or Login Window mode profiles for Lion clients.

71 replies

Oct 26, 2011 8:19 PM in response to vitaly_s

Hi vitaly_s,


Here is my edited mobileconfig file (I've removed personal information, but haven't touched the structure).


I've noticed that I did lose much time on the setup of my Active Directory objects. In fact, the way our RADIUS is set up, it checks both the computer and the user in AD and verifies if they are members of a VLAN group. If so, then after 802.1X authentication, they are assigned the computer's VLAN. (Your rules might be different though...). So, if you have similar rules, DON'T forget to assign these VLAN groups or else it won't work.


Since the big part of the configuration is the Network Payload part, I've attached the screenshot of my setup in Profile Manager.


[Screenshot attachment: Network payload setup in Profile Manager]


Here goes the XML! Enjoy!

---


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadContent</key>
            <data>[MY CERTIFICATE DATA]</data>
            <key>PayloadDisplayName</key>
            <string>svr21.toto.com</string>
            <key>PayloadEnabled</key>
            <true/>
            <key>PayloadIdentifier</key>
            <string>com.apple.mdm.minimac0001.toto.com.bd38dfc0-e08d-012e-0b99.alacarte.certificate.926B165C-5A45-48CB-8DD6</string>
            <key>PayloadType</key>
            <string>com.apple.security.root</string>
            <key>PayloadUUID</key>
            <string>926B165C-5A45-48CB-8DD6</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
        <dict>
            <key>PayloadContent</key>
            <data>[MY CERTIFICATE DATA]</data>
            <key>PayloadDisplayName</key>
            <string>svr26.toto.com</string>
            <key>PayloadEnabled</key>
            <true/>
            <key>PayloadIdentifier</key>
            <string>com.apple.mdm.minimac0001.toto.com.bd38dfc0-e08d-012e-0b99.alacarte.certificate.4DE7CCB5-60DD-4B6A-93F3</string>
            <key>PayloadType</key>
            <string>com.apple.security.root</string>
            <key>PayloadUUID</key>
            <string>4DE7CCB5-60DD-4B6A-93F3</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
        <dict>
            <key>AuthenticationMethod</key>
            <string>directory</string>
            <key>AutoJoin</key>
            <true/>
            <key>EAPClientConfiguration</key>
            <dict>
                <key>AcceptEAPTypes</key>
                <array>
                    <integer>25</integer>
                </array>
                <key>EAPFASTProvisionPAC</key>
                <false/>
                <key>EAPFASTProvisionPACAnonymously</key>
                <false/>
                <key>EAPFASTUsePAC</key>
                <false/>
                <key>OneTimeUserPassword</key>
                <false/>
                <key>OuterIdentity</key>
                <string></string>
                <key>PayloadCertificateAnchorUUID</key>
                <array>
                    <string>926B165C-5A45-48CB-8DD6</string>
                    <string>4DE7CCB5-60DD-4B6A-93F3</string>
                </array>
                <key>SystemModeCredentialsSource</key>
                <string>ActiveDirectory</string>
                <key>TTLSInnerAuthentication</key>
                <string>MSCHAPv2</string>
                <key>UserName</key>
                <string></string>
                <key>UserPassword</key>
                <string></string>
                <key>tlsTrustedServerNames</key>
                <array/>
            </dict>
            <key>EncryptionType</key>
            <string>Any</string>
            <key>HIDDEN_NETWORK</key>
            <false/>
            <key>Interface</key>
            <string>FirstActiveEthernet</string>
            <key>PayloadDisplayName</key>
            <string>Wired 802.1X</string>
            <key>PayloadEnabled</key>
            <true/>
            <key>PayloadIdentifier</key>
            <string>com.apple.mdm.minimac0001.toto.com.bd38dfc0-e08d-012e-0b99.alacarte.interfaces.184dbc20-e158-012e-0b9f</string>
            <key>PayloadType</key>
            <string>com.apple.firstactiveethernet.managed</string>
            <key>PayloadUUID</key>
            <string>184dbc20-e158-012e-0b9f</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>ProxyType</key>
            <string>None</string>
            <key>SetupModes</key>
            <array>
                <string>System</string>
                <string>Loginwindow</string>
            </array>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>Settings for 802.1X</string>
    <key>PayloadIdentifier</key>
    <string>com.apple.mdm.minimac0001.toto.com.bd38dfc0-e08d-012e-0b99.alacarte</string>
    <key>PayloadOrganization</key>
    <string>802.1X Profile</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>bd38dfc0-e08d-012e-0b99</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

Oct 27, 2011 5:21 AM in response to vitaly_s

Vitaly_s,


The certificates are authority server certificates (.CER) files used by RADIUS to authenticate to our 802.1X environment. They are required in addition to a valid username/password.


The files are simply added in the "Certificate" section of Profile Manager, then, in the "Network" section (image above), under the Trust tab, I simply checked them to indicate that they were trusted for this connection.


Hope this helps!

Jan 1, 2012 12:47 AM in response to MennoTech

Many thanks, MennoTech!


To add to what you wrote, I got the wireless to start up before login by using the System profile modifications to the unsigned .mobileconfig file (instead of Loginwindow) and tricking OS X Lion into thinking that localhost is an LDAPv3 server.


OS X Lion won't automatically connect to the wireless network before login until you add a fake LDAPv3 server to the local authentication system. An Apple article that I lost track of said that the automatic connection doesn't happen unless a remote authentication service exists in the configuration.


To add a fake LDAPv3 server, go to System Preferences | Users & Groups | Login Options | Network Account Server -> Edit | Open Directory Utility | LDAPv3 | Pencil icon on bottom-left. Create a configuration named "dummy" with the server name set to localhost. Set LDAP Mappings to RFC2307. Press OK. In Search Policy | Authentication, click on + and add the dummy /LDAPv3/localhost server that you just added. Click Apply and then close the window. You should now see 'localhost' with a red dot next to it in the Users & Groups window. This is expected.


Reboot. Your computer should automatically connect to your wireless network, assuming that you created the .mobileconfig file properly, had modified it to use the System PayloadScope and System SetupMode, and imported it by double-clicking on the file in the Finder previously. In the login screen, the wireless icon on the top-right will be a darker shade of grey if it's set up to connect. If it's light-grey, then it might not have worked. To tell for sure, try pinging your Mac from another system. If you can ping it, then you're all set :-).

Apr 4, 2012 4:40 PM in response to MennoTech

MennoTech wrote:


This is what worked for me:


To get a system to work with an IPCU mobileconfig, create a working “user” profile and add the following items:


Starting the line immediately below the SSID_STR key’s ‘<string>’ value, add this:


<key>SetupModes</key>
<array>
    <string>System</string>
</array>


Change "System" to "Loginwindow" to create a Login Profile.


Insert these lines immediately above the bottom-most PayloadType key line:


<key>PayloadScope</key>
<string>System</string>

I was able to get both a System profile and a Login Profile working. No Lion servers involved for me, just the iPhone Configuration Utility.


Taken from: http://www.iphoting.com/blog/archives/817-Lion-Wireless-Access-in-SMU.html

I'm so new to all of this and I'm trying hard to follow along. Would it be possible to give out step-by-step instructions on how to do this? I'm just not sure where in IPCU to do all of this. I created a new Profile but I don't know which "section" to add the above information to. Do I go into General, Wi-Fi, Credentials, etc.?


I'd love to be able to get my wireless Lion clients see our 802.1x network at the Login screen. I work at an elementary school and we use the "list of names" for the little kids. Of course, nothing shows up on my Login screen when the computer can't connect to the wireless network!


So sorry for my ignorance.
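The two edits MennoTech lists above (SetupModes on the network payload, PayloadScope at the top level) and the structure of the Profile Manager export posted earlier in the thread can be applied and checked mechanically. The following script is an added example written for this thread, not code from Apple, IPCU or Profile Manager: it loads an unsigned user-scope .mobileconfig with Python's standard plistlib, applies the two edits, and lints the EAP trust settings (certificate anchors that actually resolve to a certificate payload, and a non-empty trusted-server-name list). The sample profile is constructed, with placeholder SSID, UUIDs and certificate bytes; the ".managed" PayloadType heuristic for finding network payloads and the case-insensitive match on the tlsTrustedServerNames key (spelled that way in the posted profile) are this example's own assumptions.

```python
"""Convert a user-scope 802.1X .mobileconfig into a System/Loginwindow profile
and lint its EAP trust settings. Added example; not code from this thread."""
import copy
import plistlib

VALID_MODES = {"System", "Loginwindow"}

# Constructed sample: a minimal IPCU-style *user* Wi-Fi profile. The SSID, UUIDs
# and certificate bytes are placeholders, not values from any real network.
ROOT_CA_UUID = "11111111-2222-3333-4444-555555555555"
USER_PROFILE = {
    "PayloadContent": [
        {   # trust anchor for the RADIUS server certificate
            "PayloadContent": b"PLACEHOLDER-DER-CERT-BYTES",
            "PayloadDisplayName": "radius-root-ca (constructed)",
            "PayloadIdentifier": "example.root.1",
            "PayloadType": "com.apple.security.root",
            "PayloadUUID": ROOT_CA_UUID,
            "PayloadVersion": 1,
        },
        {   # the Wi-Fi payload IPCU writes; no SetupModes yet
            "SSID_STR": "example-wlan",
            "AutoJoin": True,
            "EncryptionType": "WPA",
            "EAPClientConfiguration": {
                "AcceptEAPTypes": [25],               # 25 = PEAP
                "TTLSInnerAuthentication": "MSCHAPv2",
                "PayloadCertificateAnchorUUID": [ROOT_CA_UUID],
                "TLSTrustedServerNames": [],          # empty, as in the posted profile
            },
            "PayloadIdentifier": "example.wifi.1",
            "PayloadType": "com.apple.wifi.managed",
            "PayloadUUID": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
            "PayloadVersion": 1,
        },
    ],
    "PayloadDisplayName": "Example 802.1X (constructed)",
    "PayloadIdentifier": "example.profile",
    "PayloadType": "Configuration",
    "PayloadUUID": "ffffffff-0000-1111-2222-333333333333",
    "PayloadVersion": 1,
}


def network_payloads(profile):
    """Wi-Fi or Ethernet payloads that carry an 802.1X (EAP) configuration (assumed heuristic)."""
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType", "").endswith(".managed")
            and "EAPClientConfiguration" in p]


def make_system_profile(profile, modes=("System",)):
    """Return a copy with the thread's two edits applied: SetupModes on each
    network payload and PayloadScope=System at the top level."""
    unknown = set(modes) - VALID_MODES
    if unknown:
        raise ValueError(f"unknown SetupModes: {sorted(unknown)}")
    out = copy.deepcopy(profile)
    nets = network_payloads(out)
    if not nets:
        raise ValueError("no network payload with EAPClientConfiguration")
    for p in nets:
        p["SetupModes"] = list(modes)
    out["PayloadScope"] = "System"
    return out


def lint_trust(profile):
    """Defender's checks on the EAP trust settings; returns a list of findings."""
    findings = []
    cert_uuids = {p["PayloadUUID"] for p in profile.get("PayloadContent", [])
                  if p.get("PayloadType", "").startswith("com.apple.security.")}
    for p in network_payloads(profile):
        eap = p["EAPClientConfiguration"]
        name = p.get("PayloadDisplayName") or p.get("PayloadUUID", "?")
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors:
            findings.append(f"{name}: no PayloadCertificateAnchorUUID, the RADIUS "
                            "server certificate is not pinned to a CA payload")
        for a in anchors:
            if a not in cert_uuids:
                findings.append(f"{name}: anchor {a} has no matching certificate payload")
        # The posted profile spells this key tlsTrustedServerNames; match case-insensitively.
        names = next((v for k, v in eap.items()
                      if k.lower() == "tlstrustedservernames"), None)
        if not names:
            findings.append(f"{name}: TLSTrustedServerNames is empty, so the server "
                            "certificate's name is not restricted")
        if "System" in p.get("SetupModes", []) and profile.get("PayloadScope") != "System":
            findings.append(f"{name}: SetupModes has System but PayloadScope is not System")
    return findings


def to_mobileconfig_bytes(profile):
    """Serialise to the XML plist form an unsigned .mobileconfig uses."""
    return plistlib.dumps(profile)


def from_mobileconfig_bytes(data):
    """Parse an unsigned .mobileconfig back into a dict (signed ones are CMS-wrapped)."""
    return plistlib.loads(data)


if __name__ == "__main__":
    system_profile = make_system_profile(USER_PROFILE)
    print(to_mobileconfig_bytes(system_profile).decode())
    for finding in lint_trust(system_profile):
        print("WARNING:", finding)
```

Run it against a real export by replacing USER_PROFILE with from_mobileconfig_bytes(open(path, "rb").read()); a Profile Manager export that is signed must be unwrapped first, since plistlib only reads the bare XML. The lint deliberately flags the empty trusted-server-name list that the posted profile also has: with only a CA anchor, any server certificate issued by that CA is accepted, and in System mode there is no logged-in user to confirm an unexpected certificate.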

Aug 10, 2012 9:13 AM in response to natevancouver

We are an all-Windows hospital. We are using AD and I have the Mac set up and joined to the Domain so I can log into it when connected with a network cable. We have a couple of Macs that I have and I am trying to get them on the wireless on the log-in screen. We don't have Lion Server so I am wondering if somebody with Lion Server could create a logonwindow profile for me. The wireless network is hidden and it is called pcmg201 if that helps.


Thanks,

Seth Tomlinson

Sep 18, 2012 4:52 AM in response to swtomlinson

I'm having a very similar problem.

I have several MBPs running 10.7.4.

I also have a Mac server running 10.7.4; there is also AD for user authentication.

The wireless network is 802.11x. I can join it with a profile I created on the server; it is enabled for System and Login Window,

but it won't work as a system setting.


i.e. at the login window I can't access the network.

I have tried lots of different variations; all give the same result.


There isn't a certificate for the site?

Oct 26, 2012 1:44 AM in response to aguiness

**** All,


I'm trying to create a configuration file on ML Server with the Profile Manager.


My customer needs TLS authentication. So far, the Mac client is integrated into the AD, and we have the certificates (machine, root and 2 intermediates), which are automatically copied from the AD to the client.


The issue is with the login window (no authentication until login) - so that's the reason why I'm trying to create the .mobileconfig file.


I've uploaded all 4 certificates into the Profile Manager, but there is no way to select one when activating TLS, the select list is greyed out.


Does anyone have a hint for me as to what's going on?


Thanks in advance and best regards,

Yasmin
