How can I create an 802.11x system profile?

How can I create a system-wide 802.11x profile in Lion? This would allow the Mac to connect to the wireless network at startup, before login.


In Snow Leopard there was a “+” button on the 802.11x screen that let you create a system profile. In Lion you have to use the iPhone Configuration Utility (yes iPhone) to create a configuration profile, which you then import on the Mac.


But as far as I can tell that only creates a user profile. With a user profile the wireless network is not connected until after you log in.

Posted on Jul 20, 2011 3:17 PM

Question marked as Best reply

Posted on Jul 20, 2011 3:18 PM

You have to use Profile Manager on Lion Server to create System Mode or Login Window mode profiles for Lion clients.

71 replies

Aug 20, 2013 4:40 PM in response to WHS ict

Hi WHS,


It's a bit confusing in the Profile Manager interface, but the way I solved it is that in the Network payload, I check the box Use as a Login Window configuration.



Basically, this means that the configuration will be used at the login window, e.g. when no one is connected, so this is basically a "system" configuration.


(P.-S. it goes without saying that you need OS X Server with Profile Manager to do this...)

Aug 20, 2013 5:08 PM in response to WHS ict

Well, more or less... I believe that in a previous version of OS X, they did make the distinction. And maybe for other configuration aspects, it does make a difference. But for 802.1X, the difference doesn't seem to be there.


If you look at the profile manager documentation (http://help.apple.com/profilemanager/mac/2.2/#apdF985515F-9344-46EE-BAC5-D60ABBF1C1D1), they are pretty clear that both are pretty much the same:


When you’re creating a profile for a user, the settings are for 802.1X user mode. When you’re creating a profile for a device, the settings are for system mode or login window mode.


As you can read from this extract of Apple's documentation, for the device, system and login mode seem to be pretty much the same... at least in this situation.

Aug 20, 2013 5:35 PM in response to Tunc

yeah, they are behaving oddly. i'm wanting there to be a login window profile, to allow my network users to validate with the server on my radius secured wireless, but then they should disconnect from that wireless and join the guest network. I thought a login profile did that. instead i'm seeing the laptop connected to the radius network before login (so i can ssh into the device), then the laptop remains connected to the login window profile network after login, which makes it more of a system profile.


anyone know how i can achieve what i'm after with Lion?


Message was edited by: WHS ict

Aug 20, 2013 5:42 PM in response to WHS ict

Hi WHS,


Just like you, I needed to have a profile connected to my WPA2 Enterprise WiFi network at the login window. I created a .mobileconfig file with OS X Server with the option Use as a Login Window configuration checked, and it works as expected.


I created a dummy account for the Login window, with no rights whatsoever on the network, but with the ability to log in using RADIUS. Then, once the user logs in, the user's credentials are used to authenticate through RADIUS.


Don't know if that's what you need, but it worked for me under 10.8.


Regards.

Aug 20, 2013 6:18 PM in response to °Bernz°

almost. i'm also using a machine account to allow the network user to be authenticated over a radius secured network.


i then want that radius secured network to close, and a WPA network to be used instead (the user profile network). this allows me to limit access to the device to registered users only, and limit access to the internal network to authorised users only.


i had thought a system profile works for login and user, a login profile for the login step only and a user profile for the user step only, it appears that i am wrong.


is there any way to do what i want, or do i need to expose my LDAP server to the WPA (guest) network in order to get network users authenticated?

Aug 30, 2013 6:15 AM in response to natevancouver

Try to make a 802.1x for a 10.7.5 system. After the user login it works, but i want a system account. any idea what's wrong with my xml file? or what i am missing?


thanks


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>AutoJoin</key>
            <false/>
            <key>EAPClientConfiguration</key>
            <dict>
                <key>AcceptEAPTypes</key>
                <array>
                    <integer>13</integer>
                </array>
                <key>EAPFASTProvisionPAC</key>
                <false/>
                <key>EAPFASTProvisionPACAnonymously</key>
                <false/>
                <key>EAPFASTUsePAC</key>
                <false/>
                <key>PayloadCertificateAnchorUUID</key>
                <array>
                    <string>6F390D6B-80AB-4E3A-9222-BDA0FFF20F2A</string>
                </array>
                <key>TLSTrustedServerNames</key>
                <array/>
                <key>TTLSInnerAuthentication</key>
                <string>MSCHAPv2</string>
                <key>UserName</key>
                <string></string>
                <key>UserPassword</key>
                <string></string>
            </dict>
            <key>EncryptionType</key>
            <string>WPA</string>
            <key>HIDDEN_NETWORK</key>
            <true/>
            <key>PayloadDescription</key>
            <string>Configures wireless connectivity settings.</string>
            <key>PayloadDisplayName</key>
            <string>Wi-Fi (-)</string>
            <key>PayloadIdentifier</key>
            <string>local.test.profile.wifi1</string>
            <key>PayloadOrganization</key>
            <string></string>
            <key>PayloadType</key>
            <string>com.apple.wifi.managed</string>
            <key>PayloadUUID</key>
            <string>D732275D-9269-4C18-BC01-EED50FBCE0FA</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>ProxyType</key>
            <string>None</string>
            <key>SSID_STR</key>
            <string>-</string>
            <key>SetupModes</key>
            <array>
                <string>System</string>
                <string>Loginwindow</string>
            </array>
        </dict>
        <dict>
            <key>PayloadCertificateFileName</key>
            <string>CA1</string>
            <key>PayloadContent</key>
            <data>

MIIDbjCCAlagAwIBAgIQJiGU9rU4sKZJ5X7tpWQKGjANBgkqhkiG

9w0BAQUFADA/MRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxGDAWBgoJ

kiaJk/IsZAEZFghjYnMtbmlvYjEMMAoGA1UEAxMDQ0ExMB4XDTEz

MDgwMTA5MzQwNFoXDTIzMDgwMTA5NDQwMlowPzEVMBMGCgmSJomT

8ixkARkWBWxvY2FsMRgwFgYKCZImiZPyLGQBGRYIY2JzLW5pb2Ix

DDAKBgNVBAMTA0NBMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC

AQoCggEBAJSTewHD3wvtOjTjY/NdAM1gIiWZESwCgB1EsTs8cXNQ

VS33Fv+Wl3cEoZYS99ocETGwz9c02neQobV2bPhqe+IkU/jc9CW4

OgfW9pdrAMlDCrDJ7shsenTKKmdfutPZ5VQfQgBTF/6acz4Cq2l0

euIoSulMeQ/bBFxBn/MWmZ1m/Jinxi1iVbTHnuTvxEZI6Jj6E/OO

sPUBgsvCencnqz+nSRzFlDNtosleVuFXFolBukzgnLpxkQI+a3Ab

cMUW5HR4STqQAnyALv+q88d08eWQDzX3hf2ejgIw39g8YbCIZQpn

SpVqNu/j5RH5kPqIMlT3rSaV9V/xixRQglMDGeECAwEAAaNmMGQw

EwYJKwYBBAGCNxQCBAYeBABDAEEwCwYDVR0PBAQDAgGGMA8GA1Ud

EwEB/wQFMAMBAf8wHQYDVR0OBBYEFAoH7bBxS9OkqWlNBttqQynr

ROcjMBAGCSsGAQQBgjcVAQQDAgEAMA0GCSqGSIb3DQEBBQUAA4IB

AQAgNY5njNUD8awe2si8QiDVQcdOp3/jT++ghBv+GkLpwsf6sb72

qUKoWE3+DA6ZT7VYg6ZV6z7uIMA8eYAoz2tQLBLkzKXlJA5HaXML

+loGad7ksA7si7rqZhxdcVRDnaRwZxUwB1ddWr2jsZgewId7doId

5GjxeC1PZOCKCVpKXtLwFLXZNQjj+BVOiccXLCY/6BPFXtySNMac

DEFMAVk9vmqTsISZJbpq4AMtrmWfBcq+cNKLq6kDbOPUUJK9TFpu

PAD6BTWjKAcvkBJuDuqBS84lyp82b4QdRYdPP4AtT1jtYrpg0547

OSBXxfh7b5Ou0QB3oq3Hlc/x69HpGrU1

            </data>
            <key>PayloadDescription</key>
            <string>Provides device authentication (certificate or identity).</string>
            <key>PayloadDisplayName</key>
            <string>CA1</string>
            <key>PayloadIdentifier</key>
            <string>local.test.profile.credential2</string>
            <key>PayloadOrganization</key>
            <string></string>
            <key>PayloadType</key>
            <string>com.apple.security.root</string>
            <key>PayloadUUID</key>
            <string>6F390D6B-80AB-4E3A-9222-BDA0FFF20F2A</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Profile description.</string>
    <key>PayloadDisplayName</key>
    <string>Lion 802.1x</string>
    <key>PayloadIdentifier</key>
    <string>local.test.profile</string>
    <key>PayloadOrganization</key>
    <string></string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>D16F5411-533E-4038-8CE7-7CAADE871026</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
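
An added example, not part of any post in this thread and not Apple's code: a Python check that parses a .mobileconfig like the one posted above and flags 802.1X settings worth reviewing before deployment (EAP-TLS accepted with no identity certificate referenced, a TTLS inner method set while TTLS is not accepted, no pinned RADIUS server name, trust anchors that point at no certificate payload). The function name `audit`, the finding labels and the trimmed sample are constructed for illustration.

```python
import plistlib

# Constructed sample, trimmed from the profile posted above (certificate data replaced).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PayloadContent</key><array>
 <dict>
  <key>PayloadType</key><string>com.apple.wifi.managed</string>
  <key>SetupModes</key><array><string>System</string><string>Loginwindow</string></array>
  <key>EAPClientConfiguration</key><dict>
   <key>AcceptEAPTypes</key><array><integer>13</integer></array>
   <key>PayloadCertificateAnchorUUID</key>
   <array><string>6F390D6B-80AB-4E3A-9222-BDA0FFF20F2A</string></array>
   <key>TLSTrustedServerNames</key><array/>
   <key>TTLSInnerAuthentication</key><string>MSCHAPv2</string>
  </dict>
 </dict>
 <dict>
  <key>PayloadType</key><string>com.apple.security.root</string>
  <key>PayloadUUID</key><string>6F390D6B-80AB-4E3A-9222-BDA0FFF20F2A</string>
  <key>PayloadContent</key><data>AAAA</data>
 </dict>
</array></dict></plist>"""

EAP_TLS, EAP_TTLS = 13, 21  # IANA EAP method numbers

def audit(raw):
    """Return finding labels for every Wi-Fi payload in a configuration profile."""
    payloads = plistlib.loads(raw).get("PayloadContent", [])
    cert_uuids = {p.get("PayloadUUID") for p in payloads
                  if str(p.get("PayloadType", "")).startswith("com.apple.security.")}
    findings = []
    for p in payloads:
        if p.get("PayloadType") != "com.apple.wifi.managed":
            continue
        eap = p.get("EAPClientConfiguration", {})
        types = eap.get("AcceptEAPTypes", [])
        if not p.get("SetupModes"):
            findings.append("no-setup-modes")  # not marked System or Loginwindow
        if EAP_TLS in types and not p.get("PayloadCertificateUUID"):
            findings.append("eap-tls-no-identity")  # EAP-TLS needs a client certificate
        if eap.get("TTLSInnerAuthentication") and EAP_TTLS not in types:
            findings.append("ttls-inner-auth-unused")  # only read for EAP-TTLS
        if not eap.get("TLSTrustedServerNames"):
            findings.append("server-name-unpinned")  # any cert under the anchor passes
        if set(eap.get("PayloadCertificateAnchorUUID", [])) - cert_uuids:
            findings.append("anchor-uuid-dangling")  # no matching certificate payload
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The labels are review prompts rather than a diagnosis of the posted file: whether a given setting is a problem depends on how the RADIUS server and the clients are meant to authenticate.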
