Yes, I think I can create a wireless profile using IPCU,
but can anyone tell me how to get the profile to be recognized by the MBP that I am using?
I see things about exporting via e-mail etc., but all I want to do is to create a wireless profile to use on THIS machine,
the same facility that existed in Snow Leopard but has somehow been removed in LION?
Nick, I received that error when I signed the security profile during export. You need to make sure that you set security to "None" when you export. If you sign the profile you cannot make edits using a text editor because it breaks the signature (that's the whole reason why you would normally sign export files).
Here's some sample code that works for me.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>PayloadDescription</key>
<string>Configures wireless connectivity settings.</string>
<key>PayloadDisplayName</key>
<string>Test System 802.1X Profile</string>
</dict></plist>
This is actually a huge problem for corporate environments running 802.1x authentication. All Lion Mac users basically just became disenfranchised. I don't understand Apple's thinking on this at all. The requirement for Lion server is downright bogus.
My experience has been that the login screen is popped every time you need to reconnect to the same wireless network but from a different access point. And the login screen takes forever to get popped up.
I appreciate the detailed command line instructions provided in this overall thread. But even I, who am pretty tech savvy, do not feel comfortable trying that approach.
I'm still not seeing how you would configure a login profile from within profile manager.
I've tried several times to "hack" the iPhone-generated file, but when we log in to our bound Lion boxes it still prompts for the 802.1x authentication. When I load the file it shows as a "device profile"; should it say login profile if I'm doing it correctly?
All I need it to do is pass the login credentials into the 802.1x for the WiFi. Had no problems getting this setup on Snow Leopard, am I missing something obvious?
I think I have finally figured this out.
You can use the (free) IPCU tool to create a wireless profile,
insert the kind of auth you want, e.g. PEAP,
and enter your username and password.
Here is the method:
Open the tool.
Add a NEW profile.
Give it a descriptive name (you will see why in a moment).
Give it a reverse DNS as it asks.
Now go to Wireless (icon on left nav panel).
Select parameters, e.g. PEAP.
Enter username and password.
Note: you can use the "+" sign in the upper right to add several different SSID profiles, each with its own credentials.
Now there is no Save button, but hit EXPORT.
Leave Sign? as none,
and export to your desktop or anywhere else you want.
Exit the tool.
Now find the thing (the descriptive name)
and double-click it.
A box will pop up asking to confirm.
It will then remove all profiles in LION Wi-Fi and insert the one you just made.
Now LION Wi-Fi preferences looks like the old Snow Leopard with the profile (named by SSID) that you just made.
There does not seem to be any way to have SEVERAL profiles; however, one profile can actually contain several different sets of SSID/authentication combinations.
This has worked for me and enabled me to log into a "difficult" PEAP network.
Please tell me if this works for you. I have a case going with Apple--they have failed utterly thus far, but if this works I can then push on them to acknowledge and then perhaps document this whole thing.
I was able to get this functioning properly under Lion. I used the Lion server Profile Manager to generate our config.
A few things that I didn't realize when I began this process:
- To set up a system or login profile using Profile Manager, you must enable "Device Management". This will require you to log in with your Apple ID (and the email must be verified, otherwise you'll get a generic error message).
- Once you create a new device configuration you'll see the option under WiFi to use Directory Authentication.
- If your WiFi requires the user to accept a certificate, you need to include this in Profile Manager -- define it as a Certificate payload, and then you can set it to be trusted under Wifi > Trust (I had to import the certificate from our primary DC).
Thanks for the help.
I created a Device profile, but after I download it then go to add it on the client machine, I get an error:
Profile installation failed.
The profile "....." could not be installed due to an unexpected error.
Is there any hope for getting Lion Server to generate system and/or loginwindow profiles that actually work?
Hey DrVenture (and everyone else),
Thank you for your numerous insights on this topic! If you (or someone else) could help me finalize my setup, I would greatly appreciate it!
This is our environment: we're set up with WIRED 802.1x authentication (PEAP). All our users are configured in AD and the 802.1x authenticates to our RADIUS server. This means that users simply plugging into a network jack will not get anywhere on our network. They need a correct certificate to at least join the network; then, with the correct credentials, they are given the correct VLAN based on their rights.
In other words, this is how it works (at least on Windows workstations):
- Certificates are installed on the PCs;
- The PC is connected to a secure network jack;
- (this part I may not be 100% right on the technical stuff...)
- Our switch allows authentication based on the certificates,
- receives login/password from PC,
- authenticates on the RADIUS server;
- If successful, the user logs on and is given a correct VLAN.
Our Lion clients were joined correctly to the AD domain so we do know that this works well on "normal" wired connection (not 802.1x authenticated).
We have followed your instructions to set up a .mobileconfig file using Lion Server, changed the PayloadScope to System and installed it. However, we still cannot authenticate. Actually, Lion doesn't even seem to see the AD server... When we are at the Lion login window, the red dot is there beside the login name, telling me that there is no authentication server available. Is this normal, or should this disappear? (I'm not sure how Lion determines when an authentication server is not available under 802.1x since it can't actually see it... so this might be normal.)
Just to give you an idea, we've set up the mobileconfig file on Lion Server by setting up the following sections:
Then, we changed the PayloadScope value.
What is missing for this to work as expected?
After days of searching and being without wireless in a PEAP authentication environment, I finally stumbled onto this thread and, using IPCU, generated the profile... exported it and still got the 'cannot use this profile' message.
I went back to check and finally - I forgot to enter the information that was labelled 'mandatory' under the 'general' section. Now it works like a charm
Wow, why is it so much more complicated than Snow Leopard?
Thanks for solving this!
We are having exactly the same issue here as °Bernz° does.
The only difference is that I generated the mobileconfig profile with iPCU and modified it after export to make it a System profile. However, in the login window it still shows me a red dot saying Network accounts are not available. The profile itself looks like it is working: when I manually select it in the Ethernet network properties and click on the Connect button, authorization succeeds.
Can anybody give us some assistance on this?
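A worked version of the edit the posts above describe (change the exported iPCU profile's PayloadScope to System), added here as an example that is not code from this thread. It uses a constructed sample export with placeholder SSID, identifier and credentials, refuses a signed export for the reason given earlier in the thread (editing a signed profile breaks its signature), and reports what the profile carries, including whether the PEAP password is stored in the file in the clear.

```python
import plistlib

PEAP = 25  # EAP type number that PEAP uses in AcceptEAPTypes

# Constructed sample standing in for an unsigned iPCU export (all values are placeholders).
SAMPLE_EXPORT = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Test System 802.1X Profile",
    "PayloadIdentifier": "com.example.wifi.peap",
    "PayloadVersion": 1,
    "PayloadContent": [{
        "PayloadType": "com.apple.wifi.managed",
        "SSID_STR": "CorpWiFi",
        "EncryptionType": "WPA",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [PEAP],
            "UserName": "jdoe",
            "UserPassword": "hunter2",  # iPCU writes the password into the profile as plain text
        },
    }],
})


def is_editable(data: bytes) -> bool:
    """True for a plain XML plist; a signed export is a CMS blob and editing it breaks the signature."""
    return data.lstrip().startswith(b"<?xml")


def set_system_scope(data: bytes) -> bytes:
    """Turn a user-scoped profile into a System (loginwindow) profile, as described in the thread."""
    if not is_editable(data):
        raise ValueError("profile is signed; re-export from iPCU with Security set to None")
    profile = plistlib.loads(data)
    profile["PayloadScope"] = "System"
    return plistlib.dumps(profile)


def audit(data: bytes) -> dict:
    """Summarise what the profile pushes: scope, SSIDs, EAP type, and whether a password is embedded."""
    profile = plistlib.loads(data)
    eap = [p for p in profile.get("PayloadContent", []) if "EAPClientConfiguration" in p]
    return {
        "scope": profile.get("PayloadScope", "User"),  # a missing PayloadScope means a user profile
        "ssids": [p.get("SSID_STR") for p in eap],
        "peap": bool(eap) and all(PEAP in p["EAPClientConfiguration"].get("AcceptEAPTypes", []) for p in eap),
        "embedded_password": any("UserPassword" in p["EAPClientConfiguration"] for p in eap),
    }


if __name__ == "__main__":
    print(audit(set_system_scope(SAMPLE_EXPORT)))
```

Run it against a real export by reading the .mobileconfig into bytes instead of SAMPLE_EXPORT; an embedded_password of True means the file itself holds the user's credential and should be protected accordingly.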
Are your Lion clients running 10.7.2?
***Under "Device Config" in the Profile Manager app (for Lion Server)***
So "System Mode" is used when you want your client machines logged into the network all of the time. Meaning even when a user logs his machine off, the machine will stay authenticated to the 802.1X network.
"Login Window Mode" is used when you would like the client to use its Login Window credentials to authenticate to the 802.1X protected network and then process the same credentials to log the client into a network account (or mobile account, etc).
Just want to make sure that is clear before proceeding.
If all you want is to have your users prompted for a user name and password so they can get onto your protected 802.1X network, then there are two ways to accomplish this:
1. Ethernet Auto Connect feature in Lion...
Start with a Fresh Mac (with no profiles installed). Go to System Prefs, Network, Select the Eth interface, choose advanced, 802.1X tab and then make sure the Enable auto connection checkbox is checked. Hit Ok then apply.
Now plug the Mac into the 802.1X protected switch. When the switch sends an EAP IDENTIFY packet to the Mac, the Mac should prompt you for a username and password. Enter valid user credentials. You should get prompted to accept your RADIUS server's cert. From that point on you should get an IP in the correct VLAN (since you are using dynamic VLANs).
If the above does not work, stop here. You need to debug why the Mac cannot authenticate. If you are using IAS or NPS as your RADIUS server, check the EVENT LOG on your Windows server to see if the auth attempt ever made it to the RADIUS server and (if it did) why it was rejected.
Before I start writing another book on the subject, please try the above and let me know the results.
2. Profiles To be continued.