68 Replies. Latest reply: Aug 30, 2013 6:15 AM by Peter-Erik
  • Steve-1029 Level 1 Level 1 (5 points)

    Yes I think I can create a Wireless profile using IPCU

    but can anyone tell me how to get the Profile to be recognized by the MBP that I am using ?

     

    I see things about Exporting via e-mail etc but all I want to do is to create a wireless profile to use on THIS Machine

    the same facility that existed in Snow Leopard but has somehow been removed in LION ?

  • christianhuening Level 1 Level 1 (0 points)

    Hey there,

    that works perfectly fine, thank you!

     

    Question:

    Is there no way to configure the login window mode from within the profile manager? I can just enter WiFi options, but not whether it's going to be a System or Loginwindow profile.

     

    greetz

    chris

  • Nick Kalister1 Level 1 Level 1 (0 points)

    hey mennotech, when I try to modify my working user profile using your post's instructions, I end up with a profile that gives a "There was a problem opening this profile" error when trying to install it.

    Any ideas? I'm using Xcode to edit the file.

  • MennoTech Level 1 Level 1 (0 points)

    Nick, I received that error when I signed the security profile during export. You need to make sure that you set security to "None" when you export. If you sign the profile you cannot make edits using a text editor because it breaks the signature (that's the whole reason why you would normally sign export files).

     

    Screen Shot 2011-08-25 at 10.35.25 PM.png

     

    Here's some sample code that works for me.

     

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
      <key>PayloadContent</key>
      <array>
        <dict>
          <key>EAPClientConfiguration</key>
          <dict>
            <key>AcceptEAPTypes</key>
            <array>
              <integer>25</integer>
            </array>
            <key>EAPFASTProvisionPAC</key>
            <false/>
            <key>EAPFASTProvisionPACAnonymously</key>
            <false/>
            <key>EAPFASTUsePAC</key>
            <false/>
            <key>TLSAllowTrustExceptions</key>
            <true/>
            <key>UserName</key>
            <string>XUSERNAME</string>
            <key>UserPassword</key>
            <string>XPASSWORD</string>
          </dict>
          <key>EncryptionType</key>
          <string>WPA</string>
          <key>HIDDEN_NETWORK</key>
          <false/>
          <key>PayloadDescription</key>
          <string>Configures wireless connectivity settings.</string>
          <key>PayloadDisplayName</key>
          <string>Wi-Fi (TESTSSID)</string>
          <key>PayloadIdentifier</key>
          <string>login.profile.test.</string>
          <key>PayloadOrganization</key>
          <string>Organization Name.</string>
          <key>PayloadType</key>
          <string>com.apple.wifi.managed</string>
          <key>PayloadUUID</key>
          <string>34C68614-D32F-4BB4-875C-4B7341E63278</string>
          <key>PayloadVersion</key>
          <integer>1</integer>
          <key>SSID_STR</key>
          <string>XTESTSSID</string>
          <key>SetupModes</key>
          <array>
            <string>System</string>
          </array>
        </dict>
      </array>
      <key>PayloadDescription</key>
      <string>Profile description.</string>
      <key>PayloadDisplayName</key>
      <string>Test System 802.1X Profile</string>
      <key>PayloadIdentifier</key>
      <string>login.profile.test</string>
      <key>PayloadOrganization</key>
      <string>Organization Name.</string>
      <key>PayloadRemovalDisallowed</key>
      <false/>
      <key>PayloadScope</key>
      <string>System</string>
      <key>PayloadType</key>
      <string>Configuration</string>
      <key>PayloadUUID</key>
      <string>1AFDCE61-788E-44DD-A487-68C33D18324E</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
    </plist>
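    The checks a practitioner would want before hand-editing an export like the one above, written as an added example (not code from the thread or from Apple): it refuses a signed export (the "problem opening this profile" case), reports the mandatory Payload* keys that an empty General section leaves out, switches the profile to System scope with the Wi-Fi payload's SetupModes set to "System" or "Loginwindow" (the two modes named in this thread), and lists payloads that embed a cleartext UserPassword. The sample profile and its identifiers are a constructed, trimmed copy of the shape posted above; the Python standard library's plistlib does the parsing.

```python
"""Added example, not code from the thread: checks and edits for an exported
.mobileconfig before it is installed as a System or Loginwindow 802.1X profile.
Assumptions: the file was exported unsigned (Sign = None), as the thread
advises; key names are those in the profile posted above; the SetupModes
values "System" and "Loginwindow" are the two modes named in the thread."""
import plistlib

# Keys the outer profile and every payload must carry; skipping the mandatory
# "General" fields in iPCU leaves them out and the profile will not install.
REQUIRED_KEYS = ("PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion")
WIFI_PAYLOAD = "com.apple.wifi.managed"

# Constructed sample: a trimmed copy of the shape of the profile posted above.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>EAPClientConfiguration</key>
      <dict>
        <key>AcceptEAPTypes</key><array><integer>25</integer></array>
        <key>UserName</key><string>XUSERNAME</string>
        <key>UserPassword</key><string>XPASSWORD</string>
      </dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadIdentifier</key><string>login.profile.test.wifi</string>
      <key>PayloadUUID</key><string>34C68614-D32F-4BB4-875C-4B7341E63278</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>SSID_STR</key><string>XTESTSSID</string>
    </dict>
  </array>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>login.profile.test</string>
  <key>PayloadUUID</key><string>1AFDCE61-788E-44DD-A487-68C33D18324E</string>
  <key>PayloadVersion</key><integer>1</integer>
</dict>
</plist>
"""


def is_signed(raw: bytes) -> bool:
    """A signed export is a CMS (PKCS#7) DER blob that starts with an ASN.1
    SEQUENCE tag (0x30), not with '<'.  Editing it by hand breaks the
    signature, which is what produces the 'problem opening this profile' error."""
    return not raw.lstrip().startswith(b"<")


def load_profile(raw: bytes) -> dict:
    """Parse an unsigned XML profile; refuse a signed one instead of corrupting it."""
    if is_signed(raw):
        raise ValueError("profile is signed; re-export with Sign = None before editing")
    return plistlib.loads(raw)


def missing_required_keys(profile: dict) -> list:
    """List 'where:key' for every required key that is absent."""
    missing = [f"profile:{k}" for k in REQUIRED_KEYS if k not in profile]
    for i, payload in enumerate(profile.get("PayloadContent", [])):
        missing += [f"payload[{i}]:{k}" for k in REQUIRED_KEYS if k not in payload]
    return missing


def cleartext_credential_payloads(profile: dict) -> list:
    """Identifiers of payloads whose EAP block embeds UserPassword in the clear.
    Anyone who can read the .mobileconfig file can read that password, so the
    file must be handled as a secret; a Loginwindow-mode profile that reuses
    the login credentials carries none."""
    return [p.get("PayloadIdentifier") for p in profile.get("PayloadContent", [])
            if "UserPassword" in p.get("EAPClientConfiguration", {})]


def set_profile_mode(raw: bytes, mode: str = "System") -> bytes:
    """Return a copy of the unsigned profile switched to System scope, with every
    Wi-Fi payload's SetupModes set to `mode` ("System" or "Loginwindow")."""
    if mode not in ("System", "Loginwindow"):
        raise ValueError(f"unsupported SetupModes value {mode!r}")
    profile = load_profile(raw)
    missing = missing_required_keys(profile)
    if missing:
        raise ValueError("fill in the General section first; missing " + ", ".join(missing))
    profile["PayloadScope"] = "System"  # device-level scope, not per user
    for payload in profile["PayloadContent"]:
        if payload.get("PayloadType") == WIFI_PAYLOAD:
            payload["SetupModes"] = [mode]
    return plistlib.dumps(profile)


if __name__ == "__main__":
    fixed = load_profile(set_profile_mode(SAMPLE_PROFILE, "System"))
    print(fixed["PayloadScope"], fixed["PayloadContent"][0]["SetupModes"])
    print("payloads with cleartext passwords:", cleartext_credential_payloads(fixed))
```

    Run it against a real export by reading the file as bytes and writing the result of set_profile_mode back out; the signature check is deliberately done on the raw bytes before any parsing, because a signed file is not XML at all.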

  • slatrat Level 1 Level 1 (0 points)

    This is actually a huge problem for corporate environments running 802.1x authentication. All Lion Mac users basically just became disenfranchised. I don't understand Apple's thinking on this at all. The requirement for Lion server is downright bogus.

     

    My experience has been that the login screen is popped every time you need to reconnect to the same wireless network but from a different access point. And the login screen takes forever to get popped up.

     

    I appreciate the detailed command line instructions provided in this overall thread. But even I, who am pretty tech savvy, do not feel comfortable trying that approach.

  • RallyBoulder Level 1 Level 1 (0 points)

    I'm still not seeing how you would configure a login profile from within profile manager.

    I've tried several times to "hack" the iphone generated file, but when we login to our bound lion boxes it still prompts for the 802.1x authentication. When I load the file it shows as a "device profile", should it say login profile if I'm doing it correctly?

     

    All I need it to do is pass the login credentials into the 802.1x for the WiFi. Had no problems getting this setup on Snow Leopard, am I missing something obvious?

  • Steve-1029 Level 1 Level 1 (5 points)

    Rally

     

    I think I have finally figured this out.

    You can use the (Free) IPCU tool to create a wireless profile

    insert the kind of auth you want eg: PEAP

    and enter your username and password

     

    Here is the method

    Open the tool

    add a NEW profile

    give it a descriptive name ( you will see why in a moment)

    give it a reverse DNS as it asks

    now go to Wireless  (Icon on left Nav panel)

    enter ssid

    select parameters eg: PEAP

    enter username and password

     

        note: you can use the "+" sign in upper right to add several different ssid profiles each with its own credentials

     

    Now there is no Save button but hit EXPORT

    Leave Sign ? as none

    and Export to your desktop or anywhere else you want

     

    exit the tool

    now find the thing ( the descriptive name )

    and double click it

    a box will pop up asking to confirm

    it will then remove all profiles in LION Wifi and insert the one you just made

     

    Now LION WiFI preferences looks like the old Snow Leopard with the profile ( named by ssid) that you just made

     

    There does not seem to be any way to have SEVERAL profiles, however one profile can actually contain several different sets of ssid/authentication combinations

     

    This has worked for me and enabled me to log into a "difficult" PEAP network

     

    Please tell me if this works for you .    I have a case going with Apple--they have failed utterly thus far but if this works I can then push on them to acknowledge and then perhaps document this whole thing

     

    steve

  • RallyBoulder Level 1 Level 1 (0 points)

    I was able to get this functioning properly under Lion. I used the Lion server Profile Manager to generate our config.

     

    A few things that I didn't realize when I began this process:

     

    • To set up a system or login profile using Profile Manager, you must enable "Device Management". This will require you to login with your Apple ID (and the email must be verified, otherwise you'll get a generic error message)
    • Once you create a new device configuration you'll see the option under WiFi to use Directory Authentication
    • If your WiFi requires the user to accept a certificate, you need to include this in Profile Manager -- define it as a Certificate payload & then you can set it to be trusted under Wifi > Trust (I had to import the certificate from our primary DC)

     

    Thanks for the help.

  • Yzord Level 1 Level 1 (0 points)

    I just created a profile with the IPCU and just run under Lion

  • biggenie Level 1 Level 1 (0 points)

    And this doesn't work if you are behind a proxy server because the App Store does not use the system proxy configuration.

  • Drew Saur Level 2 Level 2 (175 points)

    I created a Device profile, but after I download it then go to add it on the client machine, I get an error:

     

    Profile installation failed.

     

    The profile "....." could not be installed due to an unexpected error.

     

    Is there any hope for getting Lion Server to generate system and/or loginwindow profiles that actually work?

     

    Drew

  • °Bernz° Level 1 Level 1 (10 points)

    Hey DrVenture (and everyone else),

     

    Thank you for your numerous insights on this topic! If you (or someone else) could help me finalize my setup, I would greatly appreciate it!

     

    This is our environment: we're set up with WIRED 802.1x authentication (PEAP). All our users are configured in AD and the 802.1x authenticates to our RADIUS server. This means that users simply plugging into a network jack will not get anywhere on our network. They need a correct certificate to at least join the network, then with the correct credentials, they are given the correct VLAN based on their rights.

     

    In other words, this is how it works (at least on Windows workstations):

     

    • Certificates are installed on the PCs;
    • The PC is connected to a secure network jack;
    • (this part I may not be 100% right on the technical stuff...)
      • Our switch allows authentication based on the certificates,
      • receives login/password from PC,
      • authenticates on the RADIUS server;
    • If successful, the user logs on and is given a correct VLAN.

     

    Our Lion clients were joined correctly to the AD domain so we do know that this works well on "normal" wired connection (not 802.1x authenticated).

     

    We have followed your instructions to set up a .mobileconfig file using Lion Server, changed the PayloadScope to System and installed it. However, we still cannot authenticate. Actually, Lion doesn't even seem to see the AD server... When we are at the Lion login window, the red dot is there beside the login name, telling me that there is no authentication server available. Is this normal, or should this disappear? (I'm not sure how Lion determines when an authentication server is not available under 802.1x since it can't actually see it... so this might be normal)

     

    Just to give you an idea, we've set up the mobileconfig file on Lion Server by setting up the following sections:

     

    • General
    • Network
    • Certificates

     

    Then, we changed the PayloadScope value.

     

    What is missing for this to work as expected?

     

    Thanks!

  • Amabhubesi_user Level 1 Level 1 (0 points)

    Hi All,

     

    After days of searching and being without wireless in a PEAP authentication environment, I finally stumbled onto this thread and using IPCU, generated the profile... exported it and still got the 'cannot use this profile' message.

     

    I went back to check and finally - I forgot to enter the information that was labelled 'mandatory' under the 'general' section. Now it works like a charm

     

    Wow, why is it so much more complicated than Snow Leopard?

     

    Thanks for solving this!

  • vitaly_s Level 1 Level 1 (0 points)

    We are here having exactly the same issue as °Bernz° does.

    The only difference: I generated the mobileconfig profile with iPCU and modified it after export to make it a System profile. However, in the Login window it still shows me a red dot saying Network accounts are not available. The profile itself looks like it is working: when I manually select it in Ethernet network properties and click on the Connect button, authorization succeeds.

     

    Can anybody assist us with this?


  • DrVenture Level 2 Level 2 (180 points)

    Bernz,

     

    Are your Lion clients running 10.7.2?

     

    ***Under "Device Config" in the Profile Manager app (for Lion Server)****

     

    So "System Mode" is used when you want your client machines logged into the network all of the time. Meaning even when a user logs his machine off, the machine will stay authenticated to the 802.1X network.

     

    "Login Window Mode" is used when you would like the client to use its Login Window credentials to authenticate to the 802.1X protected network and then process the same credentials to log the client into a network account (or mobile account, etc).

     

    Just want to make sure that is clear before proceeding.

     

    If all you want is to have your users prompted for a user name and password so they can get onto your protected 802.1X network, then there are two ways to accomplish this:

     

    1. Ethernet Auto Connect feature in Lion...

    Start with a Fresh Mac (with no profiles installed). Go to System Prefs, Network, Select the Eth interface, choose  advanced, 802.1X tab and then make sure the Enable auto connection checkbox is checked. Hit Ok then apply.

     

    Now plug the Mac into the 802.1X protected switch. When the switch sends an EAP IDENTIFY packet to the Mac, the Mac should prompt you for a username and password. Enter valid user credentials. You should get prompted to accept your RADIUS server's cert. From that point on you should get an IP in the correct VLAN (since you are using dynamic VLANs).

     

    If the above does not work, stop here. You need to debug why the Mac cannot authenticate. If you are using IAS or NPS as your RADIUS server, check your EVENT LOG on your Windows server to see if the auth attempt ever made it to the RADIUS server and (if it did) why it was rejected.

     

    Before I start writing another book on the subject, please try the above and let me know the results.

     

    2. Profiles To be continued.
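    The wired flow Bernz describes (supplicant, switch, RADIUS server, VLAN assignment) and the first debugging step DrVenture gives (check the RADIUS event log to see whether the attempt ever arrived and why it was rejected) are modelled below as an added example; this is not code from the thread, from Apple or from any switch vendor. It is a simplified simulation, not a wire-level implementation: the users, password, certificate fingerprints, VLAN numbers and log lines are all constructed, and the only real identifiers are the RADIUS Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes (RFC 3580) that carry a dynamic VLAN in an Access-Accept. It shows why an untrusted RADIUS certificate and a bad password leave different traces in the server log.

```python
"""Added example, not from the thread: a small model of the wired 802.1X flow
(supplicant -> switch -> RADIUS -> VLAN) and of two failure modes worth checking
in the RADIUS event log: an untrusted server certificate and bad credentials.
All names, passwords, fingerprints, VLAN numbers and log lines are constructed."""
from dataclasses import dataclass, field
from typing import Optional

# RADIUS attributes a switch uses for dynamic VLAN assignment (RFC 2868 / RFC 3580).
TUNNEL_TYPE = 64              # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # value 6  = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81  # VLAN id carried as a string
VLAN_TYPE, IEEE_802 = 13, 6

# Constructed directory standing in for AD behind NPS/IAS: user -> (password, VLAN).
USERS = {"alice": ("correct horse", 20), "bob": ("battery staple", 30)}
RADIUS_CERT = "sha1:RADIUS-CERT-EXAMPLE"  # constructed fingerprint, not a real cert


@dataclass
class RadiusServer:
    cert_fingerprint: str
    users: dict
    event_log: list = field(default_factory=list)

    def authenticate(self, username: str, password: Optional[str]):
        """Answer an Access-Request.  password=None models a supplicant that tore
        down the PEAP tunnel before sending its inner credentials."""
        if password is None:
            self.event_log.append(f"user={username!r}: tunnel abandoned before inner auth")
            return "Access-Reject", {}
        entry = self.users.get(username)
        if entry is None or entry[0] != password:
            why = "unknown user" if entry is None else "bad password"
            self.event_log.append(f"user={username!r}: Access-Reject ({why})")
            return "Access-Reject", {}
        self.event_log.append(f"user={username!r}: Access-Accept vlan={entry[1]}")
        return "Access-Accept", {TUNNEL_TYPE: VLAN_TYPE, TUNNEL_MEDIUM_TYPE: IEEE_802,
                                 TUNNEL_PRIVATE_GROUP_ID: str(entry[1])}


@dataclass
class Supplicant:
    username: str
    password: str
    trusted_fingerprints: set  # server certs the profile (or the user at the prompt) accepted

    def inner_credentials(self, server_fingerprint: str):
        """PEAP releases the password only inside a TLS tunnel to a trusted server."""
        if server_fingerprint not in self.trusted_fingerprints:
            return self.username, None
        return self.username, self.password


@dataclass
class SwitchPort:
    radius: RadiusServer
    state: str = "unauthorized"  # the 802.1X controlled port starts closed
    vlan: Optional[int] = None
    transcript: list = field(default_factory=list)

    def link_up(self, supplicant: Supplicant) -> Optional[int]:
        """Run the exchange; return the VLAN the port lands in (None = still blocked)."""
        self.transcript.append("switch -> supplicant: EAP-Request/Identity")
        identity, password = supplicant.inner_credentials(self.radius.cert_fingerprint)
        self.transcript.append(f"supplicant -> switch: EAP-Response/Identity {identity}")
        self.transcript.append("switch -> radius: Access-Request (EAP relayed)")
        code, attrs = self.radius.authenticate(identity, password)
        self.transcript.append(f"radius -> switch: {code}")
        if (code == "Access-Accept" and attrs.get(TUNNEL_TYPE) == VLAN_TYPE
                and attrs.get(TUNNEL_MEDIUM_TYPE) == IEEE_802):
            self.state, self.vlan = "authorized", int(attrs[TUNNEL_PRIVATE_GROUP_ID])
            self.transcript.append(f"switch -> supplicant: EAP-Success; port in VLAN {self.vlan}")
        else:
            self.state, self.vlan = "unauthorized", None
            self.transcript.append("switch -> supplicant: EAP-Failure; port stays blocked")
        return self.vlan


def run_scenarios() -> dict:
    """Three ports: a client that trusts the RADIUS cert, one that does not, and
    one with a wrong password.  Returns {scenario: (vlan, last RADIUS log line)}."""
    scenarios = {
        "trusted": Supplicant("alice", "correct horse", {RADIUS_CERT}),
        "untrusted-cert": Supplicant("alice", "correct horse", set()),
        "bad-password": Supplicant("bob", "wrong", {RADIUS_CERT}),
    }
    results = {}
    for name, supplicant in scenarios.items():
        radius = RadiusServer(RADIUS_CERT, USERS)
        port = SwitchPort(radius)
        results[name] = (port.link_up(supplicant), radius.event_log[-1])
    return results


if __name__ == "__main__":
    for name, (vlan, log_line) in run_scenarios().items():
        print(f"{name:15} vlan={vlan}  radius: {log_line}")
```

    The point of the three scenarios is the diagnostic one the thread is circling: when the profile's trust settings are wrong the server never sees a password at all, whereas a wrong password produces an explicit reject, so the RADIUS log distinguishes a certificate problem from a credential problem before any profile editing starts.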