802.1x add profile ?
802.1x no(+) add profile button ??? help
MacBook Air, Mac OS X (10.7)
From Apple Help
You can connect to a Wi-Fi or Ethernet network that is protected by the Institute of Electrical and Electronics Engineers (IEEE) 802.1X standard. The 802.1X standard is designed to enhance the security of local area networks.
In most cases your network administrator provides a configuration profile that contains the information and settings you need to authenticate with the network.
When you download the profile from the web or open the attachment using Mail, the computer recognizes the .mobileconfig extension as a configuration profile and begins installing when you click Install.
During installation, you may be asked to enter any necessary information, such as passwords that weren’t specified in the profile, and other information as required. Enter any password necessary to use certificates included in the profile.
If you are connecting to an Ethernet network that uses 802.1X and want to connect automatically to the network when it’s detected, click Advanced, and then click 802.1X. Select “Enable automatic connection.”
Ask your network administrator or service provider if you need more information.
DrVenture,
You are ******** awesome!!
Thank you so much 🙂
Maybe this is a good place to ask this.
We are trying to allow Macs on our guest network. For our production network we use all Microsoft servers and Microsoft clients, and we are using 802.1x computer or user authentication. When a machine fails authentication it is SUPPOSED to be pushed over to our guest VLAN. This is not happening with our test machines (Mac OS Lion 10.7.3): when they are plugged into an authenticated port, they prompt for credentials. Entering credentials will put the machine on our production network. We can't get the Macs to roll over to guest. Any idea what we should do?
So let me try to understand. You have a Windows environment with switches that will place a client in a particular VLAN based on if the client can provide valid 802.1x credentials. If the client fails auth or does not provide credentials, the client will be placed in a guest VLAN.
In Lion, go to System Preferences - Network and select the Ethernet interface for the Mac. Then hit Advanced and click on the 802.1X tab. Uncheck the Enable Automatic Connection box. Unchecking this box should prevent the Mac from responding to the switch's EAP requests (unless an 802.1X profile exists in the client).
Give this a try.
Yes, that's exactly the issue. Disabling 802.1x on the macbook's network adapter results in no connection at all. The adapter receives a 169 IP.
Remember that if you use the "default" 802.1x profile in Lion for Ethernet (that checkbox), those credentials will get cached in the keychain. Hence, if you plug a Mac in to an 802.1x protected port, with that box checked, and supply credentials, those credentials will be used each time the Mac is plugged in.
To get around this, you will have to create an 802.1x user profile using profile manager from Lion server, or you can just download the iPCU here:
http://support.apple.com/kb/DL1465
I assume you are going to use the iPCU.
1. Install the iPCU
2. Go to configuration profiles and select new profile
2a. You can pre add the cert and trust it in the WiFi payload, but that is up to you. I would skip this for now.
3. Click WiFi (yes I know you need Ethernet, but Lion will be able to use a WiFi profile for the Ethernet interface as well).
4. For SSID, just put some label in there
5. Uncheck Auto Join
6. For security type choose any Enterprise
7. Check the appropriate EAP type for your network (PEAP, TTLS whatever)
8. Now this is very important, click on the Authentication tab and CHECK the box saying Use Per-Connection Password
This will tell Lion to NOT cache the user credentials and force the user to enter credentials each time they plug into the network
9. Go to the General payload (in the middle) and fill out a Name, identifier etc (just labels)
10. Now hit export at the top.
11. Do not sign the config file, unless you have a valid cert to sign it with. I would just choose none.
12. Grab the .mobileconfig that is exported and place it on a target Mac. Double click the mobileconfig file to start the installation. The profile will ask for a username and password. LEAVE THEM BLANK. Again, you do not want credentials cached.
13. Click install.
14. After the profile installs, click "show all" in the system prefs menu, select network and choose your ethernet adapter. Go to advanced and 802.1X and UNCHECK the Enable auto connection. You should see the profile you installed listed in this pane.
15. Hit OK and then Apply.
16. Connect your Mac into the 802.1X protected network and hit the connect button in the System Prefs - network menu (selecting your Ethernet adapter, of course).
You should be rockin at this point.
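A check for the profile that the steps above produce, as an added example that is not part of the original post: it parses an unsigned .mobileconfig and reports settings that would cache credentials or auto-connect. The keys are those of Apple's Wi-Fi payload (`com.apple.wifi.managed`); treating iPCU's "Use Per-Connection Password" checkbox as `OneTimeUserPassword` is an assumption, and the function names, the `wired-dot1x` label and the sample profiles are constructed.

```python
import plistlib

def audit_8021x_profile(data: bytes) -> list:
    """Return findings for each Wi-Fi/802.1X payload in an unsigned .mobileconfig.

    A signed profile is CMS-wrapped and must be unwrapped first (step 11 exports unsigned).
    """
    findings = []
    profile = plistlib.loads(data)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.wifi.managed":
            continue
        label = payload.get("SSID_STR", "<no label>")
        eap = payload.get("EAPClientConfiguration", {})
        # AutoJoin defaults to true when the key is absent (step 5 unchecks it).
        if payload.get("AutoJoin", True):
            findings.append(f"{label}: AutoJoin is enabled")
        # Without this flag the entered password is kept for later connections (step 8).
        if not eap.get("OneTimeUserPassword", False):
            findings.append(f"{label}: OneTimeUserPassword is not set")
        # Step 12 leaves username and password blank so nothing is stored.
        for key in ("UserName", "UserPassword"):
            if eap.get(key):
                findings.append(f"{label}: {key} is embedded in the profile")
        # Step 2a (pre-adding and trusting the cert) was skipped in the walkthrough,
        # so the user is asked to accept the RADIUS server certificate at connect time.
        if not (eap.get("TLSTrustedServerNames") or eap.get("PayloadCertificateAnchorUUID")):
            findings.append(f"{label}: no RADIUS server trust configured")
    return findings

def make_profile(auto_join: bool, one_time: bool, user_name: str = "") -> bytes:
    """Build a constructed sample profile; 25 is the EAP type number for PEAP."""
    eap = {"AcceptEAPTypes": [25], "OneTimeUserPassword": one_time}
    if user_name:
        eap["UserName"] = user_name
    wifi = {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "wired-dot1x",
            "AutoJoin": auto_join, "EncryptionType": "Any",
            "EAPClientConfiguration": eap}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [wifi]})

if __name__ == "__main__":
    for name, blob in (("as in the walkthrough", make_profile(False, True)),
                       ("cached credentials", make_profile(True, False, "alice"))):
        print(name, "->", audit_8021x_profile(blob) or "no findings")
```
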
Just wanted to stop by and thank DrVenture - your instructions worked for me. Thanks!
Thanks DrVenture. You saved me a lot of headache! 🙂
@lazyb0y
You should wait until the DHCP server gives you a valid IP address. Unless that guest network is not DHCP capable. Contact sys admin
Hope anyone can help even though it is an old post :-) I have a Server 2008 RADIUS server running, but I am having trouble connecting the Wi-Fi using OS X 10.8.4. I have followed #DrVenture guide with no luck; it's like it can't get an IP from the server, just says connecting and then tries but fails? Anyone have a clue?
Does anyone happen to know if MAC OS does machine authentication? It seems the machines I am trying to get working only respond to EAPoL requests after the user has been logged in. The cert used (EAP-TLS) is in the system keychain but I cannot seem to find the configuration for machine access, not user. Can someone help shed some light here on this?
thanks
@DrVenture
The internal Wi-Fi card on my Macbook is not working, so for the moment I am using a Sitecom Wireless USB card.
I now need to install my University's Network Profile (I have the .mobileconfig file).
How do I install the profile file on a card other than the internal Wi-Fi, specifically this USB card?
When I go to its advanced properties it does show me an 802.1x tab but there is no button to add the profile.
THX in advance
"If your school uses TTLS with PAP (LDAP backend) then yah, the auto connection with ethernet will not help you. That is because the default EAP type that is supported is TTLS MSCHAPv2 (which is a bit more secure than PAP --ya ya, I know it is not fool proof)."
Thank you DrVenture. I'm grateful. Your instructions worked perfectly.
However I would disagree with your statement about security with MSCHAPv2. It is slightly more secure only during exchange of information. MSCHAP introduces major headaches for admins like storing passwords in clear in databases which is a big no-no. If the DB gets compromised - the organisation is screwed. Most admins store one way hash of passwords in the DB. This does not work with CHAP as it requires the server app to know the decrypted password.
TTLS outer layer protects the password (PAP) in inner layer by providing an encrypted tunnel. For example: HTTPS. We all use internet and submit passwords using SSL/TLS. This is no different to using TTLS/PAP (of course the underlying arch is completely different) but in principle.
Anyway - just thought I would add a comment. Thanks again for your instructions.