
Internet sharing with 802.1X auth. on

Hi all,

Has anyone ever succeeded in setting up the following?
- I'd like to log in to a private network using 802.1X authentication, then share this connection with my other MacBook nearby using AirPort.
I have set up internet sharing from eth0 to AirPort, and it works well, but only until I log in to the 802.1X network. At that moment, internet sharing suddenly stops, and starting it again doesn't help (it stops again).

Is it designed this way, or did I run into a malfunction?

Thanks for any answers,
Peter

MacBook Pro, Mac OS X (10.4.6), Gets really hot on summer.

Posted on Jun 26, 2006 11:49 PM

16 replies

Jun 27, 2006 12:42 PM in response to BDAqua

BDAqua,

Thanks for pointing me to that page (I didn't know about it). Unfortunately, all I could find there was about bridging a VPN, which is different because it uses a new network interface, and all you can do is build a NAT connection to this VPN.

In the case of 802.1X authentication like PEAP, the authentication process simply kills the natd I've set up. And that is the huge problem here.

If anyone could help (or say it's impossible to use), it would be greatly appreciated.

Jul 10, 2006 2:03 PM in response to bpeter

I am having the exact same problem. Once I join a wireless network with 802.1x, Internet Connection Sharing will not work again until I disable the Airport and reboot.

This seems like a bug.

Anyhow, the problem is that I can't find an error anywhere. I've searched all the logs in /Library, ~/Library, and /var/log to no avail.

Does anyone know where I could look to begin troubleshooting this issue?



Macbook Pro 15" Mac OS X (10.4.7)

Jul 11, 2006 10:35 PM in response to Trevor Seward

Although I was faced with this problem, I could accept these design rules (that's why I asked if it's like this by design).
But imagine you're using some virtualization software and all you want is to share your host's connection with your guest:
There are cases in company security when you're not able to use bridged networking, so you have no choice but to share your eth0 with the virtual Ethernet.
Of course 802.1X makes this impossible too... 😟

Jul 12, 2006 7:15 AM in response to Trevor Seward

🙂 You're absolutely right, if it is a bridged network sharing (two MAC addresses, same need for security, etc).

But in the case of NAT, the virtual machine uses the host's IP, its connections, and - I think it should use - its authentication methods too, because you don't have your own addresses to authenticate with.

As I heard, the same issue is present in case of VPN connections too.

Jul 12, 2006 9:16 AM in response to bpeter

I'll agree that it's a good design, but it's very frustrating when you're trying to get Parallels working on an 802.x wireless network. Why should I register the MAC of a virtual machine and spoof a MAC address? Seems there should be an exception made in the case of virtual clients.

Various Mac OS X (10.4.7)

Jul 12, 2006 10:28 AM in response to Gary_R

Well, I think everyone's missing the biggest point which is that the OS gives no indication of why it isn't working, it just silently fails. This sounds like a bug, not an intentional design consideration.

Furthermore, once it fails, I can't determine any way to restore ICS functionality without rebooting. (am I wrong here, or do others have the same issue?)

Finally, whether or not it is a good security practice to reshare an authenticated connection is completely moot since that is completely outside the scope of what 802.1x guarantees. It just says that the computer on the other end of the link can't pass any messages (other than AUTH messages) onto the network until they pass some authentication steps. It doesn't say what can occur beyond that.

Macbook Pro 15" Mac OS X (10.4.7)
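
The point argued in this thread, that 802.1X only gates which frames the attached port may pass, sketched as an added example (not code from any poster). It is a toy authenticator port that assumes single-host mode, where only the authenticated MAC is forwarded; the MAC addresses, class and function names are constructed for illustration.

```python
import struct

ETH_P_EAPOL = 0x888E  # EtherType of 802.1X (EAPOL) frames
ETH_P_IPV4 = 0x0800
HOST = "02:00:00:00:00:01"   # constructed MAC of the authenticated Mac
GUEST = "02:00:00:00:00:02"  # constructed MAC of a bridged guest

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def frame(src, ethertype, payload=b"", dst="ff:ff:ff:ff:ff:ff"):
    """Build a constructed Ethernet II frame: dst, src, EtherType, payload."""
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload

class AuthenticatorPort:
    """Toy model of one 802.1X-controlled port (single-host mode assumed)."""
    def __init__(self):
        self.authorized = None  # MAC of the authenticated supplicant

    def authorize(self, supplicant):
        # Stands in for an EAP exchange (e.g. PEAP) that ended in success.
        self.authorized = mac(supplicant)

    def handle(self, raw):
        if len(raw) < 14:
            return "drop: runt frame"
        src = raw[6:12]
        (ethertype,) = struct.unpack("!H", raw[12:14])
        if ethertype == ETH_P_EAPOL:
            return "eapol: passed to authenticator"
        if self.authorized is None:
            return "drop: port unauthorized"
        if src != self.authorized:
            return "drop: unknown source MAC"
        return "forward"

def scenario():
    port = AuthenticatorPort()
    out = {"before_auth": port.handle(frame(HOST, ETH_P_IPV4, b"data"))}
    # EAPOL-Start (version 1, type 1, length 0) to the PAE group address
    out["eapol"] = port.handle(
        frame(HOST, ETH_P_EAPOL, b"\x01\x01\x00\x00", dst="01:80:c2:00:00:03"))
    port.authorize(HOST)
    # After NAT the guest's packets leave with the host's MAC and IP.
    out["nat_guest"] = port.handle(frame(HOST, ETH_P_IPV4, b"guest via NAT"))
    out["bridged_guest"] = port.handle(frame(GUEST, ETH_P_IPV4, b"guest"))
    return out

if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:14} {verdict}")
```

In this model a NAT guest's traffic is indistinguishable at layer 2 from the host's own, while a bridged guest presents a MAC the port never authenticated.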

Jul 12, 2006 3:07 PM in response to bpeter

So there is definitely a bug because I can set up the NAT by hand (with the following commands) and it seems to work just fine:

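<pre>
# Enable IPv4 forwarding between interfaces
sudo /usr/sbin/sysctl -w net.inet.ip.forwarding=1
# Start natd, aliasing to the address of en1 and following address changes
sudo /usr/sbin/natd -interface en1 -dynamic
# Divert all packets passing through en1 to natd
sudo /sbin/ipfw add divert natd all from any to any via en1
</pre>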

Note: I don't think the ipfw divert is 100% correct, but it works as a proof of concept.

I've only been using this for a couple minutes, so it has by no means been thoroughly tested.

If it works for people here, I would be more than happy to write a prettier wrapper...

Macbook Pro 15" Mac OS X (10.4.7)

Jul 13, 2006 5:27 AM in response to cva

cva,

I'm trying your script, but I don't know why it's not working.
Starting it from Console, it says:
<pre>
net.inet.ip.forwarding: 1 -> 0
net.inet.ip.forwarding: 0 -> 1
starting natd on en0...
00100 divert 8668 ip from any to any via en0
</pre>

So it looks OK, but I couldn't reach anything from Parallels.
Do you have any idea what more to set up?

Jul 13, 2006 8:28 AM in response to bpeter

To be clear, I have set up both my Mac and the hosted OS in Parallels to use static IP addresses on the Host-Only network. Therefore, I didn't set up a DHCP server or anything like that.

So, make sure that you have valid IP addresses for both OS X (on en2) and the hosted OS. Also, make sure the hosted OS is using the Mac's address as its default gateway.

If you're still stuck, run natd with the -v argument, which will keep it from becoming a daemon and show you what it is doing.

Here is how my Mac is configured:

<pre>
ahehnb-cva:~ $ ifconfig en2
en2: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::201:23ff:fe45:6789%en2 prefixlen 64 scopeid 0x8
inet 10.37.129.5 netmask 0xffffff00 broadcast 10.37.129.255
ether 00:01:23:45:67:89
media: autoselect status: active
supported media: autoselect
</pre>

And here is how XP (in Parallels) is configured:

<pre>
Windows IP Configuration


Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.37.129.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.37.129.5

C:\Documents and Settings\cva>
</pre>
