802.1x Wired authentication issue only at first boot

bbot
Contributor

We've deployed the identity preference com.apple.network.eap.user.identity.default to Macs. While this works in most scenarios, it does not work if the Ethernet cable is plugged in and the machine is rebooted.

My assumption is that the authentication is trying to happen before the keychain is available to present the identity/certificate.

Is there a way to delay 802.1x authentication at first boot?

Or maybe create the identity preference com.apple.network.eap.user.identity.default in the System Keychain? (I've been having trouble figuring this out while running as root and putting it into a bash script.)

6 replies

bbot
Contributor

Or is there a way to deploy a separate 802.1X Ethernet configuration profile and pick an already existing AD certificate? (We have one deployed for Wi-Fi and would like to use the same cert.) It seems like the only way I can get it to choose "AD Certificate" is if I request the certificate at the same time.


a_stonham
Contributor II

We use the following extension attribute, called "Setup more than 30 minutes ago", and we exclude all Macs that are set to "No" from our Wi-Fi config profile.

We then have an ongoing "update inventory" policy on all Macs that are set to "No".

#!/bin/bash
# Jamf extension attribute: reports whether Setup Assistant finished
# more than 30 minutes ago, based on the mtime of the setup-done marker.
TESTFILE="/var/db/.AppleSetupDone"

# Marker missing: Setup Assistant has not completed on this Mac yet.
if [ ! -f "$TESTFILE" ]; then
        echo "<result>No File Found</result>"
        exit 0
fi

# find prints the path only if the file was modified more than 30 minutes ago;
# a non-empty result therefore means setup completed over 30 minutes ago.
if [ -n "$(find "$TESTFILE" -mmin +30)" ]; then
    echo "<result>Yes</result>"
else
    echo "<result>No</result>"
fi

exit 0

bbot
Contributor

@a.stonham Thanks for posting. I'm not quite following along here, and I don't see how that affects my current issue.

Kaltsas
Contributor III

The only way to make this work as a system mode profile is to have the certificate payload in the same profile as the network payload. If you look in the profile, the way it works is that the certificate payload UUID gets anchored in the network payload, so the network payload knows which certificate to supply.

If you have already obtained a certificate via other means, the only option will be for the end user to select the certificate for authentication once the user is logged in.

There are other issues that may or may not come into play. On 10.12 and earlier, a network payload targeting Ethernet only applies to the first Ethernet interface used on the client; subsequent Ethernet interfaces will not have the profile applied. In this scenario the behavior will be the same as described above: the user has to select the certificate for authentication. This is supposed to be resolved in 10.13 with a new globalethernet value, but I have been unable to get it to work and am waiting on Apple to get back to me on whether I've configured the new value incorrectly.
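
A way to check the anchoring described in the reply above before pushing a profile (added example, not code from the thread or from Apple): it parses a .mobileconfig with plistlib and reports any 802.1X network payload whose PayloadCertificateUUID does not reference a certificate payload in the same profile, which is exactly the case where the user ends up having to pick the certificate by hand. The sample profile is constructed inline; the payload identifiers and the helper names are assumptions.

```python
import plistlib
import uuid

# Payload types that can carry an EAP (802.1X) configuration.
NETWORK_PAYLOAD_TYPES = {
    "com.apple.wifi.managed",
    "com.apple.firstactiveethernet.managed",
    "com.apple.globalethernet.managed",
}
# Payload types that deliver an identity a network payload can anchor to.
CERT_PAYLOAD_TYPES = {
    "com.apple.security.pkcs12",
    "com.apple.security.scep",
    "com.apple.ADCertificate.managed",
}


def unanchored_network_payloads(profile_bytes: bytes) -> list:
    """Return PayloadIdentifiers of network payloads whose PayloadCertificateUUID
    is missing or does not match a certificate payload in the same profile."""
    profile = plistlib.loads(profile_bytes)
    payloads = profile.get("PayloadContent", [])
    cert_uuids = {p["PayloadUUID"] for p in payloads
                  if p.get("PayloadType") in CERT_PAYLOAD_TYPES}
    broken = []
    for p in payloads:
        if p.get("PayloadType") not in NETWORK_PAYLOAD_TYPES:
            continue
        if p.get("PayloadCertificateUUID") not in cert_uuids:
            broken.append(p.get("PayloadIdentifier", "<no identifier>"))
    return broken


def build_profile(anchor: bool) -> bytes:
    """Constructed sample: a system-mode Ethernet payload plus a SCEP payload.
    With anchor=False the Ethernet payload omits the certificate reference."""
    cert_uuid = str(uuid.uuid4())
    cert = {"PayloadType": "com.apple.security.scep", "PayloadVersion": 1,
            "PayloadIdentifier": "example.scep", "PayloadUUID": cert_uuid}
    net = {"PayloadType": "com.apple.firstactiveethernet.managed",
           "PayloadIdentifier": "example.ethernet", "PayloadVersion": 1,
           "PayloadUUID": str(uuid.uuid4()),
           "SetupModes": ["System"],                       # system mode 802.1X
           "EAPClientConfiguration": {"AcceptEAPTypes": [13]}}  # 13 = EAP-TLS
    if anchor:
        net["PayloadCertificateUUID"] = cert_uuid        # the anchoring key
    profile = {"PayloadType": "Configuration", "PayloadScope": "System",
               "PayloadIdentifier": "example.8021x", "PayloadVersion": 1,
               "PayloadUUID": str(uuid.uuid4()), "PayloadContent": [net, cert]}
    return plistlib.dumps(profile)
```

Run unanchored_network_payloads() over the bytes of a real exported profile; an empty list means every 802.1X payload has a certificate payload to anchor to.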

bbot
Contributor

@Kaltsas Thank you for the info!

bbot
Contributor

After more testing, we found that the Belkin USB-C Ethernet adapters (sold by Apple) do not work. I also tried putting the config at the system level, and tried a LaunchDaemon to disable the adapter and restart it, with no luck.

It does work with a Thunderbolt to Ethernet adapter connected to a Thunderbolt to USB-C adapter.