Posted on 03-12-2012 08:43 PM
I've just had my first successful 802.1X wireless login window authentication on 10.7.x.
My .mobileconfig consisted of adding a certificate payload, and a network payload. The certificate is literally a drag and drop event. The network configuration for my wireless consisted of entering the SSID, WPA2 Enterprise, TTLS & PEAP protocols and selected MSCHAPv2 for inner authentication.
Turns out there are no utilities, other than manually editing your .mobileconfig file, that will get login window 802.1X authentication working.
After using Profile Manager to output a user profile I then added the following to the .mobileconfig;
Starting the line immediately below the SSID_STR key's "<string>" value add;
<key>PayloadScope</key>
<array>
<string>System</string>
</array>
And this line immediately above the bottom most PayloadType key;
<key>PayloadScope</key>
<string>System</string>
And for the login window profile;
<key>SetupModes</key>
<array>
<string>Loginwindow</string>
</array>
Hope this helps someone.
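As an added example (not code from the original poster), the edit described above can be scripted instead of done by hand in a text editor. The script below uses plistlib from the Python standard library to add the three keys the post names, and includes a check that reports which of them a profile is still missing; it also verifies that any PayloadCertificateAnchorUUID in the EAP configuration points at a certificate payload that actually exists in the same profile. The sample profile, its SSID and its UUIDs are constructed placeholders; the function and variable names are this example's own.

```python
"""Add the login-window 802.1X keys to a .mobileconfig (example code, not from the thread)."""
import copy
import plistlib
import sys

# Payload types that carry an 802.1X network configuration.
NETWORK_PAYLOAD_TYPES = {
    "com.apple.wifi.managed",
    "com.apple.firstactiveethernet.managed",
}
# Payload types that carry a certificate an anchor UUID may refer to.
CERT_PAYLOAD_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1"}

# Constructed sample shaped like a Profile Manager export: one Wi-Fi payload
# (TTLS/PEAP, MSCHAPv2 inner auth) plus the CA certificate it trusts, but
# none of the login-window keys yet. SSID and UUIDs are placeholders.
SAMPLE_PROFILE = {
    "PayloadContent": [
        {
            "PayloadType": "com.apple.wifi.managed",
            "PayloadIdentifier": "example.wifi",
            "PayloadUUID": "11111111-2222-3333-4444-555555555555",
            "PayloadVersion": 1,
            "SSID_STR": "ExampleSSID",
            "EncryptionType": "WPA2",
            "EAPClientConfiguration": {
                "AcceptEAPTypes": [21, 25],
                "TTLSInnerAuthentication": "MSCHAPv2",
                "PayloadCertificateAnchorUUID": ["AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE"],
            },
        },
        {
            "PayloadType": "com.apple.security.root",
            "PayloadIdentifier": "example.ca",
            "PayloadUUID": "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE",
            "PayloadVersion": 1,
            "PayloadContent": b"placeholder DER certificate bytes",
        },
    ],
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.profile",
    "PayloadUUID": "66666666-7777-8888-9999-000000000000",
    "PayloadVersion": 1,
}


def add_loginwindow_keys(profile):
    """Return a copy of `profile` with the post's three additions: PayloadScope
    ["System"] and SetupModes ["Loginwindow"] in every network payload, and a
    top-level PayloadScope of "System". Key order inside a plist dict carries
    no meaning, so "immediately below SSID_STR" is simply where the post's
    author typed it; plistlib writes keys sorted."""
    fixed = copy.deepcopy(profile)
    for payload in fixed.get("PayloadContent", []):
        if payload.get("PayloadType") in NETWORK_PAYLOAD_TYPES:
            payload["PayloadScope"] = ["System"]
            payload["SetupModes"] = ["Loginwindow"]
    fixed["PayloadScope"] = "System"
    return fixed


def check_loginwindow_profile(profile):
    """Return a list of problems; empty when every key the post relies on is
    present and each EAP anchor UUID matches a certificate payload. A missing
    key shows up only as an unusable network at the login window, not as an
    install error, so it is worth checking before the profile is pushed."""
    problems = []
    if profile.get("PayloadScope") != "System":
        problems.append("top-level PayloadScope is not 'System'")
    payloads = profile.get("PayloadContent", [])
    cert_uuids = {p.get("PayloadUUID") for p in payloads
                  if p.get("PayloadType") in CERT_PAYLOAD_TYPES}
    network = [p for p in payloads if p.get("PayloadType") in NETWORK_PAYLOAD_TYPES]
    if not network:
        problems.append("no Wi-Fi or Ethernet payload found")
    for p in network:
        name = p.get("PayloadIdentifier", p.get("PayloadType"))
        if "Loginwindow" not in p.get("SetupModes", []):
            problems.append(f"{name}: SetupModes lacks 'Loginwindow'")
        if "System" not in p.get("PayloadScope", []):
            problems.append(f"{name}: PayloadScope lacks 'System'")
        for anchor in p.get("EAPClientConfiguration", {}).get("PayloadCertificateAnchorUUID", []):
            if anchor not in cert_uuids:
                problems.append(f"{name}: anchor UUID {anchor} matches no certificate payload")
    return problems


def to_mobileconfig(profile):
    """Serialise to the XML plist form a .mobileconfig file uses."""
    return plistlib.dumps(profile)


def from_mobileconfig(data):
    """Parse .mobileconfig bytes (XML or binary plist) into a dict."""
    return plistlib.loads(data)


if __name__ == "__main__":
    # Usage: python3 fix_profile.py [exported.mobileconfig] > loginwindow.mobileconfig
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            source = from_mobileconfig(fh.read())
    else:
        source = SAMPLE_PROFILE
    for problem in check_loginwindow_profile(source):
        print("before:", problem, file=sys.stderr)
    sys.stdout.write(to_mobileconfig(add_loginwindow_keys(source)).decode())
```

Run without arguments it rewrites the built-in sample and lists what was missing on stderr; given an exported profile path it does the same to that file. The check function is also handy on its own against a profile that already "should" work, since it flags the two keys whose absence the post identifies and an anchor UUID that does not correspond to any certificate payload.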
Posted on 03-13-2012 06:02 AM
It turns out Profile Manager actually can create a Login Window Profile, but for some reason the server must first be promoted to an Open Directory Master before you will see this option.
Posted on 03-13-2012 09:58 PM
In the example above we are not using Open Directory at all. Therefore the promotion to an OD master wasn't an option for us.
Posted on 03-13-2012 11:46 PM
Hi Tim,
If you start the profile manager service, it will start the OD service & make the server a master.
So you need both services if you're to use Profile Manager.
Posted on 07-22-2014 04:44 AM
We are implementing 802.1x in our network but the Mac systems don't seem to work automatically. I have created the profiles using IPCU and made changes to the mobileconfig to convert it into a system profile. Below is my profile configuration:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>AutoJoin</key>
      <true/>
      <key>EAPClientConfiguration</key>
      <dict>
        <key>AcceptEAPTypes</key>
        <array>
          <integer>21</integer>
          <integer>25</integer>
        </array>
        <key>EAPFASTProvisionPAC</key>
        <false/>
        <key>EAPFASTProvisionPACAnonymously</key>
        <false/>
        <key>EAPFASTUsePAC</key>
        <false/>
        <key>PayloadCertificateAnchorUUID</key>
        <array>
          <string>1CBE9C47-E5A5-4BAF-B09C-BFC107C4ADBF</string>
        </array>
        <key>TTLSInnerAuthentication</key>
        <string>MSCHAPv2</string>
      </dict>
      <key>EncryptionType</key>
      <string>WPA</string>
      <key>HIDDEN_NETWORK</key>
      <false/>
      <key>PayloadDescription</key>
      <string>Configures wireless connectivity settings.</string>
      <key>PayloadDisplayName</key>
      <string>Wi-Fi (Dot1x)</string>
      <key>PayloadIdentifier</key>
      <string>com.qma.profile.wifi</string>
      <key>PayloadOrganization</key>
      <string>qatar musuem authority</string>
      <key>PayloadType</key>
      <string>com.apple.wifi.managed</string>
      <key>PayloadUUID</key>
      <string>1A6C83F9-7990-414C-BA75-5F16975AECA1</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>ProxyType</key>
      <string>None</string>
      <key>SetupModes</key>
      <array>
        <string>System</string>
      </array>
      <key>SSID_STR</key>
      <string>Dot1x</string>
    </dict>
    <dict>
      <key>PayloadCertificateFileName</key>
      <string>juniperuac-pri.qma.com.qa.crt</string>
      <key>PayloadContent</key>
      <data>
      LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNhRENDQWRF
      Q0NGS2Zyako2RVdMRU1BMEdDU3FHU0liM0RRRUJCUVVBTUhreEN6
      QUpCZ05WQkFZVEFqOC8KTVFzd0NRWURWUVFJRXdJL1B6RUxNQWtH
      QTFVRUJ4TUNQejh4RERBS0JnTlZCQW9UQTFGTlFURUxNQWtHQTFV
      RQpDeE1DUHo4eElqQWdCZ05WQkFNVEdXcDFibWx3WlhKMVlXTXRj
      SEpwTG5GdFlTNWpiMjB1Y1dFeEVUQVBCZ2txCmhraUc5dzBCQ1FF
      V0FqOC9NQjRYRFRFME1EVXhNekV6TVRFMU5Wb1hEVEU1TVRFd016
      RXpNVEUxTlZvd2VURUwKTUFrR0ExVUVCaE1DUHo4eEN6QUpCZ05W
      QkFnVEFqOC9NUXN3Q1FZRFZRUUhFd0kvUHpFTU1Bb0dBMVVFQ2hN
      RApVVTFCTVFzd0NRWURWUVFMRXdJL1B6RWlNQ0FHQTFVRUF4TVph
      blZ1YVhCbGNuVmhZeTF3Y21rdWNXMWhMbU52CmJTNXhZVEVSTUE4
      R0NTcUdTSWIzRFFFSkFSWUNQejh3Z1o4d0RRWUpLb1pJaHZjTkFR
      RUJCUUFEZ1kwQU1JR0oKQW9HQkFNU3**9HSFRZTmZYVmtEYmlz
      NWFTODYvVVNJNHNtR1pueUlhL0ZYbHVqUFZ2cVJQOU9hT3ZOUGZa
      WApVQ0dYalZLcTZuM0FWZnlHYmVLTDA3eFlsbkJFR1BtM0F0MUps
      S2VLNlN5Q1lvMXRJTk4wT2ltc0dTNS9PTmx5Ck9mWk9sSUVkMk9w
      WGJ2NGdUeVlFVGNQYWxnekR2V2lrUzc0YkNtc1U1cnp6c2FPSEFn
      TUJBQUV3RFFZSktvWkkKaHZjTkFRRUZCUUFEZ1lFQW5JcHVCUlJs
      aE1Bek9jRG1KVmFPMlZPTi9nbnpmSG1wWXdiNk1VQ0dVT1o3QVpi
      SgpCRmFONTJpSmV5V2tnVzl4blNrNkZJRHZjUWJURkVvalV4azRv
      LzFjak9LeFFzNExUVWtleS9IZTg2VndLcTZTCmV2MnV4UE9yRVpH
      ajBZMzMwOENQM2dIRy9XM3FTQW9nN2VBUHluNnhMUnhFQUl2Y1FF
      K3BZSVV4NXRzPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
      </data>
      <key>PayloadDescription</key>
      <string>Provides device authentication (certificate or identity).</string>
      <key>PayloadDisplayName</key>
      <string>juniperuac-pri.qma.com.qa</string>
      <key>PayloadIdentifier</key>
      <string>com.qma.profile.credential</string>
      <key>PayloadOrganization</key>
      <string>qatar musuem authority</string>
      <key>PayloadScope</key>
      <string>System</string>
      <key>PayloadType</key>
      <string>com.apple.security.root</string>
      <key>PayloadUUID</key>
      <string>1CBE9C47-E5A5-4BAF-B09C-BFC107C4ADBF</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
  </array>
  <key>PayloadDescription</key>
  <string>Profile description.</string>
  <key>PayloadDisplayName</key>
  <string>QMA</string>
  <key>PayloadIdentifier</key>
  <string>com.qma.profile</string>
  <key>PayloadOrganization</key>
  <string>qatar musuem authority</string>
  <key>PayloadRemovalDisallowed</key>
  <false/>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>BB69600C-540F-4C90-B04E-582E622D06FC</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
This is the configuration. I have read through the existing forums and have made the highlighted changes to the user profile, but while logging in it still shows "NO NETWORK" and doesn't work as it used to in 10.6.8. Please kindly help me out as soon as possible.
Posted on 07-22-2014 04:46 AM
We are trying to log in while the system is connected to Ethernet. IPCU works for both wireless and wired, right? That's what I have read. It works completely fine in 10.6.6, where we can make the system profile on the machine itself. Or is there a way to export that profile to 10.8.5? Please help me out!
Posted on 08-10-2014 01:39 AM
@rhysforrester any insight on what's going wrong in my code?
Posted on 08-10-2014 01:44 AM
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>AuthenticationMethod</key>
      <string>directory</string>
      <key>AutoJoin</key>
      <true/>
      <key>EAPClientConfiguration</key>
      <dict>
        <key>AcceptEAPTypes</key>
        <array>
          <integer>21</integer>
          <integer>25</integer>
        </array>
        <key>OneTimeUserPassword</key>
        <false/>
        <key>SystemModeCredentialsSource</key>
        <string>ActiveDirectory</string>
        <key>EAPFASTProvisionPAC</key>
        <false/>
        <key>EAPFASTProvisionPACAnonymously</key>
        <false/>
        <key>EAPFASTUsePAC</key>
        <false/>
        <key>TTLSInnerAuthentication</key>
        <string>MSCHAPv2</string>
        <key>UserName</key>
        <string></string>
        <key>UserPassword</key>
        <string></string>
      </dict>
      <key>EncryptionType</key>
      <string>Any</string>
      <key>HIDDEN_NETWORK</key>
      <false/>
      <key>Interface</key>
      <string>FirstActiveEthernet</string>
      <key>PayloadDescription</key>
      <string>Configures wireless connectivity settings.</string>
      <key>PayloadDisplayName</key>
      <string>Wi-Fi (test)</string>
      <key>PayloadEnabled</key>
      <true/>
      <key>PayloadIdentifier</key>
      <string>com.test.profile.wifi</string>
      <key>PayloadOrganization</key>
      <string></string>
      <key>PayloadType</key>
      <string>com.apple.firstactiveethernet.managed</string>
      <key>PayloadUUID</key>
      <string>4707BCF9-6233-4E0A-BB3E-2EF46E702CA9</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>ProxyType</key>
      <string>None</string>
      <key>SetupModes</key>
      <array>
        <string>System</string>
      </array>
    </dict>
  </array>
  <key>PayloadDescription</key>
  <string>Wired 802.1x Profile</string>
  <key>PayloadDisplayName</key>
  <string>Wired 802.1x</string>
  <key>PayloadIdentifier</key>
  <string>com.test.profile</string>
  <key>PayloadOrganization</key>
  <string></string>
  <key>PayloadRemovalDisallowed</key>
  <false/>
  <key>PayloadScope</key>
  <string>System</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>7A34EB66-B956-43FC-B3C7-8CF7B87FF9CA</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
Here's the latest code, which I thought would work with machine authentication, as in this one I included the system profile and the concerned interface too, but it still doesn't authenticate while logging in, and there is no network during login. I don't understand what's wrong. Please help me out! It's really important that I fix this!