Tuesday, February 7, 2012

Mac OS X Lion Creating Wi-Fi 802.1X Profiles

Mac OS X 10.7 (Lion) does not allow manual creation or configuration of 802.1X profiles for secure authentication on Wi-Fi and Ethernet networks for typical users. In order to access an 802.1X network in Lion, users are prompted to enter credentials when joining an active network that is in range, at which time it automatically detects the authentication settings that should be used.

The 802.1X tab in the System Preferences > Network > Advanced section no longer allows manual 802.1X profile creation.

Mac OS X 10.7 (Lion) 802.1X Profile Restriction

Lion forces the use of a configuration profile, which must be created with Profile Manager in Lion Server or with the iPhone Configuration Utility (iPCU). The profile is nothing more than an XML property list containing the settings, usually with a .mobileconfig extension. Since Apple decided to stop selling the Xserve line a year ago, most administrators will rely on the iPCU.

This restriction can be problematic for engineers wishing to test various client configuration scenarios without a live network. Many enterprise environments support multiple EAP types on their authentication servers in order to support various client deployment scenarios. Therefore, an engineer may wish to switch between profiles on the fly to test multiple authentication types. Additionally, user-created 802.1X profiles only work under their own user context, and do not work for pre-login or system level network connections which are of great benefit in enterprise environments for remote management and control when users are away from their desks (e.g. overnight). Finally, it should be noted that the "auto-detection" capability during network join may not work accurately for EAP-TTLS since it assumes use of MSCHAPv2 inner authentication.

To create an 802.1X profile for Lion, download and install the iPCU:

Install the iPhone Configuration Utility

Once installed, launch it from the Applications/Utilities folder in Finder. Start by selecting Configuration Profiles on the left side, then click New.

Create A New Configuration Profile in the iPhone Configuration Utility

Give the profile a name, unique identifier, organization name, and description. Then move on to the Wi-Fi section. Configure the basics like SSID and Security Type, then select one or multiple EAP types supported on the WLAN in the Protocols tab.


Switch to the Authentication tab to configure the credentials that will be used. Most enterprise admins will want to leave the username blank and select "Use Per-Connection Password" when deploying configuration profiles to their users, so that each user is prompted for their own password instead of a username and password being hardcoded into the profile. If using EAP-TLS, an identity certificate may be selected. Finally, if you are concerned about username exposure with tunneled authentication protocols (PEAP, EAP-TTLS), provide an anonymous outer identity: the outer identity is sent in the clear before the TLS tunnel is established, so without it an attacker sniffing the WLAN can compile a list of valid usernames on your network.

iPhone Configuration Utility Wi-Fi Authentication Parameters

Last, configure the trusted certificates and server certificate names in the Trust tab. This lets administrators pin which certificate authorities and which server certificate names (or naming patterns) may authenticate users, so a RADIUS server presenting any other certificate is rejected. It also prevents users from being prompted to trust a server at authentication time, a prompt most users would simply accept.

When the Wi-Fi payload and configuration profile are completely finished, select either Share or Export. Share allows you to send the profile via email, whereas Export allows you to save the file to your local filesystem for distribution at a later time.

Note - See this Apple help document for further instructions on using the iPCU.

To install the configuration profile, locate the file (.mobileconfig extension) and double-click it.

Install the iPCU Configuration Profile

You will be prompted to fill in any per-user authentication fields left blank by the administrator. The profiles can be viewed later in the System Preferences > Profiles section. This is also where you can delete previously installed profiles. The associated 802.1X profile is also visible in System Preferences > Network > Advanced > 802.1X.

802.1X Profile Successfully Installed

This method is not as easy for on-the-fly testing, but should allow administrators to accomplish all necessary tasks.
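As an added example (not the iPCU's output or Apple's code), the following Python script builds the same kind of Wi-Fi 802.1X profile the walkthrough above produces by hand, using the payload keys a .mobileconfig Wi-Fi payload carries (com.apple.wifi.managed with an EAPClientConfiguration dictionary): the EAP types from the Protocols tab, the per-connection password and anonymous outer identity from the Authentication tab, and the anchor certificate and server names from the Trust tab. It also adds a small check that flags the trust mistakes an administrator most often makes. The SSID, identifiers, organization name and server name are made-up values, and the placeholder CA bytes are constructed, not a real certificate.

```python
import plistlib
import uuid

# EAP method numbers from the IANA registry; AcceptEAPTypes holds these integers.
EAP_TLS = 13
EAP_TTLS = 21
EAP_PEAP = 25


def _uuid():
    return str(uuid.uuid4()).upper()


def build_wifi_8021x_profile(ssid, eap_types, trusted_server_names,
                             anchor_cert_der=None, outer_identity="anonymous",
                             ttls_inner_auth="MSCHAPv2"):
    """Return a Configuration profile (as a dict) with one Wi-Fi payload."""
    eap = {
        "AcceptEAPTypes": list(eap_types),
        # No UserName/UserPassword: OneTimeUserPassword is the
        # "Use Per-Connection Password" option, so each user is prompted.
        "OneTimeUserPassword": True,
        # The outer identity is sent in the clear before the TLS tunnel is
        # up, so an anonymous value keeps real usernames off the air.
        "OuterIdentity": outer_identity,
        # Only these names are accepted in the RADIUS server certificate.
        "TLSTrustedServerNames": list(trusted_server_names),
        # Do not let the user decide to trust an unknown server; reject it.
        "TLSAllowTrusted": False,
    }
    if EAP_TTLS in eap_types:
        # Lion's join-time auto-detection assumes this for TTLS; set it explicitly.
        eap["TTLSInnerAuthentication"] = ttls_inner_auth

    payloads = []
    if anchor_cert_der is not None:
        ca_uuid = _uuid()
        payloads.append({
            "PayloadType": "com.apple.security.root",
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.wifi.radius-ca",
            "PayloadUUID": ca_uuid,
            "PayloadDisplayName": "RADIUS CA",
            "PayloadContent": anchor_cert_der,   # DER bytes, serialized as <data>
        })
        # Pin the RADIUS chain to this CA instead of the whole system trust store.
        eap["PayloadCertificateAnchorUUID"] = [ca_uuid]

    payloads.append({
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi.%s" % ssid.lower(),
        "PayloadUUID": _uuid(),
        "PayloadDisplayName": "Wi-Fi (%s)" % ssid,
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        "EncryptionType": "WPA",   # WPA/WPA2; the EAP dictionary makes it Enterprise
        "EAPClientConfiguration": eap,
    })
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi",
        "PayloadUUID": _uuid(),
        "PayloadDisplayName": "Corporate Wi-Fi",
        "PayloadOrganization": "Example Corp",
        "PayloadDescription": "802.1X settings for %s" % ssid,
        "PayloadScope": "User",    # what the iPCU emits: a per-user profile
        "PayloadContent": payloads,
    }


def trust_problems(profile):
    """List the trust weaknesses in each Wi-Fi payload (an empty list is good)."""
    problems = []
    for p in profile["PayloadContent"]:
        if p.get("PayloadType") != "com.apple.wifi.managed":
            continue
        eap = p.get("EAPClientConfiguration", {})
        ssid = p.get("SSID_STR", "?")
        if not eap.get("TLSTrustedServerNames"):
            problems.append("%s: no TLSTrustedServerNames; any cert from a trusted CA is accepted" % ssid)
        if not eap.get("PayloadCertificateAnchorUUID"):
            problems.append("%s: no PayloadCertificateAnchorUUID; users get a trust prompt" % ssid)
        if eap.get("TLSAllowTrusted"):
            problems.append("%s: TLSAllowTrusted lets the user click through an untrusted server cert" % ssid)
        if "UserPassword" in eap:
            problems.append("%s: password hardcoded in the profile" % ssid)
    return problems


def to_mobileconfig(profile):
    """Serialize to the unsigned XML plist form the iPCU exports."""
    return plistlib.dumps(profile)


if __name__ == "__main__":
    fake_ca = b"\x30\x03\x02\x01\x01"   # constructed placeholder, not a real DER certificate
    prof = build_wifi_8021x_profile("CorpWLAN", [EAP_PEAP, EAP_TTLS],
                                    ["radius.example.com"], anchor_cert_der=fake_ca)
    print(to_mobileconfig(prof).decode())
    print("trust problems:", trust_problems(prof))
```

Write the output of to_mobileconfig() to a file with a .mobileconfig extension and double-click it to install, exactly as with an iPCU export. Run trust_problems() over any profile before distributing it; a profile without an anchor certificate or server names will connect fine in testing, but it will accept any RADIUS server whose certificate chains to a system-trusted CA.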

Cheers,
Andrew

24 comments:

  1. Hi Andrew
    If you need to add a Login Window Profile you can edit the .mobileconfig file and add the following:

    <key>SetupModes</key>
    <array>
    <string>LoginWindow</string>
    </array>

    Do this straight after the

    <key>SSID_STR</key>
    <string>MySSID</string>

    And

    <key>PayloadScope</key>
    <string>LoginWindow</string>

    Above the lowest PayloadScope field

    @d4mo1337

  2. Thanks Damien.

    For readers, here is the link to more detail on creating a LoginWindow Profile.

    Andrew

  3. One other note for readers. If you want to create either LoginWindow mode or System mode profiles, you must create them with Profile Manager from Lion Server. Alternatively, you can manually hack an iPCU .mobileconfig file.

    To create a System mode profile instead of the User mode profile, do the following:

    1. Create a User mode profile using the iPCU as described in this article.

    2. Manually edit the .mobileconfig file and add the following items:

    Starting the line immediately below the SSID_STR key’s ‘<string>’ value, add this:
    <key>SetupModes</key> <array> <string>System</string> </array>

    Then, insert these lines immediately above the bottom-most PayloadType key line:
    <key>PayloadScope</key> <string>System</string>

    Cheers,
    Andrew

    Replies
    1. Hey folks,
      Quick update: hacking the .mobileconfig file manually to create a LoginWindow mode profile is nearly identical to the instructions for a System mode profile, except you change the first instance of "System" to "LoginWindow" (but don't change the second instance).

      For reference here is the complete modification for a LoginWindow profile:

      Starting the line immediately below the SSID_STR key’s <string> value, add this:

      <key>SetupModes</key>
      <array>
      <string>LoginWindow</string>
      </array>

      Insert these lines immediately above the bottom-most PayloadType key line:

      <key>PayloadScope</key>
      <string>System</string>

      And to re-iterate, you can't sign the .mobileconfig profile since you will invalidate the digital signature once you hack the file and clients can't verify it and thus will not install it.

      To accomplish this in an easier fashion, use an OS X Server with Profile Manager to create a Device profile, embed the Wi-Fi payload and credentials to create a System mode profile, and optionally check the box for LoginWindow profile to make it a dual System plus LoginWindow profile.

      Cheers,
      Andrew

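The two edits described in the comment above (a SetupModes array inside the Wi-Fi payload, and a top-level PayloadScope of System for both System and LoginWindow mode), done with plistlib instead of a text editor so the plist stays well-formed. This is an added example, not Apple's or the iPCU's code; SAMPLE_PROFILE is a constructed minimal profile standing in for an iPCU export, and the function names are mine. It refuses a signed profile up front, since any edit invalidates the signature and the client will then refuse to install it, which is the error several commenters below ran into.

```python
import plistlib

# Constructed stand-in for an unsigned iPCU export: one Wi-Fi payload, user scope.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.wifi.corp</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
      <key>SSID_STR</key><string>CorpWLAN</string>
      <key>EncryptionType</key><string>WPA</string>
      <key>EAPClientConfiguration</key>
      <dict>
        <key>AcceptEAPTypes</key><array><integer>25</integer></array>
        <key>OneTimeUserPassword</key><true/>
      </dict>
    </dict>
  </array>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.wifi</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
  <key>PayloadDisplayName</key><string>Corporate Wi-Fi</string>
</dict>
</plist>
"""

VALID_MODES = ("System", "LoginWindow")


def is_signed_profile(data):
    """A signed .mobileconfig is DER-encoded CMS and starts with a SEQUENCE
    tag (0x30); an unsigned export is an XML plist and starts with '<'."""
    return data[:1] == b"\x30"


def set_profile_mode(data, mode):
    """Return the profile bytes rewritten for System or LoginWindow mode."""
    if mode not in VALID_MODES:
        raise ValueError("mode must be one of %s" % (VALID_MODES,))
    if is_signed_profile(data):
        raise ValueError("profile is signed; re-export it with Security set to None, then edit")
    profile = plistlib.loads(data)
    wifi = [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.wifi.managed"]
    if not wifi:
        raise ValueError("no Wi-Fi payload; nothing to put into %s mode" % mode)
    for p in wifi:
        # First edit: the SetupModes array below SSID_STR in the Wi-Fi payload.
        p["SetupModes"] = [mode]
    # Second edit: both modes are device-level, so the scope is System either way.
    profile["PayloadScope"] = "System"
    return plistlib.dumps(profile)


def profile_mode(data):
    """Report (SetupModes, PayloadScope) for the first Wi-Fi payload."""
    profile = plistlib.loads(data)
    scope = profile.get("PayloadScope", "User")
    for p in profile.get("PayloadContent", []):
        if p.get("PayloadType") == "com.apple.wifi.managed":
            return p.get("SetupModes"), scope
    return None, scope


if __name__ == "__main__":
    converted = set_profile_mode(SAMPLE_PROFILE, "LoginWindow")
    print(converted.decode())
    print("before:", profile_mode(SAMPLE_PROFILE), "after:", profile_mode(converted))
```

Point set_profile_mode() at the bytes of a real unsigned export, write the result back out under a .mobileconfig name and install it; profile_mode() is a quick way to confirm which mode a profile already on disk is in before installing it on a machine you cannot easily reach.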
  4. I have a problem that my profiles install and I can see them under the profiles window in system preferences. But they don't show under 802.1X on the Advanced items for the network. I have 2 profiles. One for home that does not use a proxy server, and one for work that does. So I'm trying to get my MacBook Pro to connect to the work network and set the proxy when I'm at work, and remove the proxy stuff when it connects to my home network. Like my iphone does.

  5. Hi,
    Can you verify that the profiles that you installed include 802.1X/EAP settings for the Wi-Fi network? If they do not, then they will not show up under the Network > Wi-Fi > Advanced > 802.1X section.

    If it is not an 802.1X/EAP network, but you have defined a proxy, then try connecting to the network and see what shows up under the Network > Wi-Fi > Advanced > Proxies tab.

    Andrew

  6. Profile created. Cool. But when I reboot it still does not find it prior to login. No network connections... On the top right I can tell that there are no connections. Any clues?

  7. Correct, I noted this limitation in my article:

    "Additionally, user-created 802.1X profiles only work under their own user context, and do not work for pre-login or system level network connections which are of great benefit in enterprise environments..."

    To create system level profiles that can activate prior to user login with Mac OS X Lion, you need to create them from Profile Manager within Lion Server or manually hack an IPCU .mobileconfig file (as detailed in a previous comment).

    Andrew

  8. I created the mobileconfig file, and it works on its own, but when I edit the file (through text edit), it no longer works, saying that there was an error. Remove the added code, and it works again. Any ideas? We're running a Windows AD server and bind to it just for authentication, so we're not running a Lion server to load up profile manager.

    Thanks for the great info!

  9. You're likely exporting the mobileconfig file with a digital signature, which makes editing the file after export impossible without invalidating the signature (signed hash using a public key from a certificate).

    When exporting it, try setting the security to "None" instead of "Sign configuration profile."

    Cheers,
    Andrew

  10. I have altered the xml file as stated above and am not able to gain access thru the login window...no yellow jelly dot. I created the config file using IPCU configuring the general and wifi payloads only. Username and password left blank, exported with no signatures, altered in Text Edit. Saved and installed on a machine that was already connected to the network via Ethernet. Authentication went fine until restart after which I could not connect and strangely did not see the red dot. Logged in as admin, and was connected immediately. Frustrating!

    My setting is an all mac school, about 400 snow leopard,50, Lion. Running on SN servers using aruba wireless system. SL computers connect via Login Window profile created in 802.1X tab in Network system preference.

    Thanks in advance

    Replies
    1. Manually hacking the IPCU .mobileconfig profile is not ideal and leaves room for error. Also, newer versions of the IPCU may change the syntax and make previous workarounds fail. I'm not sure what you're experiencing.

      I would suggest using the Profile Manager in Lion Server, which is the only Apple supported method that I know of.

      Best of luck!
      Andrew

  11. Andrew this was a great article to find. Thanks for posting. I work for a large company that mainly uses Windows machines but is slowly moving to Macs. Last November we had roughly 40 and now we are over 230. I use the JAMF Casper Suite and love it, but I'm stuck trying to figure out how to take this .mobileconfig profile created with your instructions and have it set so that when a user is near the wireless it automatically logs them in using the cached credentials on the machine, since to log in and create a profile they have to authenticate with a Windows AD. I hope to start deploying this mobileconfig during the imaging process and the boss wants little to no user interaction if possible (Example - them typing in their username/password to join wireless). Any links or search terms would be greatly appreciated as I've exhausted my Googling for the last few days and feel burnt out from not finding a straight answer. Thanks again for the post and any help you might offer me.

    Replies
    1. I believe what you want to do is integrate Mac OS X machines into Active Directory (Apple calls this Dual Directory), then create an 802.1X profile in Lion Server - Profile Manager and configure the profile with "Use as a Login Window configuration (Mac OS X only)". This will instruct the MacBooks to connect to the Wi-Fi using the same username and password entered into the workstation's login screen.

      https://discussions.apple.com/servlet/JiveServlet/showImage/2-17782093-95302/Screen+Shot+2012-03-07+at+12.55.27+PM.png

      Also, the login window should display as "Name and Password" (not "List of Users"):
      http://support.apple.com/kb/HT4541

      Users may also need to include the domain name with their username when they login:
      http://support.apple.com/kb/HT4542#

      Best of luck!
      Andrew

  12. That little mobileconfig hack worked perfectly. Thanks Andrew.

  13. I work for a private school. We just bought a boatload of Aerohive APs. This Lion thing is killing me. If anyone has a fix other than installing a Lion server I'd appreciate help. I'm not a Mac guy. I had a profile working that was created using the iPhone CU but that seems to not work once moved to a different machine. We are all Macs here.

    Replies
    1. Are you signing the profile when you export it? If so, make sure the other machines trust the certificate with which the profile is signed, or stop signing it altogether.

      There are other options from MDM providers, and multiple ways to deploy profiles to devices, ranging from simply publishing it on a website, sending it via email, or leveraging Aerohive's MDM integration (such as JAMF) to automatically identify devices joining the WLAN, redirect them for enrollment with MDM (which can include profile deployment), and then allowing them network access. This can be a user self-enrollment process without IT involvement if you want it to be. See this blog post and video for more information:
      http://blogs.aerohive.com/blog/the-enterprise-wireless-networking-blog/simpli-fi-apple-device-management

      Cheers,
      Andrew

  14. Andrew,

    Great info here. I've been trying to "hack" the config file, but every time I edit the file, it errors out on me. Guess it is because it is signed with a digital signature? Without the signature, our Macs on campus will not authenticate. Any ideas on how I can get this going without upgrading our server to Lion or Mountain Lion? Wouldn't be a big deal if we weren't already 2 weeks into a school year. Thanks

    Replies
    1. Round 2....I did the config file, exported it with no security. Edited the config file with the above instructions. I installed the file and it loaded with no problems. I am able to authenticate fine, but it is still a "user" profile. It did not change to a "system" profile that I desperately need it to be. Seems like I am close...VERY close. But I've been working on this issue for several days now. I did try the profile manager on one of my Lion servers, but talk about convoluted!! It is WAY confusing compared to Snow Leopard's Workgroup Manager which I currently use. Any help would be greatly appreciated. Thanks everyone

  15. So, if you want to authenticate to an AD domain through a Wi-Fi connection, there is no way except acquiring ML Server, isn't it?
    This is the only way to enable the Wi-Fi BEFORE the login, no?
    Sorry for my bad English, but I need to log on to AD with a MB Air and the only way I have is to use a USB-RJ45 adapter... Not very user friendly!

  16. Looks like the latest iPhone Configuration Utility adds this functionality, without using ML server, or hacking the file.

    iPhone Configuration Utility lets you easily create, maintain, encrypt, and install configuration profiles, track and install provisioning profiles and authorized applications, and capture device information including console logs.


    Configuration profiles are XML files that contain device security policies, VPN configuration information, Wi-Fi settings, APN settings, Exchange account settings, mail settings, and certificates that permit iPhone and iPod touch to work with your enterprise systems.

    Replies
    1. Looks like the new version doesn't have the option to "Use as a login window configuration", like the server version.

  17. Tried the top-level mod to the .mobileconfig file to make it a System-level change (i.e., available at the login screen), but no change. If I login locally first and enable the profile, then log out, the wi-fi icon flickers twice then "goes gray".

    Interestingly, if iPhone Configuration Utility is supposed to be up to date on these sorts of things, why isn't it adding the System-level changes itself via a GUI similar to what we saw in Snow Leopard where System and Login Window were available options? If you attempt to reopen the modified .mobileconfig file, the iPCU throws a "The profile contains entries that cannot be managed by iPCU" warning at you.

    We will be upgrading from OS X Server Snow Leopard to Mountain Lion shortly, so perhaps the new iteration of Profile Manager will offer enhanced configuration above and beyond the iPCU? (Hopefully it'll allow backwards compatibility as well so we can manage both devices on Lion as well as Mountain Lion at the same time).

  18. Hello people, I have the same problem with 802.1X. I have installed iPCU and I followed the instructions, but the profile installation failed - some required information is missing... I have no problem with internet in coffee shops or at friends' apartments, but I live in a student dorm, and I can't solve this problem... The only access to internet in the dorm is a cable one; we don't have Wi-Fi. By the way, I guess I'm the only one with a Mac in the dorm :/ Thanks for your help
