802.1x profile

Similar Messages

• Does Updating To Lion From Snow Leopard Delete All Existing 802.1X Profiles

  Hello.
  I Was Just Wondering If I Installed Lion On My White Macbook Running The Latest Version Of Snow Leopard, Whether My 802.1x Profiles Will Be Migrated Across Or Deleted.
  Many Thanks

  I did, and my profiles are gone, and if you look at other posts, they cannot be easily added.
  I am accessing my 802.1x profiles when I start up from Snow Leopard, and my question would be how I could import the profiles from Snow Leopard?
  Helga

• What happened to my 802.1X profiles in LION?

  Hi there,
  The 802.1X profiles I had are not only gone when I installed Lion, but now the system does not allow me to create them anymore. Why do you obligue me to use a config file? I just do not see the advantage of making things more complicated. I think that adding the config file option is nice, but just do not remove the old way, which worked perfectly.
  Best regards,
  Antonio.

  Done. I somehow did not find that forum when I posted the question (that's why I highlighted in caps the word LION: to make it clear that it was not for the SL forum.
  Thanks,
  Antonio.

• Do I need to add a 802.1x profile to allow others to use my wifi?

  Before I upgraded to Mountain Lion visiting family members were able to use my internet. Now some cannot even though I have given them my password. Do I need to add a 802.1x profile? Does this mean my router?

  I cannot amend my initial post as I incorrectly described the display so here is an update.
  As far as I have read and experienced with purchasing two such displays, this model came with a Mini Displayport to DVI adapter not a HDMI to DVI adapter.
  I think I need an HDMI to Mini Displayport adapter so I can use the Mini Displayport to DVI adapter that came with the display.
  Here is the display:
  Apple Cinema Display 23-Inch Aluminum
  The Apple 23-Inch Cinema Display (Aluminum) (M9178LL/A), is designed match the Power Macintosh G5 and PowerBook G4 models. It features a 23-inch (1920x1200) wide-format active-matrix LCD display with 16.7 million colors, 170 degree viewing angle, and a response time of 16 ms. It sports dual FireWire 400 and dual USB 2.0 ports on the back of the display.
  Picture is here if link is allowed:
  http://www.sellyourmac.com/mac-product-guides/cinema-display.html
  http://www.sellyourmac.com/images/stories/mac-guides/apple_cinema_display_20_inc h_aluminum.jpg

• 802.1x Profile - PEAP/EAP-MSCHAPv2

  I'm trying to connect my new retina Macbook Pro to our enterprise network, and am having trouble with the 802.1x profile. Looking at the settings on my Windows PC, I need to use PEAP/EAP-MSCHAPv2, but OSX Lion seems to default to PEAP/EAP-GTC. With these settings, I'm able to connect to the network but cannot access any network resources.
  I'm using the iPhone Configuration Utility to generate the 802.1x profile package. As far as I can tell, I am unable to change the inner authentication method with this application. Anyone out there have any suggestions on how I can resolve this?

  The prompt is specified when you create the profile on the machine. You can either have the user get prompt for login, save a username and password or use the cache credentials. You need to look at the errors in radius and in the wlc. One will have enough info to say what went wrong during the authentication process.

• How can I creat a 802.1x Profile without Lion Server? I miss the plus-button in Lion to creat a 802.1x Profile.

  How can I creat a 802.1x Profile without Lion Server? I miss the plus-button in the Network Configuration (OS X Lion) to creat a 802.1x Profile.

  Tried this?
  http://blog.affien.com/archives/2011/03/16/802-1x-configuration-profile-on-lion- mac-os-x-10-7/

• Trouble with 802.1x profile

  Hi there,
  I work at a University, and after a recent network change all of our campus wifi networks require 802.1x authentication. This works fine for all but a couple of labs which use laptops, and thus require an 802.1x profile be built for the loginwindow so students can use their AD accounts to log in.
  I should probably also mention that the accounts are mobile accounts, and are removed after logoff (via a LogoutHook). We're running OS X 10.8.5 through 10.10.2.
  So far, I've built n-thousand variations of the 802.1x profile in ProfileManager, but am still completely unable to get this working.
  I'll start off with a rough overview our security settings, and what I've done so far:
  WPA2 Enterprise, PEAP with MSCHAPv2
  When logged in to a machine, trusting the following certificates and saving the user-supplied credentials will successfully allow a user to reconnect unprompted for credentials, but the (seemingly) same settings in the 802.1x profile don't work (or I'm configuring it incorrectly).
  Symantec Class 3 Secure Server CA - G4
  VeriSign Class 3 Public Primary Certification Authority - G5
  Also, the leaf / radius server certificate becomes trusted, but does not have to be explicitly downloaded (as far as I know- but I have tried supplying it as well).
  In the 802.1x profile, I've tried just about every permutation of settings I can think of, but I'll outline my general process (in case I'm missing something).
  I add the certificate payload with the 2 certificates listed above (I've also tried it with the leaf certificate).
  In the network payload, I
  1) enter the SSID
  2) set to AutoJoin
  3) set WPA2 Enterprise security
  4) check "Use as LoginWindow configuration"
  5) check PEAP under protocols
  6) add a 'filler' name to OuterIdentity (everything I read said it doesn't matter what's entered)
  In the Trust tab:
  7) check the 2 certificates added in the cert payload
  8) enter the FQDN of the RADIUS server (xxx-radius.xx.xxxxx.edu) in the Trusted Server Certificate Names (this is the same as the cert for the server found in Keychain Access)
  I've figuratively tried millions of variants (e.g. add the leaf cert to the cert payload / trust settings | add no cert payload, just radius server fqdn under TSCN section | etc.)
  Any tips on what I'm doing wrong?
  Thank you,
  Eric

  hi, if the problem still persists, have you tried clearing out any 802.1x profiles you have saved?
  Go to System Preferences > Network, click on Airport, choose Advanced, go to the 802.1x tab, look at the section on the left side that has User Profiles. Select the profile and hit the minus button at the bottom of the pane.
  A lot of these issues seem to be helped by clearing out any saved data about the wireless network, and setting it up manually again. We have seen many issues here at Notre Dame with Macs vs 802.1x. Hoping Apple makes it more reliable soon.

• How can I create 802.1x profile if my ISP doesn't provide one to me?

  I couldn't connect to my ISP
  ISP uses authentication with MD5. I tried to configure it from Network - Ethernet - Advanced - 802.1x but itturned out, that I couldn't add new profile there.
  My ISP says, that they doesn't provide any .mobileconfig files.
  How can I make my network work? Where and how to make .mobileconfig file?
  File, that I made in iPhone Configuration Utility doesn't work for me, because system says it couldn't be added as a profile.

  If your ISP is using MD5, I suggest you find another ISP.
  The security of MD5 hash algorithm has been declared to be severely compromised for some time now. I didn't think anyone was still using it.
  Allan

• My internet provider use 802.1x profile with MD5 protocol.

  I want to make wireless net at home with Air port Extreme. With it I cannot connect to the internet. My provider use verification 802.1x with MD5 protocol. I was trying to make new profile with iPCU (iPhone Configuration Utility) but found that now MD5 is not supporting.
  How I can connect the Air port Extreme?

  Unfortunately but I did not found in the article how to configure profile.
  Before in Mac OS Snow Leopard or earlier it was possible to choose authentication type: TTLS, EAP, TLS, EAP-FAST, LEAP, MD5.
  At the present moment in the iPCU (iPhone configuration utility) it is possible to choose: TLS, TTLS, LEAP, PEAP, EAP-FAST, EAP-SIM.
  In the manual for iOS 5 it is written that in the new OS MD5 protocol is not supported.
  Does it mean that I cannot connect to the local provider?

• How to create a 802.1X Profile Using Smart Card Certificate

  My company has just implemented a new wireless network that requires users to use a USB Smart Card security device.
  This works fine for Windows, as the OS will allow the end user to configure more advanced authentication/authorization methods (802.1X, etc.) Unfortunately, OS X removed this functionality several versions back; 802.1X and advanced Wi-Fi configurations must now be handled by some sort of profile creation utility. Unfortunately, I've yet to find a utility (iPhone Configuration Utility, Apple Configurator) that will allow the creation of an 802.1X / Wireless Network Configuration that allows the use of a smart card for authentication. They all require that you actually upload the entire key-pair combo(?) in the form of a .p12 file. This is impossible with a smart card; by design you are not allowed to export the private key.
  I'm wondering if there is some way around this? Is it even an option? I know Mac OS will allow me to select "EAP-TLS" when configuring a new wireless network in System Preferences, then even allows me to select my certificate/identity from the Smart Card. Unfortunately, the network I'm trying to connect to doesn't support EAP-TLS/needs some additional configuration options/settings (EAP-TTLS for one).
  Any help/ideas would be greatly appreciated. Thanks!!

  Hello,
  exactly my topic I have been fighting now for months and already gave up.
  My setup is a Lion Server and a Lion WLAN client. My goal is to have the system profile 802.1x WLAN authentication up and running but I just don't get it working. First I tried to create a machine certificate (TLS) but this did not work. Then I tried the option to use Computer Object credentials (TTLS) (Open Directory Computer Object account credentials) to establish network connection before a user logs on but also this does't work.
  As said I'm using Lion Server with Open Directory and Lion Server Radius.
  Any help or guide appreciated!
  Robert

• 802.1x profile, Active Directory, and Wireless

  I have been trying to reduce the amount of passwords our Apple users have to enter on our Active Directory network. 
  One of the ones I have ran into that I thought would be straightforward has turned out to not be so.
  I've created a Network Payload for Wi-Fi.  All of the Macs are bound to the AD Domain, and user's log in with their AD Credentials.
  Here is the sticking point I ran into.  When I choose "login window" in the network payload for wifi, my expectation is that the login credentials are passed through to the wireless.  Unfortunately, this appears to not be the case.  At first, I thought the login was being passed through as "LOGINNAME" instead of what the wireless may be expecting which would be "DOMAIN\LOGINNAME".  Here I tried variables in the user-name field, such as %short_name%@Domain.com, but still doesn't seem to work.
  I was hoping to go to the profile manager page on the site here, but it appears the documentation is a bit less than I was expecting, hence me coming here.
  Any other AD admin out there with Mac's in the network that has gotten login credentials to be passed through to the wireless?
  (EAP and TTLS boxes checked, if that helps)

  This has been working for us since OS 10.7.5, but is now broken with the release of Yosemite.  I have a ticket open with Apple enterprise support regarding this issue.

• Help with 802.1x wifi profile

  Hi All,
  I am in a bit of a bind.  I have been tasked with creating an 802.1x profile for Lion and up machines based on the profiles we use for our Windows machines and I have not been able to get this to work.  Our radius server is Win 2K8 R2 based, and uses various AD based methods for authentication.
  Radius needs the following:
  - Microsoft: Protected EAP (PEAP)
  - TLS (for MSCHAPv2 settings)
  PEAP Properties
  - Validate server certificate
  - Authentication Method:  EAP-MSCHAPv2 with Fast-Reconnet enabled
  MSCHAPv2 will use the user's AD credentials.
  Radius also requires that machine be found in AD.  Our CA admin has given me certs to add to the macs for this portion.
  I guess I am just very confused as to what info goes where.  I've had a look at this:
  http://www.revolutionwifi.net/2012/02/mac-os-x-lion-creating-wi-fi-8021x.html
  but I still can't figure this out.
  Can anyone provide any guidance on setting up 802.1x in this kind of a scenario?
  Thanks!

  The official documentation is below. I don't know anything that isn't in that document.
  http://training.apple.com/pdf/WP_8021X_Authentication.pdf

• 802.1x TLS (Machine certifcate) authentication in Snow Leopard

  Hi,
  In our company we are using 802.1x TLS authentication for WLAN and in some LAN ports. We are have been delivering machine certificate to our PCs for a while without problems and these are using the certificate to authenticate themselves before login to the network.
  We would like to deliver the same user experience to mac users but we are having sever problems to configure them. Our mac users use Snow Leopard and the few references I found on the internet regarding 802.1x TLS authentication is for Leopard or previous versions, where the 802.1x and Keychain configuration is quite different.
  We do have a proper machine certificate (with the correct usages, SAN, etc) and it´s related AD object provisioned. I have create the 802.1x profile as "User Prfile" and as a "System Profile" with the same results
  I add the Client logs below but what I don´t understand id why the client is sending it´s going to use MSCHap when that is not the case.
  <key>TTLSInnerAuthentication</key>
  <string>MSCHAPv2</string>
  Lastly the Keychain has also a weird behavior. If we import a Root CA in the "login" and/or "System" keychain, mark is as "always Trust" and later we import a certificate created by this Root CA, the keychain UI insist that the certificate "was signed by an unknown authority". For the logs below that does not seams the reason why the client is not able to use the 802.1x TLS but in any case that is a bug.
  Client logs:
  2010/05/14 10:37:12.872405 update_configuration
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
  <plist version="1.0">
  <dict>
  <key>AcceptEAPTypes</key>
  <array>
  <integer>13</integer>
  </array>
  <key>Description</key>
  <string>Automatic</string>
  <key>EAPFASTProvisionPAC</key>
  <true/>
  <key>EAPFASTUsePAC</key>
  <true/>
  <key>TLSIdentityHandle</key>
  <data>
  [Removed]
  </data>
  <key>TLSTrustedCertificates</key>
  <array>
  <data>
  [In here we have our Internal Root CA we use to create Machine certificate and also to create the certificate used in our IAS Server (the RADIUS)
  </data>
  </array>
  <key>TLSVerifyServerCertificate</key>
  <true/>
  <key>TTLSInnerAuthentication</key>
  <string>MSCHAPv2</string>
  </dict>
  </plist>
  2010/05/14 10:37:12.968769 link up
  2010/05/14 10:37:12.968862 Associated SSID [Removed SSID] BSSID [Removed BSSID]
  2010/05/14 10:37:12.972850 Receive Packet Size 77
  Ether packet: dest f8:1e:df:e4:88:5a source 0:11:5c:c7:14:90 type 0x888e
  EAPOL: proto version 0x2 type EAP Packet (0) length 59
  EAP Request (1): Identifier 1 Length 59
  Identity (1)
  length 59 - sizeof(*rd_p) 5 = 54
  [Removed. In here there is our networkid,nasid and portid ]
  2010/05/14 10:37:12.972955 Supplicant (main) status: state=Connecting
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
  <plist version="1.0">
  <dict>
  <key>ClientStatus</key>
  <integer>0</integer>
  <key>ConfigurationGeneration</key>
  <integer>2</integer>
  <key>DomainSpecificError</key>
  <integer>0</integer>
  <key>Mode</key>
  <integer>1</integer>
  <key>SupplicantState</key>
  <integer>1</integer>
  <key>Timestamp</key>
  <date>2010-05-14T08:37:12Z</date>
  <key>UniqueIdentifier</key>
  <string>[Removed]</string>
  </dict>
  </plist>
  2010/05/14 10:37:12.976795 EAP Request Identity
  2010/05/14 10:37:12.976819 EAP Response Identity [Removed, in here there is the Machine name as appears in the SAN of the certificate ]
  2010/05/14 10:37:12.976832 Transmit Packet Size 39
  Ether packet: dest 0:11:5c:c7:14:90 source f8:1e:df:e4:88:5a type 0x888e
  EAPOL: proto version 0x1 type EAP Packet (0) length 35
  EAP Response (2): Identifier 1 Length 35
  Identity (1)
  length 35 - sizeof(*rd_p) 5 = 30
  (Removed raw data with the SAN ]
  2010/05/14 10:37:12.977530 Supplicant (main) status: state=Acquired
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
  <plist version="1.0">
  <dict>
  <key>ClientStatus</key>
  <integer>0</integer>
  <key>ConfigurationGeneration</key>
  <integer>2</integer>
  <key>DomainSpecificError</key>
  <integer>0</integer>
  <key>IdentityAttributes</key>
  <array>
  <string>networkid=[Removed our SSID]</string>
  <string>nasid=[Removed our WLANC ID]</string>
  <string>portid=29</string>
  </array>
  <key>Mode</key>
  <integer>1</integer>
  <key>SupplicantState</key>
  <integer>2</integer>
  <key>Timestamp</key>
  <date>2010-05-14T08:37:12Z</date>
  <key>UniqueIdentifier</key>
  <string>[Removed]</string>
  </dict>
  </plist>
  2010/05/14 10:37:13.022577 force renew
  2010/05/14 10:37:13.025323 stop
  * Does someone been able to use 802.1x TLS based authentication for Snow Leopard clients and is able to point me to the right direction?
  * Does Apple provide any documentation for this? (all I found is that I should contact the "Network Administrator" to get the mac configured!!!))
  * How can I make that a certificate issued by a "Private CA" is trsuted in Snow Leopard? All workarounds I found are not suitable for Snow Leopard
  Thanks
  Jofre

  Hi,
  some updates, besides the keytools UI issue and the strange logs seams that the request is reaching the RADIUS, a Windows IAS Server.
  If we compare a PC and A MAc we have the follwoing.
  PC:
  1 0.000000 IntelCor_c1:49:69 Cisco_c7:14:90 EAPOL Start
  2 0.030210 Cisco_c7:14:90 IntelCor_c1:49:69 EAPRequest, Identity [RFC3748]
  3 0.034350 Cisco_c7:14:90 IntelCor_c1:49:69 EAPRequest, Identity [RFC3748] (Repeated)
  4 0.084879 IntelCor_c1:49:69 Cisco_c7:14:90 EAPResponse, Identity [RFC3748]
  5 0.135258 IntelCor_c1:49:69 Cisco_c7:14:90 EAPResponse, Identity [RFC3748] (Repeated)
  6 0.142715 Cisco_c7:14:90 IntelCor_c1:49:69 EAPRequest, EAP-TLS [RFC5216] [Aboba]
  7 0.196988 IntelCor_c1:49:69 Cisco_c7:14:90 TLSv1 Client Hello
  8 0.213640 Cisco_c7:14:90 IntelCor_c1:49:69 TLSv1 Server Hello, Certificate, Certificate Request, Server Hello Done
  Continues OK
  While on a Snow Leopard are:
  44 39.196967 Apple_e4:88:5a Cisco_c7:14:90 EAPOL Start
  45 39.201062 Cisco_c7:14:90 Apple_e4:88:5a EAPRequest, Identity [RFC3748]
  46 39.201386 Apple_e4:88:5a Cisco_c7:14:90 EAPResponse, Identity [RFC3748]
  47 39.209543 Cisco_c7:14:90 Apple_e4:88:5a EAPFailure
  after analizin the network traces we see that the different is on the 3rd EAP Packet:
  PC:
  4 0.084879 IntelCor_c1:49:69 Cisco_c7:14:90 EAP Response, Identity [RFC3748]
  802.1X Authentication
  Version: 1
  Type: EAP Packet (0)
  Length: 40
  Extensible Authentication Protocol
  Code: Response (2)
  Id: 1
  Length: 40
  Type: Identity [RFC3748] (1)
  Identity (35 bytes): host/SAN-NAME01.INTERNALDOMAIN.COM
  Mac Snow Leopard:
  46 39.201386 Apple_e4:88:5a Cisco_c7:14:90 EAP Response, Identity [RFC3748]
  802.1X Authentication
  Version: 1
  Type: EAP Packet (0)
  Length: 35
  Extensible Authentication Protocol
  Code: Response (2)
  Id: 2
  Length: 35
  Type: Identity [RFC3748] (1)
  Identity (30 bytes): SAN-NAME01.INTERNALDOMAIN.COM
  that difference prevents our RADIUS (IAS Server) to authenticate the device properly, with the error:
  User SAN-NAME01.INTERNALDOMAIN.COM was denied access.
  Policy-Name = <undetermined>
  Authentication-Type = EAP
  EAP-Type = <undetermined>
  Reason-Code = 8
  Reason = The specified user account does not exist.
  while in the PC case we have:
  PC:
  User host/SAN-NAME02.INTERNALDOMAIN.COM was granted access.
  Policy-Name = Allow Wireless Lan Access With Certificate
  Authentication-Type = EAP
  EAP-Type = Smart Card or other certificate
  * Question1: Is there a way to ensure that the Snow Leopard added the "host/" at the begining of the Identity?
  * Question2: Did someone been able to connect a Snow Leopard to a WLAN protected with 802.1x using TLS?
  Thanks
  Jofre

• WiFi  - WPA - 802.1X - Bug?

  Hi guys,
  sorry for posting this here in the discussion forums, but I don't really know where to do it.
  I think, I just found a bug in the OS X Network Preferences. I tried to login into a WPA secured network. Therefore I had to import a private key file and a certificate. After doing that I had to configure a 802.1X profile. So I did.
  But by clicking on the "Connect"-Button in the Airport preferences, it tried to access my MobileMe certificate and not that, that I imported before. SO it didn't work.
  I had to delete the MobileMe certificates from the KeyChain to make it access the privateKey.
  I was about to post it somewhere directly to Apple but couldn't find the link. Maybe you guys could do that for me?
  Thank you very much.
  Best regards from Viena/Austria
  Kamil

  http://www.apple.com/feedback/

• 802.1x Wireless Authentication with 10.8.4 Build 12E3067

  Hello All,
  Work in a school and we use 802.1x authentication for Wi-Fi and access to our server and Staff wireless VLAN.  We use a login window profile that authenticates with our Active Directory.
  Previous and working set up was MBA (Mid 2012) 5,1. Running OS 10.8.4 build 12E55.  This OS was downloaded from Mac App Store. Bound to domain and using authorization certificates for our active directory controllers. Created Wi-Fi 802.1x authentication profile with Profile Manager on 10.8 server.  No issue.  Units authenticate with server at user login, join Wi-Fi and mounts home folder. 
  New and not working set up is MBA (Mid 2013) 6,2 running OS 10.8.4 build 12E3067.  This unit will not run build 12E55, boots to prohibitory sign. Unit is set up with same certificates and 802.1x profile. When first booting up the Wi-Fi signal appears to be attached to the network, unlike previous setup when unit will Wi-Fi indicator will appear disconnected until user logs in.  90% of the time new units will not authenticate. States unable to connect to server and then loads into mobile user account.  Will not attached to Wi-Fi. There are instances when it does authenticate properly.  However logging out and then back in will cause the failure.
  Also note, I have made an image of the 6,2 MBA with build 12E3067 and installed in on MBA 5,1. Same Failure happens.  This leads me to believe the issue lies in OS 10.8.4 build 12E3067.
  Troubleshooting:
  -I have taken OS build 12E3067 on MBA 6,2 (failing to authenticate) and removed Wi-Fi profile. Unit authenticates over Ethernet with no issue. Add profile back and issue surfaces.
  -Created new profile using profile manager and issue continues. Verified proper certificates are being used. Would the previous profile
  -Restarted domain controllers. Issue continues.
  Any thoughts or questions would be appreciated.

  did you find any resolution to this?  our mba- mid 2013 deployment is having a very similar problem.  We've gone through loads of troubleshooting and have yet to come to a resolution.  all our mid 2012 mba's are working fine they're 10.7.5/10.8.4 mixed.  console logs don't show much, i'll try the wireless diags tomorrow.  our other 10.8.4 build appears fine on other models of machines.  i've read posts about deleteing the adapters, deleting the system config plists and changing the mtu size, these steps do not work for us.
  we don't have as high a failure rate with our deployment, but 25%-30% of our clients randomly drop connectivity and are unable to reconnect (fluttering wi-fi wave).  when you slect the wifi symbol in the menu bar other wireless networks do not show, the 'looking for networks' fly wheel continues to spin.  ocasionaly on login the yellow jelly bean will appear then disappear before finally timeing out without logging the user in (depsite having mobile accounts enabled).    mostly the problem manifests itself when waking from sleep - the wifi symbol flutters endlessly without connecting.  deleting the 8021x profile and readding it will reenable connectivity.  we've tried new profiels, but to the same end.  i know our certs and systems are fine because previous mac os x builds work fine as do our windows clients.
  any input would be much appreciated.