Mac OS 802.1X

From Provider Wiki




Introduction

Creating an 802.1X entry by hand

You might want to create an entry for AirPennNet by hand; this is how to do it:

Make sure that Airport is turned on (either through the icon in the menu bar, or through System Preferences->Network->Airport).

Internet Connect

  1. Logged in as the user you want to use this with, open "Internet Connect.app" (in /Applications).
  2. If there is a "802.1X" icon, click on that, otherwise choose "New 802.1X Configuration..." from the "File" menu.
  3. From the "Configuration:" drop-down choose "Edit Configurations...".
  4. Select the configuration you want to edit, or use the "+" button at the bottom to create a new configuration.
  5. Description: can be anything you want it to be, the standard is "Penn 802.1X"
  6. Network Port: should be "Airport"
  7. User Name: can be blank, or the user's PennKey
  8. Password: this should be blank (otherwise there will be no password prompt)
  9. Wireless Network: "AirPennNet" (this will only be available if the computer can see the network at that moment)
  10. Authentication: uncheck everything except "TTLS"
  11. Select "TTLS" and click on "Configure..."
  12. Choose "PAP" as the Inner Authentication mechanism (no Outer Identity needed).
  13. Click on "Ok" then "Ok" and then "Connect" to test the setup.

This should prompt you for a login (pennkey name and password), and you will probably get a message about the certificate next.

Note: Connections that are created by this method only work for a specific computer. They will not work on other computers if you are using a standard image.

Certificate Verification

The first time you connect to Penn's 802.1X system your computer will prompt you to verify the security certificate. The message will read: "802.1X Authentication" "The server certificate is not trusted because there are no explicit trust settings". To tell the computer to always trust this certificate:

  1. Click on "Show Certificate"; this opens up the window showing the certificate information (long)
  2. Scroll to the bottom, and click on the disclosure arrow to show the "Trust Settings"
  3. Set "When using this certificate:" to "Always Trust".
  4. Click "Continue" and this should be done.

Manually setting the Certificate Trust

If for some reason you need to set the trust settings on the certificate but cannot connect at that point to get it to prompt you, you can also do it manually. To do so:

  1. With the user logged in, open "Keychain Access.app" (/Applications/Utilities)
  2. In the "X509Anchors" keychain, find the "noc4.dccs.upenn.edu" certificate entry
  3. Double click on it to open it
  4. Scroll to the bottom, and click on the disclosure arrow to show the "Trust Settings"
  5. Set "When using this certificate:" to "Always Trust".
  6. Close the window and you should be set.

Cleaning out 802.1X entries

In the process of troubleshooting you may want to clean out everything associated with 802.1X. While this is not a hard process, you do have to know where to look. Here is a basic walkthrough:

Keychain Password Entries

If there are any stored passwords, they will be in the user's Keychain. Here is how to clean them out:

  • Logged in as the user, open Keychain Access.app (/Applications/Utilities)
  • In the "login" keychain (you might have to click on "Show Keychains") look for entries of kind "Internet Connect". These could also be dial-up passwords, so you will have to use your judgment based on the name. But the worst thing you would do by deleting them is to have to re-enter them.
  • You might also want to look in the "System" keychain, to make sure something hasn't been put in there, and in any other keychains that might have been created.

Keychain Certificates

Since 802.1X uses SSL to communicate, you need to have a certificate in order to talk to the authentication device (in the case of Penn this is noc4.dccs.upenn.edu). When you first connect this is created for you, but it is possible that a setting could go wrong, or the old certificate might expire and you need a new one. To clean out the entries:

  • Logged in as the user, open Keychain Access.app (/Applications/Utilities)
  • In the "X509Anchors" keychain (you might have to click on "Show Keychains") look for entries with the name noc4.dccs.upenn.edu. You can simply delete these (they will be re-created).
  • If someone manually played with things, there could be certificates in other keychains that might interfere, so you might want to look around for those.

Internet Connect

The other place that you might want to delete things out of (so that you can start fresh) is out of "Internet Connect". To do this:

  • Logged in as the user open up "Internet Connect.app" (in /Applications)
  • Click on "802.1X" in the top bar (if there is no 802.1X there, then it has never been setup, so there is nothing to clean out).
  • Select "Edit Configurations..." from the "Configuration:" drop-down.
  • In the sheet that pops up select the configurations one-by-one from the left-hand side and use the minus button at the bottom to delete them.

The Raw Preferences File

If you ever need to do anything with the raw preferences file for 802.1X, in 10.3 and 10.4 it lives at:

~/Library/Preferences/ByHost/com.apple.networkConnect.<ethernet MAC address>.plist

Note that the <ethernet MAC address> is just that: the MAC address of the wired card on the computer, without colons. It is a little annoying that they tie this to the individual computer like this, but...

Also note that this file is in plist format, and on 10.4 it is in binary plist format. You can convert it with the command-line tool "plutil", or read it out using the "defaults" command-line tool or PropertyList Editor (part of the free development tools).

The Raw File (annotated)

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>-2</key>
	<array>
		<dict>
			<key>ConnectByDefault</key>
			<true/>
			<key>Network Port</key>
			<string>en1</string>

'en1' is usually the Airport card on most Macs, 'en0' the built-in ethernet.

			<key>PPP</key>
			<dict>
				<key>AuthName</key>
				<string></string>
				<key>AuthPassword</key>
				<string></string>

If you wanted a saved name and password, they would go here.

				<key>UserDefinedName</key>
				<string>UPenn 802.1X</string>

This is the name that the user gets shown.

			</dict>
			<key>Protocols</key>
			<array>
				<dict>
					<key>On</key>
					<integer>1</integer>
					<key>Protocol</key>
					<string>TTLS</string>
				</dict>
				<dict>
					<key>On</key>
					<integer>0</integer>
					<key>Protocol</key>
					<string>TLS</string>
				</dict>
				<dict>
					<key>On</key>
					<integer>0</integer>
					<key>Protocol</key>
					<string>EAP-FAST</string>
				</dict>
				<dict>
					<key>On</key>
					<integer>0</integer>
					<key>Protocol</key>
					<string>PEAP</string>
				</dict>
				<dict>
					<key>On</key>
					<integer>0</integer>
					<key>Protocol</key>
					<string>LEAP</string>
				</dict>
				<dict>
					<key>On</key>
					<integer>0</integer>
					<key>Protocol</key>
					<string>MD5</string>
				</dict>
			</array>

This array lists the authentication methods. This (only TTLS switched on) is the proper setting for AirPennNet.

			<key>TTLSInnerAuthentication</key>
			<string>PAP</string>

This is the inner authentication method that we need to use at Penn.

			<key>UniqueIdentifier</key>
			<string>604498DD-CD4B-4248-ABFD-F0F20B11C226</string>

This is a randomly generated UUID that is used to tie this to the Keychain entry with the password.

			<key>Wireless Network</key>
			<string>AirPennNet</string>

Here is where you need the network name.

		</dict>
	</array>
</dict>
</plist>
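Added example (not from the wiki): a small POSIX shell script that builds the ByHost path described in "The Raw Preferences File", converts a 10.4 binary copy to XML, and checks the XML against the settings annotated above (blank password, only TTLS enabled, PAP inner authentication). The plutil invocation and the constructed sample plist are assumptions, not a real file from any machine.

```shell
#!/bin/sh
# Added example (not from the wiki): build the 10.3/10.4 ByHost prefs path and check an
# XML copy of the file against the AirPennNet settings described on this page.

# ByHost suffix is the wired card's MAC address with the colons removed (per the wiki).
prefs_path() {
  printf '%s/Library/Preferences/ByHost/com.apple.networkConnect.%s.plist' \
    "$HOME" "$(printf '%s' "$1" | tr -d ':')"
}
# 10.4 stores a binary plist; convert a copy to XML first (plutil only exists on a Mac).
plist_to_xml() { plutil -convert xml1 -o "$2" "$1"; }
# Flag a stored password, any protocol besides TTLS switched on, or an inner method other
# than PAP. Relies on the one-element-per-line XML layout. Returns 1 if anything is found.
check_config() {
  rc=0
  if awk '/<key>AuthPassword<\/key>/ { getline; if ($0 !~ /<string><\/string>/) bad = 1 }
          END { exit (bad ? 0 : 1) }' "$1"; then
    echo "password stored on disk (leave it blank so the user gets prompted)"; rc=1
  fi
  extra=$(awk '/<key>On<\/key>/ { getline; on = ($0 ~ /<integer>1<\/integer>/) }
               /<key>Protocol<\/key>/ { getline; gsub(/.*<string>|<\/string>.*/, "")
                                        if (on && $0 != "TTLS") print }' "$1")
  [ -z "$extra" ] || { echo "protocols enabled besides TTLS:" $extra; rc=1; }
  if ! awk '/<key>TTLSInnerAuthentication<\/key>/ { getline; ok = ($0 ~ /<string>PAP<\/string>/) }
            END { exit (ok ? 0 : 1) }' "$1"; then
    echo "inner authentication is not PAP"; rc=1
  fi
  return $rc
}
# Constructed sample, not a real file: $1 = output path, $2 = saved password ("" = none),
# $3 = 1 to also switch PEAP on.
write_sample() {
  cat > "$1" <<EOF
<plist version="1.0"><dict><key>-2</key><array><dict><key>PPP</key><dict>
<key>AuthPassword</key>
<string>$2</string>
</dict><key>Protocols</key><array><dict>
<key>On</key>
<integer>1</integer>
<key>Protocol</key>
<string>TTLS</string>
</dict><dict>
<key>On</key>
<integer>$3</integer>
<key>Protocol</key>
<string>PEAP</string>
</dict></array>
<key>TTLSInnerAuthentication</key>
<string>PAP</string></dict></array></dict></plist>
EOF
}
```

On a 10.4 machine, run `plist_to_xml "$(prefs_path <mac>)" /tmp/x.plist` first and then `check_config /tmp/x.plist`; on 10.3 the file is already XML.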

Gory Detail Notes

Here is a bit of a brain-dump about how Mac OS X works with 802.1X. Most of these details are not directly helpful in troubleshooting, but might be valuable to someone:

  • Most (if not all) forms of 802.1X require a security certificate to be involved in the process. The protocol does allow for the downloading of this certificate as part of the negotiation phase, and Mac OS X does seem to do this without any problem. However, there is also the "trust setting" involved, and this has to be set by the user.
  • Trust settings are a per-user thing. And specifically the "EAP" setting is the one you need to set (overall certificate setting will also get this). Normally you can put a certificate in the X509Anchors keychain and everything gets trusted there... except that does not hold true for 802.1X/EAP.
  • Self-signed certificates seem to be buggy (sometimes they work, sometimes they don't, even with the same certificate on the same computer), so you should aim for something that is chained off a known root certificate. Putting the certificate in the X509Anchors would probably solve that part of the problem.
  • The trust settings for everything for a single user are stored in their default keychain (usually login.keychain). This might seem counter-intuitive when the certificates can be in other keychains. There does not seem to be a way of storing trust settings for all users.