Wednesday, April 25, 2012

802.1x User Profile for Kiosks

Quick Link: Download the Code

I was given the task of configuring 802.1x for our Portable Sig Stations. These MacBooks are used throughout the campus on wireless to allow students to agree to the terms of our network. Previously these MacBooks used an older wireless solution that was being retired in July. When the machines are set up in the morning, different consultants and student workers need to authenticate to the wireless. In order to keep them working over the next few months, we had to add the new 802.1x wireless config. This was not as easy as it seemed...

User Profile 802.1x seems to be configured in four places:

~/Library/Preferences/com.apple.eap.profiles.plist
This is the system-wide 802.1x config for the wireless.

~/Library/Preferences/ByHost/com.apple.eapbinding.[UUID]
This is the preferred network for the user. This was required for our setup; others may not need it.
The UUID could be the MAC address or the UUID of the Mac.

/Library/Preferences/SystemConfiguration/preferences.plist
The AirPort is turned on and off here.
There is also a preferred network setting here.

/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist
Recent networks are stored here.

After watching the file changes using FSEventer, and checking out the scripts of a few other Mac admins (Steve Yuroff and Bryan Lee), I was able to bring together the pieces I needed to get it to work.

Some other useful links:
http://www.afp548.com/article.php?story=20100421100144943
http://www.afp548.com/article.php?story=20090901010221742
http://hints.macworld.com/article.php?story=20101004114849586
http://bigmaconcampus.wordpress.com/2009/08/27/wireless-installer-the-next-generation/

Manually Configuring:

I followed the instructions provided here and used FSEventer to watch the files being modified:
https://www.work.psu.edu/access/dot1x/prod/mac1053.html

Now Script It!

First, manually set up and export the profile to the current directory:
networksetup -export8021xUserProfiles AirPort . yes

On a new machine:

Install the 802.1x file into "/Library/PSUshared/psu-8021x-profile.plist"
Install the script to "/Library/PSUshared/psuWirelessSetup.sh"
Install the launchd item into "/Users/kiosk/Library/LaunchAgents/edu.psu.clc.wirelesssetup.plist"
Run the visudo code in the terminal, with sudo.

UPDATE: I tried my damnedest to paste the code, Google Blogger does NOT like it. Just get the download!

While this script is designed for a single user, the code could be changed to run for any user logging in, although for a standard user account a launchd item would be excessive. Also, 10.7 negates the need for this because it uses the 802.1x profile, which works much better with multiple users!
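
A check worth running after the install steps above, added here as an example and not part of the original post or its download: it confirms that the script, the exported profile and their directory are root-owned and not writable by group or others. It assumes the visudo entry lets the kiosk account run /Library/PSUshared/psuWirelessSetup.sh as root; safe_path and audit_kiosk_install are hypothetical helper names.

```shell
#!/bin/sh
# Added example: audit the files installed by the steps in this post.
# Assumption: the visudo entry lets the kiosk account run
# /Library/PSUshared/psuWirelessSetup.sh as root.

# safe_path PATH [OWNER_UID]  (hypothetical helper)
# Succeeds only if PATH exists, is not a symlink, is owned by OWNER_UID
# (default 0 = root) and is not writable by group or others.
safe_path() {
    path=$1
    owner=${2:-0}
    if [ ! -e "$path" ] || [ -L "$path" ]; then
        echo "MISSING or symlink: $path"
        return 1
    fi
    # find prints the path only when every ownership/mode test passes;
    # -prune keeps it from descending when PATH is a directory.
    if [ -n "$(find "$path" -prune -user "$owner" ! -perm -020 ! -perm -002 -print 2>/dev/null)" ]; then
        echo "OK      $path"
    else
        echo "UNSAFE  $path"
        return 1
    fi
}

# audit_kiosk_install  (hypothetical helper)
# A root-run script is only as safe as the script itself, the data it
# reads, and the directory that holds them.
audit_kiosk_install() {
    rc=0
    for p in /Library/PSUshared \
             /Library/PSUshared/psuWirelessSetup.sh \
             /Library/PSUshared/psu-8021x-profile.plist; do
        safe_path "$p" || rc=1
    done
    # The LaunchAgent lives in the kiosk user's home and belongs to that user.
    kiosk_uid=$(id -u kiosk 2>/dev/null) || kiosk_uid=
    if [ -n "$kiosk_uid" ]; then
        safe_path /Users/kiosk/Library/LaunchAgents/edu.psu.clc.wirelesssetup.plist "$kiosk_uid" || rc=1
    else
        echo "NOUSER  kiosk"; rc=1
    fi
    return "$rc"
}

# Run the audit only when asked: sh audit.sh audit
case "${1:-}" in audit) audit_kiosk_install ;; esac
```

An UNSAFE line means the path has the wrong owner or is writable by group or others, so someone other than root could change what the sudo rule ends up running.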

I've also included an attachment with the file, as the web isn't the best way to display scripts properly. Don't try to copy and paste the code from the browser, just download it here.

Rusty
