MacOS X Login with 802.1x

At my $dayjob, I created a fancy unified login system with OpenLDAP and NFS mounts for all the computers. (General details of which I’ll put online when I have some spare time.) So I wanted to add another layer of fun: 802.1X network authentication. In my case, it’s only for wireless (using an HP 420 access point and FreeRADIUS), but this would work with a wired connection, too. The big problem was getting the login window to authenticate with 802.1X before the user logs in, so it could get all the directory information from LDAP and the NFS automounts for the user’s home directories. I was able to find some directions on how to do this from Apple (http://docs.info.apple.com/article.html?artnum=303471) but they failed to work for me.

Ultimately, after a long fight, with much anger towards Apple and the world for poor documentation, I was able to figure out what goes in the NetworkAuthConfigList key of /Library/Preferences/com.apple.loginwindow:

    NetworkAuthConfigList = (
        {
            AuthData = {
                AcceptEAPTypes = (21, 25);
                TLSVerifyServerCertificate = 1;
                TTLSInnerAuthentication = MSCHAPv2;
            };
            AuthType = "802.1x";
            "Network Port" = en1;
            UserDefinedName = "My 802.1X Configuration";
            "Wireless Network" = "My Wireless AP";
        }
    );

In addition to this, you must have your RADIUS server’s TLS root certificate in the X509Anchors and System keychains, trusted for EAP authentication. (The 21 and 25 in AcceptEAPTypes are the EAP method numbers for EAP-TTLS and PEAP; I’m only using those two, so no client certificates are needed.) Keep TLSVerifyServerCertificate at 1: with PEAP and TTLS the user’s MSCHAPv2 credentials are only as safe as that server certificate check, since an access point that is not validated could collect them. This is also very useful for mass deployments, since you can script it using the “defaults write” command. And in my case, the command line is less annoying than pretty buttons that never tell you what went wrong.

You probably still need to set up an 802.1X profile in Internet Connect (and obviously change UserDefinedName, “Wireless Network”, and “Network Port” to match your network). I haven’t tried this yet without creating a profile in Internet Connect, but it feels like all the required data is already there. Anyway, I’m sharing this in case anyone else out there is trying to do network auth like I am, and hopefully it saves you the trouble I had getting this far.
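To make the “script it with defaults write” idea concrete, here is an added example (my own code, not from the original post) that builds the NetworkAuthConfigList entry shown above, checks the settings a practitioner would want checked (TLSVerifyServerCertificate = 1, only the password-based EAP types 21 and 25), merges it into a loginwindow plist without duplicating an entry of the same UserDefinedName, and renders the OpenStep text form that `defaults write ... -array` accepts. The assumed target path /Library/Preferences/com.apple.loginwindow.plist, the function names, and the demo’s use of a temporary file are all mine; on a real 10.4 machine you would run it as root against the real file, and it does not install the RADIUS root certificate, which still has to be trusted for EAP in the keychains by hand.

```python
"""Build, sanity-check and install a loginwindow 802.1X entry (NetworkAuthConfigList)."""
import os
import plistlib
import shlex
import tempfile

# EAP method numbers from the IANA EAP registry: 21 = EAP-TTLS, 25 = PEAP.
EAP_TTLS = 21
EAP_PEAP = 25
PASSWORD_ONLY_EAP_TYPES = {EAP_TTLS, EAP_PEAP}   # tunnelled methods needing no client cert

# Assumed target file on the Mac (the post names the domain without the .plist suffix).
LOGINWINDOW_PLIST = "/Library/Preferences/com.apple.loginwindow.plist"


def make_entry(name, port, ssid, eap_types=(EAP_TTLS, EAP_PEAP), inner_auth="MSCHAPv2"):
    """Return one NetworkAuthConfigList element with exactly the keys from the post."""
    return {
        "AuthData": {
            "AcceptEAPTypes": list(eap_types),
            "TLSVerifyServerCertificate": 1,      # never 0: see check_entry()
            "TTLSInnerAuthentication": inner_auth,
        },
        "AuthType": "802.1x",
        "Network Port": port,                     # e.g. en1 for AirPort on a 10.4 laptop
        "UserDefinedName": name,
        "Wireless Network": ssid,
    }


def check_entry(entry):
    """Return a list of problems; an empty list means the entry is safe to deploy."""
    problems = []
    auth = entry.get("AuthData", {})
    if auth.get("TLSVerifyServerCertificate") != 1:
        problems.append("TLSVerifyServerCertificate is not 1: the supplicant would hand the "
                        "MSCHAPv2 inner credentials to any AP presenting a certificate")
    types = set(auth.get("AcceptEAPTypes", []))
    if not types:
        problems.append("AcceptEAPTypes is empty")
    unknown = types - PASSWORD_ONLY_EAP_TYPES
    if unknown:
        problems.append("AcceptEAPTypes has types other than 21/25 (would need client "
                        "certificates, which this setup does not issue): %s" % sorted(unknown))
    if entry.get("AuthType") != "802.1x":
        problems.append("AuthType must be the string 802.1x")
    if not entry.get("Network Port"):
        problems.append("Network Port (e.g. en1) is missing")
    return problems


def merge_into_loginwindow(entry, plist_path=LOGINWINDOW_PLIST):
    """Add or replace the entry (keyed by UserDefinedName) and return the resulting list."""
    if os.path.exists(plist_path):
        with open(plist_path, "rb") as f:
            prefs = plistlib.load(f)              # reads binary or XML plists
    else:
        prefs = {}
    configs = [c for c in prefs.get("NetworkAuthConfigList", [])
               if c.get("UserDefinedName") != entry["UserDefinedName"]]
    configs.append(entry)
    prefs["NetworkAuthConfigList"] = configs
    with open(plist_path, "wb") as f:
        plistlib.dump(prefs, f)                   # XML plist; `defaults` reads XML too
    return configs


def openstep(value):
    """Render a value in the OpenStep text form that `defaults write` accepts."""
    if isinstance(value, dict):
        body = " ".join("%s = %s;" % (openstep(k), openstep(v)) for k, v in sorted(value.items()))
        return "{ " + body + " }"
    if isinstance(value, (list, tuple)):
        return "(" + ", ".join(openstep(v) for v in value) + ")"
    if isinstance(value, bool):                  # bool before int: True is an int in Python
        return "1" if value else "0"
    if isinstance(value, int):
        return str(value)
    s = str(value)                                # quote anything that is not a bare word
    return s if s.isalnum() else '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def defaults_write_command(entry, domain="/Library/Preferences/com.apple.loginwindow"):
    """The one-liner to run as root on the target Mac (replaces the whole array)."""
    return "defaults write %s NetworkAuthConfigList -array %s" % (domain, shlex.quote(openstep(entry)))


def demo():
    """Constructed run against a temporary file: returns the stored NetworkAuthConfigList."""
    entry = make_entry("My 802.1X Configuration", "en1", "My Wireless AP")
    if check_entry(entry):
        raise SystemExit(check_entry(entry))
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "com.apple.loginwindow.plist")
        merge_into_loginwindow(entry, path)
        merge_into_loginwindow(entry, path)       # second run replaces, never duplicates
        with open(path, "rb") as f:
            return plistlib.load(f)["NetworkAuthConfigList"]


if __name__ == "__main__":
    for c in demo():
        print(c["UserDefinedName"], c["Network Port"], c["Wireless Network"])
    print(defaults_write_command(make_entry("My 802.1X Configuration", "en1", "My Wireless AP")))
```

The merge path is the one to use for mass deployment, since `defaults write` with `-array` replaces the whole key and would wipe any other 802.1X entries already on the machine; run the checker first and refuse to push an entry that comes back with problems.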

One final note: I have only tried this on 10.4.11, since 10.5 completely broke LDAP authentication in even the simplest test case, and is banned from $dayjob until that can be fixed.

One Comment

  1. I received a lot of comments on my MacOS X Login with 802.1x post, so it’s time for an update!