Update: MacOS X Login with 802.1x

I’ve received a lot of comments on my MacOS X Login with 802.1x post, so it’s time for an update!

  1. I have no idea what the real XML structure for loginwindow is. What I have comes from trial and error, fragments from searches, and adding the items using ‘defaults write’. Some (most?) of it can be found in the XML files for AirPort, which are available in pure XML format.
  2. Internet Connect is hardcore finicky about adding things itself. After writing the aforementioned post, I discovered that the reason it wasn’t adding to the login window as it’s supposed to was cert errors from keychain. My solution was to connect with 802.1x, delete all references to my certs (I made certs from my own CA on my RADIUS server) from keychain under the user, system, and anchors sections, then run the “add to login window” option under Internet Connect. However, this only worked once for me, and after that it went back to being pissed off and broken.
  3. I haven’t tried anything on 10.5.x yet because the fancy LDAP system I developed at $dayjob is broken under 10.5. Apple made enough changes to their LDAP that it’ll see all the data from LDAP, but it won’t auth at the login window. I haven’t even had time to look at it yet because I no longer have a Mac at home, and we’re going through a merger at $dayjob.

So, there you have it. 802.1x works – mostly – although I still have problems with it finding the AP fast enough if you try to turn on portable home directories (a topic for another post) because the Mac gives up way too fast on 802.1x and logs you in without networking and breaks any network permissions you may have set with groups and the like. Someday I plan on documenting everything I’ve done to create this unified LDAP single sign-on system I keep mentioning, as it was a nightmare to come up with a way Windows, MacOS and Linux can find a common ground in LDAP. Stay tuned!