Category : Mac

How to Troubleshoot 802.1x Mac Authentication Issues

It is quite complex to troubleshoot 802.1x authentication issues on a Mac. Here are a few places where you can look for errors:

1. RADIUS Server Log

This is the most convenient and efficient way to troubleshoot 802.1x issues. Just send the Mac's MAC address to your network engineer and ask for the authentication log 🙂

If you just use FQDN_computername, it will fail for sure

The correct name should be computername$

Or you can use host/FQDN_computername


2. EAPOLClient Log

If you cannot find your network engineer easily, here is the perfect log to troubleshoot with yourself. Just open Terminal; the first command turns on verbose eapolclient logging and the second dumps the recent Mac authentication log (it collects the last 30 minutes; adjust --last if you need a different window):

# enable verbose logging for eapolclient
sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.eapolclient LogFlags -int -1

# dump the eapolclient entries from the unified log to a file on the Desktop
log show --style syslog --predicate 'processImagePath contains "eapolclient" and subsystem contains "com.apple.eapol"' --last 30m > ~/Desktop/eapolclient.log

You will get this if someone removes the network configuration profile:

You will get this if your network identity preference is not correctly linked to your mac client certificate:

Your EAP Response Identity should be computername$ or host/FQDN_computername
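As an added example (not from the original post), here is a small POSIX shell check that pulls the identity values out of the eapolclient dump and flags any that are not in the computername$ or host/FQDN_computername form. The identity=... field in the constructed sample lines is an assumed log format, so adjust the grep pattern to match the lines you actually see.

```shell
#!/bin/sh
# Added example, not from the original post: validate the EAP identity values
# found in an eapolclient log dump against the two forms the RADIUS server
# accepts: computername$ (machine account) or host/FQDN_computername.
# ASSUMPTION: the "identity=<value>" field is a constructed log format used for
# illustration; real eapolclient lines differ, so adapt the grep pattern.

# Return 0 when the identity is in an accepted form, 1 otherwise.
eap_identity_ok() {
    case "$1" in
        host/?*.?*) return 0 ;;   # host/FQDN_computername (needs a dotted FQDN)
        ?*'$')      return 0 ;;   # computername$ (machine account form)
        *)          return 1 ;;
    esac
}

# Report every identity in a log file and return the number of bad ones.
check_eapol_log() {
    bad=0
    for id in $(grep -o 'identity=[^ ]*' "$1" | sed 's/^identity=//'); do
        if eap_identity_ok "$id"; then
            printf 'OK   %s\n' "$id"
        else
            printf 'BAD  %s (expected computername$ or host/FQDN_computername)\n' "$id"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample log (three identities, the last one wrong); prints its path.
write_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
2024-01-01 09:00:01 eapolclient[123] <Notice>: EAP Response Identity identity=MAC01$ (constructed sample)
2024-01-01 09:00:02 eapolclient[123] <Notice>: EAP Response Identity identity=host/mac01.corp.example.com (constructed sample)
2024-01-01 09:00:03 eapolclient[124] <Notice>: EAP Response Identity identity=mac01.corp.example.com (constructed sample)
EOF
    printf '%s\n' "$f"
}

# Usage on a real dump: check_eapol_log ~/Desktop/eapolclient.log
check_eapol_log "$(write_sample_log)" || echo "$? bad identity line(s) found"
```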

3. Keychains


You should have these items inside your Keychain:

1. Identity Preference for Wi-Fi under your “login” keychain
2. Identity Preference for Ethernet under “System”
3. 802.1x Password for Wi-Fi under “System”
4. 802.1x Password for Ethernet under “System”
5. Root CA certificate


4. Configuration Profile Installation Issues

If you see this message when trying to install the configuration profile:

The ‘Active Directory Certificate’ payload could not be installed. The certificate request failed.

Enable debug logging for the managed client and then check the log:

sudo defaults write /Library/Preferences/com.apple.MCXDebug debugOutput -2
sudo defaults write /Library/Preferences/com.apple.MCXDebug collateLogs 1

Then check the log at /Library/Logs/ManagedClient/ManagedClient.log


If everything is fixed, you should be able to see this on your network connection:



802.1X Network Authentication for Mac

Cannot believe I spent so much time just to figure out how to do 802.1x network authentication for Mac 🙂

So for managed Macs, we have two ways to set up 802.1x: one is using Apple Profile Manager to create a configuration profile, and the other is to use a Casper configuration profile. From the internet, it seems the Casper profile has some issues with the Ethernet profile, so I decided to use Apple Profile Manager from the Server app.

However, no matter what settings I made, it always turned out like this when I installed the profile on a test Mac:

So I had to choose the Casper configuration route. However, if you are using Apple Profile Manager, here are a few points that may be helpful to you:

  1. On the Certificate Server, you have to type something like this: https://FQDN/certsrv
  2. The username you use to authenticate with the RADIUS server can be %ComputerName%$.

Here are a few articles that talk about this method:

https://support.apple.com/en-us/HT204602

https://kevinbecker.squarespace.com/blog/2015/03/26/mac-os-x-wpa2-enterprise-authentication-using-a-microsoft-ca-part-2-2


Ok, now let’s talk about doing 802.1x authentication using Casper’s configuration profile. Here are the settings from my environment:

  1. Upload your root CA certificate on the Certificate tab.
  2. Set up your AD certificate payload to acquire the client certificate for your Mac:
    2.1 For Certificate Authority, just the common name of your server is fine.
    2.2 Be careful about “The name of the CA”; you can find your real CA name by following this URL:
    https://support.microsoft.com/en-us/help/555529?wa=wsignin1.0%3Fwa%3Dwsignin1.0
  3. On the Network tab, create two networks, one for Wi-Fi and the other for Ethernet.
    It needs to be “Computer Level” under the “General” tab.
    Choose the security type your environment uses; for me, it is TLS.
    On the Trust tab, choose the root CA and specify every RADIUS server you need to trust. If you list *.FQDN, it will NOT work. You have to manually specify the full FQDN of each of your RADIUS servers.

    The username part is very important. If you use $COMPUTERNAME like Casper said, it will come out as name.domain.net, but for our RADIUS server to recognize it, it needs to be something like name$, so we have to use %AD_ComputerID%.

    Then you do the same for Ethernet. Some people prefer to create two separate configuration profiles, one for Wi-Fi and the other for Ethernet. I did that before and then found out I would have two identical client machine certificates, so I decided to put both into one profile to avoid confusion.

4. If you think you are done, that is far too easy 🙂

If you install the configuration profile, you will see that Ethernet works well; however, Wi-Fi won’t (in my case, Wi-Fi won’t associate my client machine certificate, so I have to manually link them together).

Here is my script to do a manual configuration profile install and then link them together:

#!/bin/sh

# short host name plus the AD domain suffix gives the identity (certificate) name in the keychain
a=$(hostname -s)
b=".your.domain.name"

# install the profile, then link the Wi-Fi EAP identity preference to the client certificate
/usr/bin/profiles -I -F /private/tmp/network.mobileconfig
security set-identity-preference -c "$a$b" -s "com.apple.network.eap.user.identity.wlan.ssid.your wifi name"


Ok, now you should be all set with 802.1x network authentication for your Macs 🙂


How to Setup NFS Server on Mac

1. Open Terminal on your Mac and edit the exports file:

sudo nano /etc/exports

2. Edit the file to add the share folder:

/LocalSharedFolderPath -mapall=ID -alldirs

ID is your account ID; you can find it by typing "id" in Terminal.

3. Check if the exports file is correct:

sudo nfsd checkexports

4. If that command prints nothing, the file is valid. Then you can enable the NFS service:

sudo nfsd enable

5. Check if NFS has been setup correctly:

showmount -e

If you see the following line followed by the shared path, then it is good. If you only see the following line with nothing under it, then it failed 🙁

Exports list on localhost:
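As an added example (not from the original post), the steps above wrapped into a small POSIX shell script: make_export_line builds and sanity-checks the exports line in the form the post uses, and nfs_export_setup runs the same nfsd and showmount steps. The optional -network/-mask pair is the exports(5) way to limit which client subnet may mount the share; the post's own line does not use it, and the path, uid and subnet values are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: build and sanity-check an
# /etc/exports line of the form the post uses (/path -mapall=ID -alldirs),
# optionally restricted to one client subnet with -network/-mask (exports(5)).

# make_export_line PATH ID [NETWORK MASK]
# Prints the exports line; returns 1 if PATH is not absolute or ID is not a
# plain user name / numeric uid (as printed by `id -u`).
make_export_line() {
    path=$1; id=$2; net=$3; mask=$4
    case "$path" in
        /*) ;;
        *) echo "path must be absolute: $path" >&2; return 1 ;;
    esac
    case "$id" in
        ''|*[!A-Za-z0-9_.-]*) echo "bad user id: '$id'" >&2; return 1 ;;
    esac
    line="$path -mapall=$id -alldirs"
    # Without -network the export is reachable by any host that can reach nfsd;
    # pass a subnet and mask to limit which clients may mount it.
    if [ -n "$net" ]; then
        line="$line -network $net -mask $mask"
    fi
    printf '%s\n' "$line"
}

# Apply the line on a Mac: append to /etc/exports, validate, enable, verify.
# Needs sudo and macOS; the self-test only exercises make_export_line.
nfs_export_setup() {
    make_export_line "$@" | sudo tee -a /etc/exports >/dev/null || return 1
    sudo nfsd checkexports || return 1   # silent on success, as in the post
    sudo nfsd enable
    showmount -e                          # path should appear under "Exports list on localhost:"
}

# Constructed values; on a real Mac you would call:
#   nfs_export_setup /Users/me/Share "$(id -u)" 192.168.1.0 255.255.255.0
make_export_line /Users/me/Share 501 192.168.1.0 255.255.255.0
```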


SCCM Mac Client Auto Enrollment Script

Since our SCCM server got updated, the old SCCM Mac client won’t work anymore (the new one needs to support El Capitan), and our certificate expired as well… So basically I have to uninstall the old SCCM Mac client, remove the old certificate, then re-install the new SCCM Mac client and do the SCCM enrollment to generate the certificate again.

At this time we already have Casper, so I just use a single shell script to do this task. Here is the script:

#!/bin/sh

# Download & Extract Installation Files
cd /tmp
curl -LOk http://abc.com/downloads/sccm-mac.zip
sudo unzip -o sccm-mac.zip

# Uninstall current SCCM agent
sudo ./tools/CMUninstall -c

# Delete current SCCM certificates
security find-certificate -c "SCCM" -a -Z | sudo awk '/SHA-1/{system("security delete-certificate -Z "$NF)}'

# Install Mac SCCM Client
sudo installer -package /tmp/CMClient.pkg -target /

# SCCM Enrollment
/usr/bin/expect << EOF

set timeout 60

spawn /tmp/tools/CMEnroll -s abc.com -ignorecertchainvalidation -u domain_name\\\username
expect "Please enter your password."
# the account password sits in clear text in this script; \r sends the Enter key
send "raw_password\r"
expect "Successfully enrolled."

EOF

# Delete All the temp files
sudo rm -rf tools
sudo rm -f sccm-mac.zip
sudo rm -f enroll.sh
sudo rm -f CMClient.pkg


A few points:

1. To use an expect script inside a shell script, there are a few ways to do it; I just use this format:

/usr/bin/expect << EOF

spawn

expect

send

EOF

2. Inside the expect script, if you want to do the escape for the domain username, the format should be domain_name\\\username

3. If you want to enable debug mode in expect script, just add -d in the end, such as “/usr/bin/expect -d <<EOF”

4. wget is not installed by default on Macs; however, we can use curl. To download the zip file, use curl -LOk.

5. To completely uninstall the SCCM Mac client, use the -c switch.


Cool MAC OSX BASH PROFILE

https://natelandau.com/my-mac-osx-bash_profile/


How to Make Mac OS X Run Faster in a VM

This beamoff seems to work well: