Tag : 802.1x

Shell Script to Remove Centrify, Move Wifi/LAN, and Request 802.1 Certificate

Here is a long script of doing a lot of things,  it deletes the Centrify Binding, Centrify certificates and itself, binds the machine to AD via native plugin and requests a 802.1x certificate via native RPC

 

#!/bin/sh

# This script deletes the Centrify Binding, Centrify certificates and itself, binds the machine to AD via native plugin and requests a 802.1x certificate via native RPC
# Rui Qiu
# Nov 17, 2017
# Last update: Dec 12, 2017

# exit code 0 – success
# 1 – no wifi
# 2 – no connection do DC
# 3 – migration failed, no connection to DC

CurrentUser=`/bin/ls -l /dev/console | /usr/bin/awk ‘{ print $3 }’`
ConnectedWIFI=$(/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I | awk ‘/ SSID/ {print substr($0, index($0, $2))}’)
Ori_Network_Choice=$(networksetup -listallnetworkservices | grep -v ‘An asterisk ‘ | sed s/\^’*’// | sed ‘s/.*/\”&\”/’ | tr ‘\n’ ‘ ‘)
DCserver=$(ping -c1 -n $(adinfo –server) | head -n1 | sed “s/.*(\([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\)).*/\1/g”)
ADUser_Check=$(adquery user $CurrentUser | grep -c “113584762”)
FilePath=”XXX”

echo
echo ————————————Project Zero————————————
echo Current user is: $CurrentUser
echo AD User Check result is: $ADUser_Check
echo Current Wifi is: $ConnectedWIFI
echo DC server IP is: $DCserver

# Remove any previous installation files
if [ -d “$FilePath” ]; then rm -Rf “$FilePath”; fi

# Check if a user is on our WIFI network
if [ “$ConnectedWIFI” = “XXX” ] && [ “$ADUser_Check” = “1” ];
then

# Shut down Ethernet
#ethernet=$(networksetup -listnetworkserviceorder |grep ‘Hardware Port.*100\|Hardware Port.*LAN’ |grep -o ‘….$’ |cut -c 1-3)
echo
echo “~~~ Step 1 of 9 ~~~ You are on the correct WIFI, now move it as the first connection choice”
echo “Original Network Sequence Order”
echo $Ori_Network_Choice
echo networksetup -ordernetworkservices “Wi-Fi” `networksetup -listallnetworkservices | grep -v ‘An asterisk ‘ | sed s/\^’*’// | grep -v Wi-Fi | sed ‘s/.*/\”&\”/’ | tr ‘\n’ ‘ ‘` | bash
echo
echo “New Network Sequence Order”
networksetup -listallnetworkservices
sleep 5

# Check if can contact our Domain Controller
echo
echo “~~~ Step 2 of 9 ~~~ Ping our DC”
ping -c1 -W1 -q $DCserver &>/dev/null
status=$( echo $? )
if [ $status -ne 0 ] ; then
echo “Not on Zalando_Air”
mv “$FilePath”/project_zero.txt “$FilePath”/X_wifiwrong.txt
exit 1 # exit code needed
fi

# Uninstall Centrify
echo
echo “~~~ Step 3 of 9 ~~~ Uninstall Centrify”
/usr/local/share/centrifydc/bin/uninstall.sh -n -e

# Delete Old Centrify Certificates
echo
echo “~~~ Step 4 of 9 ~~~ Removing old Certificates”
a=$(hostname -s)
b=”.your.ad”
security find-certificate -c $a$b -a -Z | \
awk ‘/SHA-1/{system(“security delete-certificate -Z “$NF)}’

# Bind to AD
echo
echo “~~~ Step 5 of 9 ~~~ Bind to AD”
jamf policy -event bind -verbose

# Migrate user account to AD
#echo
echo “~~~ Step 6 of 9 ~~~ Migrating account”
echo ” Skipping this part, no need ”
#dscl . delete /Users/$CurrentUser
# chown -R $CurrentUser:Your_AD_ID /Users/$CurrentUser/
# chown -R $CurrentUser /Users/$CurrentUser/

# Install Configuration Profile
echo
echo “~~~ Step 7 of 9 ~~~ Installing profile”
/usr/bin/profiles -I -F /X/X.mobileconfig

# Revert Back to Original Network Sequence Order
echo
echo “~~~ Step 8 of 9 ~~~ Revert Back to Original Network Sequence Order, and Check Internet Access”
echo networksetup -ordernetworkservices $Ori_Network_Choice | bash
echo “Now the network sequence order is ”
networksetup -listallnetworkservices

echo “Check for Internal Access”
sleep 5
ping -c1 -W1 -q $DCserver &>/dev/null
status=$( echo $? )
if [ $status -ne 0 ] ; then
echo “Migration Failed, Cannot connect to DC”
mv “$FilePath”/X.txt “$FilePath”/X_failed.txt
exit 3 # exit code needed
fi

# Remove temp file
echo
echo “~~~ Step 9 of 9 ~~~ Finished, record the result and removing temp file”
mv “$FilePath”/X.txt “$FilePath”/X_finished.txt
rm “$FilePath”/X.mobileconfig
else
# If not on our WIFI network, exit
echo “Not on the right Wifi or is not an AD user, exit”
exit 0

fi

12-12-2017 |

How to Troubleshoot 802.1x Mac Authentication Issues

It is quite complex to troubleshoot 802.1x authentication issues for Mac. Here are a few sections you can look for errors:

1. RADIUS Server Log

This is the most convenient and efficient way to troubleshot 802.1x issues . Just send Mac address to your network engineer and ask for the authentication log 🙂

If you just use FQDN_computername, it will fail for sure

The correct name should be computername$

Or you can use host/FQDN_computername

 

2. EAPOLClient Log

If you cannot find your network engineer easily, here is the perfect log to troubleshoot for you. Just open terminal and use this command will show you the last 5minute mac authentication log:

sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.eapolclient LogFlags -int -1

log show –style syslog –predicate ‘processImagePath contains “eapolclient” and subsystem contains “com.apple.eapol”‘ –last 30m > ~/Desktop/eapolclient.log

You will get this if someone remove the network configuration profile:

You will get this if your network identity preference is not correctly linked to your mac client certificate:

Your EAP Response Identity should be computername$ or host/FQDN_computername

3. Keychains

 

You should have these items inside your Keychain:

  1. Identity Preference for Wifi under your “login” folder

2. Identity Preference for Ethernet under “System”

3.802.1x Password for WIFI under “System”

3. 802.1x Password for ethernet under “System”

4. Root CA certificate

 

 

 

4. Configuration Profile Installation Issues

If you see this message when trying to install the configuration profile:

The ‘Active Directory Certificate’ payload could not be installed. The certificate request failed.

Enable the log mode and then check from there:

sudo defaults write /Library/Preferences/com.apple.MCXDebug debugOutput -2
sudo defaults write /Library/Preferences/com.apple.MCXDebug collateLogs 1

And then check log from /Library/Logs/ManagedClient/ManagedClient.log

 

If everything is fixed, you should able to see these from your network connection:

 

11-07-2017 |

802.1X Network Authentication for Mac

Cannot believe I spent so much time just to figure out how to do 802.1x network authentication for Mac 🙂

So for managing macs, we have two ways of setup 802.1x, one is using Apple Profile Manager to create a configuration profile, and the other way is to use Casper configuration profile.  From the internet, it seems Casper profile has some issues with ethernet profile, so I decided to use the Apple Profile Manger from the Server app.

However no matter what settings I make, it always turned out like this when I install the profile on a test mac:

So I have to choose the Casper configuration route. However if you are using Apple Profile Manager, here is a few points maybe helpful to you:

  1.  On the Certificate Server, you have to type something like this: https://FQDN/certsrv
  2.  The username you use to authenticate with RADIUS server, it can be %ComputerName%$,

Here are a few articles are talking about this method:

https://support.apple.com/en-us/HT204602

https://kevinbecker.squarespace.com/blog/2015/03/26/mac-os-x-wpa2-enterprise-authentication-using-a-microsoft-ca-part-2-2

 

Ok, now let’s talk about doing 802.1x authentication using Casper’s configuration profile.  Here are the settings from my environment:

  1. Upload your root CA certificate on the Certificate Tab;
  2. Setup your AD certificate to acquire your client certificate for your mac;
    2.1 Certificate Authority just the common name of your server is fine:
    2.2 Be careful about “The name of the CA”, you can find your real CA name from this URL:
    https://support.microsoft.com/en-us/help/555529?wa=wsignin1.0%3Fwa%3Dwsignin1.0
  3. On Network tab, create two network, one for wifi, and the other for ethernet.
    it needs to be “Computer Level” under ” General” tab
    Choose the security type your environment is in, for me, it is TLS
    On the Trust tab, choose the root CA, and specify any RADIUS you need to trust, if you list *.FQDN, it will NOT work. You have to manually specify all the FQDN of your RADIUS servers.

    On the username part, it is very important, If you use $COMPUTERNAME like Casper said, it will come out as name.domain.net, however for our RAIDUS server to be recognize, it needs to be something like name$, so we have to use %AD_ComputerID%.

    And then you do the same for ethernet. Some people prefer to create two separate configuration profiles, one for wifi, and the other for ethernet. I did that before, and then found out I will have two same client machine certificate, so I decided to put into one to avoid confusions.

3. If you think you are done, that is far too easy 🙂

If you install the configuration profile, you will see the ethernet will work well, however the wifi won’t work ( in my case, the wifi won’t associate my client machine certificate, so I have to manually link them together).

Here is my script to do a manual configuration profile install and then link them together:

#!/bin/sh

a=$(hostname -s)
b=”.your.domain.name”

/usr/bin/profiles -I -F /private/tmp/network.mobileconfig
security set-identity-preference -c $a$b -s com.apple.network.eap.user.identity.wlan.ssid.”your wifi name”

 

Ok, now you should be all set with 802.1 network authentication for your macs 🙂

11-06-2017 |