<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">andy<div class=""><br class=""></div><div class="">like you, we’ve used loginhook to remove the executable bits from</div><div class=""><div dir="ltr" class=""><div class="">/System/Library/SystemConfiguration/EAPOLController.bundle/Contents/Resources/eapolclient</div></div></div><div class=""><br class=""></div><div class="">in the event that the above hack were to fail (ie. OS X 10.11 SIP), we also do the following in loginhook:</div><div class=""><div class=""><br class=""></div><div class=""># disable 802.1X autoconnect for user. This will suppress eapolcontrol prompts if eapolclient were ever re-enabled</div><div class="">echo "Disabling 802.1X autoconnect ($1)"</div><div class="">su - "$1" -c "defaults -currentHost write com.apple.network.eapolcontrol EthernetAutoConnect -bool false”</div><div class=""><br class=""></div><div class="">i haven’t tested this under OS X 10.11. i can imagine a scenario where eapolclient starts before the loginhook command executes for FRIST TIME user.</div><div class=""><br class=""></div><div class="">as for your last question: that is a question for IST. in my experience it *is* disabled on some switches but not others.</div><div class=""><br class=""></div><div class="">ciao</div><div class="">dk</div><div class="">
<span class="Apple-style-span" style="border-collapse: separate; border-spacing: 0px;"><br class="">|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||<br class="">duncan kincaid<br class="">cron | mit school of architecture and planning<br class=""><br class=""><br class=""><br class=""></span>
</div>
<br class=""><div><blockquote type="cite" class=""><div class="">On Dec 28, 2015, at 10:34 AM, Andy McPherson <<a href="mailto:andymcp@mit.edu" class="">andymcp@mit.edu</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html; charset=utf-8" class=""><div dir="ltr" class="">In the past, I've had a big problem with our shared classroom computers prompting users to login via 802.1x and after users attempt to do so it endlessly attempts to auto connect and disables all network access. I can temporarily disable this by following these steps: <a href="http://kb.mit.edu/confluence/display/istcontrib/Prevent+Mac+OS+X+10.7+and+above+from+trying+to+connect+to+MIT%27s+802.1x+network+when+using+a+wired+connection" class="">http://kb.mit.edu/confluence/display/istcontrib/Prevent+Mac+OS+X+10.7+and+above+from+trying+to+connect+to+MIT%27s+802.1x+network+when+using+a+wired+connection</a><div class="">but the issue always comes back after restarts and I have many different users logging into the same workstations.<br class=""></div><div class=""><br class=""></div><div class=""> I got around this in 10.10 by running this: chmod 644 /System/Library/SystemConfiguration/EAPOLController.bundle/Contents/Resources/eapolclient</div><div class=""><br class=""></div><div class="">but it won't work in 10.11 due to the new System Integrity Protection feature.</div><div class=""><br class=""></div><div class="">Any ideas on a workaround? Also, why does this 802.1x prompt occur in the first place and can it be disabled on a switch level?</div><div class=""><br class=""></div><div class="">Regards,</div><div class="">Andy</div><div class=""><span style="color:rgb(153,153,153)" class=""><br class=""></span></div><div class=""><span style="color:rgb(153,153,153)" class="">Andy McPherson</span></div><div class=""><div class="GmSign"><div dir="ltr" class=""><p class=""><font color="#999999" class=""><span style="font-size:12.8px" class="">Systems Administrator</span></font></p><p class=""><span class=""><img src="https://mitgsl.mit.edu/sites/all/themes/mit_gsl_theme/logo.png" class=""><br class=""></span></p><p class=""><font color="#999999" class=""><span class="">77 Massachusetts Ave., 14N-308, Cambridge, MA 02139<br class=""></span><span style="font-size:12.8px" class=""><a href="mailto:andymcp@mit.edu" target="_blank" class="">andymcp@mit.edu</a></span><span style="font-size:12.8px" class=""> | p: 617.253.9776 | f: 617.258.6189</span></font></p><div class=""><span class=""></span><br class="webkit-block-placeholder"></div></div></div></div></div>
_______________________________________________<br class="">Macpartners mailing list<br class=""><a href="mailto:Macpartners@mit.edu" class="">Macpartners@mit.edu</a><br class="">http://mailman.mit.edu/mailman/listinfo/macpartners<br class=""></div></blockquote></div><br class=""></div></body></html>