<div dir="ltr">Duncan,<div><br></div><div>I generally opt for the simplest solutions (e.g. managing loginhooks via Casper) but unfortunately it does appear that eapolclient does launch before the loginhook executes.</div><div><br></div><div>I've contacted the IS&T network team about the issue. While I am certainly a network engineer, I don't consider this type of behavior acceptable on an enterprise LAN. I'd rather not have to send out e-mails to my users saying "Anytime you see this box asking for your username and password please click "Cancel" otherwise the internet won't work"</div><div><br></div><div>I'll go ahead and give Patrick's solution a shot and see if that takes care of it...</div><div><br></div><div>Thanks for everyone's help!</div><div><br></div><div>Regards,</div><div>Andy</div><div><span style="color:rgb(153,153,153);line-height:1.5"><br></span></div><div><span style="color:rgb(153,153,153);line-height:1.5">Andy McPherson</span><div class="GmSign"><div dir="ltr"><p><font color="#999999"><span style="font-size:12.8px">Systems Administrator</span></font></p><p><span><img src="https://mitgsl.mit.edu/sites/all/themes/mit_gsl_theme/logo.png"><br></span></p><p><font color="#999999"><span>77 Massachusetts Ave., 14N-308, Cambridge, MA 02139<br></span><span style="font-size:12.8px"><a href="mailto:andymcp@mit.edu" target="_blank">andymcp@mit.edu</a></span><span style="font-size:12.8px"> | p: 617.253.9776 | f: 617.258.6189</span></font></p><p><span></span></p></div></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Mon, Dec 28, 2015 at 12:47 PM Duncan S Kincaid <<a href="mailto:dsk@mit.edu">dsk@mit.edu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">andy<div><br></div><div>like you, we’ve used loginhook to remove the executable bits from</div><div><div dir="ltr"><div>/System/Library/SystemConfiguration/EAPOLController.bundle/Contents/Resources/eapolclient</div></div></div><div><br></div><div>in the event that the above hack were to fail (ie. OS X 10.11 SIP), we also do the following in loginhook:</div><div><div><br></div><div># disable 802.1X autoconnect for user. This will suppress eapolcontrol prompts if eapolclient were ever re-enabled</div><div>echo "Disabling 802.1X autoconnect ($1)"</div><div>su - "$1" -c "defaults -currentHost write com.apple.network.eapolcontrol EthernetAutoConnect -bool false”</div><div><br></div><div>i haven’t tested this under OS X 10.11. i can imagine a scenario where eapolclient starts before the loginhook command executes for FRIST TIME user.</div><div><br></div><div>as for your last question: that is a question for IST. in my experience it *is* disabled on some switches but not others.</div><div><br></div><div>ciao</div><div>dk</div><div>
<span style="border-collapse:separate;border-spacing:0px"><br>|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||<br>duncan kincaid<br>cron | mit school of architecture and planning<br><br><br><br></span>
</div>
<br><div><blockquote type="cite"></blockquote></div></div></div><div style="word-wrap:break-word"><div><div><blockquote type="cite"><div>On Dec 28, 2015, at 10:34 AM, Andy McPherson <<a href="mailto:andymcp@mit.edu" target="_blank">andymcp@mit.edu</a>> wrote:</div><br></blockquote></div></div></div><div style="word-wrap:break-word"><div><div><blockquote type="cite"><div><div dir="ltr">In the past, I've had a big problem with our shared classroom computers prompting users to login via 802.1x and after users attempt to do so it endlessly attempts to auto connect and disables all network access. I can temporarily disable this by following these steps: <a href="http://kb.mit.edu/confluence/display/istcontrib/Prevent+Mac+OS+X+10.7+and+above+from+trying+to+connect+to+MIT%27s+802.1x+network+when+using+a+wired+connection" target="_blank">http://kb.mit.edu/confluence/display/istcontrib/Prevent+Mac+OS+X+10.7+and+above+from+trying+to+connect+to+MIT%27s+802.1x+network+when+using+a+wired+connection</a><div>but the issue always comes back after restarts and I have many different users logging into the same workstations.<br></div><div><br></div><div> I got around this in 10.10 by running this: chmod 644 /System/Library/SystemConfiguration/EAPOLController.bundle/Contents/Resources/eapolclient</div><div><br></div><div>but it won't work in 10.11 due to the new System Integrity Protection feature.</div><div><br></div><div>Any ideas on a workaround? Also, why does this 802.1x prompt occur in the first place and can it be disabled on a switch level?</div><div><br></div><div>Regards,</div><div>Andy</div><div><span style="color:rgb(153,153,153)"><br></span></div><div><span style="color:rgb(153,153,153)">Andy McPherson</span></div><div><div><div dir="ltr"><p><font color="#999999"><span style="font-size:12.8px">Systems Administrator</span></font></p><p><span><img src="https://mitgsl.mit.edu/sites/all/themes/mit_gsl_theme/logo.png"><br></span></p><p><font color="#999999"><span>77 Massachusetts Ave., 14N-308, Cambridge, MA 02139<br></span><span style="font-size:12.8px"><a href="mailto:andymcp@mit.edu" target="_blank">andymcp@mit.edu</a></span><span style="font-size:12.8px"> | p: 617.253.9776 | f: 617.258.6189</span></font></p><div><span></span><br></div></div></div></div></div></div></blockquote></div></div></div><div style="word-wrap:break-word"><div><div><blockquote type="cite"><div>
_______________________________________________<br>Macpartners mailing list<br><a href="mailto:Macpartners@mit.edu" target="_blank">Macpartners@mit.edu</a><br><a href="http://mailman.mit.edu/mailman/listinfo/macpartners" target="_blank">http://mailman.mit.edu/mailman/listinfo/macpartners</a><br></div></blockquote></div></div></div></blockquote></div>