[Macpartners] 802.1x Authentication

Duncan S Kincaid dsk at mit.edu
Mon Dec 28 12:47:22 EST 2015


andy

like you, we’ve used loginhook to remove the executable bits from
/System/Library/SystemConfiguration/EAPOLController.bundle/Contents/Resources/eapolclient

in the event that the above hack were to fail (ie. OS X 10.11 SIP), we also do the following in loginhook:

# disable 802.1X autoconnect for user. This will suppress eapolcontrol prompts if eapolclient were ever re-enabled
echo "Disabling 802.1X autoconnect ($1)"
su - "$1" -c "defaults -currentHost write com.apple.network.eapolcontrol EthernetAutoConnect -bool false"

i haven’t tested this under OS X 10.11. i can imagine a scenario where eapolclient starts before the loginhook command executes for a FIRST TIME user.

as for your last question: that is a question for IST. in my experience it *is* disabled on some switches but not others.

ciao
dk

|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
duncan kincaid
cron | mit school of architecture and planning




> On Dec 28, 2015, at 10:34 AM, Andy McPherson <andymcp at mit.edu> wrote:
> 
> In the past, I've had a big problem with our shared classroom computers prompting users to login via 802.1x and after users attempt to do so it endlessly attempts to auto connect and disables all network access. I can temporarily disable this by following these steps: http://kb.mit.edu/confluence/display/istcontrib/Prevent+Mac+OS+X+10.7+and+above+from+trying+to+connect+to+MIT%27s+802.1x+network+when+using+a+wired+connection
> but the issue always comes back after restarts and I have many different users logging into the same workstations.
> 
>  I got around this in 10.10 by running this: chmod 644 /System/Library/SystemConfiguration/EAPOLController.bundle/Contents/Resources/eapolclient
> 
> but it won't work in 10.11 due to the new System Integrity Protection feature.
> 
> Any ideas on a workaround? Also, why does this 802.1x prompt occur in the first place and can it be disabled on a switch level?
> 
> Regards,
> Andy
> 
> Andy McPherson
> Systems Administrator
> 
> 
> 
> 77 Massachusetts Ave., 14N-308, Cambridge, MA 02139
> andymcp at mit.edu | p: 617.253.9776 | f: 617.258.6189
> 
> 
> _______________________________________________
> Macpartners mailing list
> Macpartners at mit.edu
> http://mailman.mit.edu/mailman/listinfo/macpartners
