[Macpartners] 802.1x Authentication

Andy McPherson andymcp at mit.edu
Tue Dec 29 13:32:50 EST 2015


Duncan,

I generally opt for the simplest solutions (e.g. managing loginhooks via
Casper) but unfortunately it does appear that eapolclient does launch
before the loginhook executes.

I've contacted the IS&T network team about the issue. While I am certainly
a network engineer, I don't consider this type of behavior acceptable on an
enterprise LAN. I'd rather not have to send out e-mails to my users saying
"Anytime you see this box asking for your username and password, please
click 'Cancel'; otherwise the internet won't work."

I'll go ahead and give Patrick's solution a shot and see if that takes care
of it...

Thanks for everyone's help!

Regards,
Andy

Andy McPherson

Systems Administrator


77 Massachusetts Ave., 14N-308, Cambridge, MA 02139
andymcp at mit.edu | p: 617.253.9776 | f: 617.258.6189


On Mon, Dec 28, 2015 at 12:47 PM Duncan S Kincaid <dsk at mit.edu> wrote:

> andy
>
> like you, we’ve used loginhook to remove the executable bits from
>
> /System/Library/SystemConfiguration/EAPOLController.bundle/Contents/Resources/eapolclient
>
> in the event that the above hack were to fail (i.e. OS X 10.11 SIP), we
> also do the following in loginhook:
>
> # disable 802.1X autoconnect for user. This will suppress eapolcontrol prompts if eapolclient were ever re-enabled
> echo "Disabling 802.1X autoconnect ($1)"
> su - "$1" -c "defaults -currentHost write com.apple.network.eapolcontrol EthernetAutoConnect -bool false"
>
> i haven't tested this under OS X 10.11. i can imagine a scenario where
> eapolclient starts before the loginhook command executes for a first-time
> user.
>
> as for your last question: that is a question for IST. in my experience it
> *is* disabled on some switches but not others.
>
> ciao
> dk
>
>
> duncan kincaid
> cron | mit school of architecture and planning
>
>
>
>
> On Dec 28, 2015, at 10:34 AM, Andy McPherson <andymcp at mit.edu> wrote:
>
> In the past, I've had a big problem with our shared classroom computers
> prompting users to log in via 802.1x, and after users attempt to do so it
> endlessly attempts to auto-connect and disables all network access. I can
> temporarily disable this by following these steps:
> http://kb.mit.edu/confluence/display/istcontrib/Prevent+Mac+OS+X+10.7+and+above+from+trying+to+connect+to+MIT%27s+802.1x+network+when+using+a+wired+connection
> but the issue always comes back after restarts, and I have many different
> users logging into the same workstations.
>
> I got around this in 10.10 by running this: chmod 644
> /System/Library/SystemConfiguration/EAPOLController.bundle/Contents/Resources/eapolclient
>
> but it won't work in 10.11 due to the new System Integrity Protection
> feature.
>
> Any ideas on a workaround? Also, why does this 802.1x prompt occur in the
> first place and can it be disabled on a switch level?
>
> Regards,
> Andy
>
>
> _______________________________________________
> Macpartners mailing list
> Macpartners at mit.edu
> http://mailman.mit.edu/mailman/listinfo/macpartners
>
>
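The loginhook approach quoted above (Duncan's per-user `defaults -currentHost write com.apple.network.eapolcontrol EthernetAutoConnect -bool false`, plus the 10.10-era `chmod 644` on eapolclient that Andy reports SIP blocks on 10.11), combined into one hook script. This is an added example, not code from either poster or from MIT IS&T. The domain, key and eapolclient path are taken from the thread; everything else is an assumption: that loginwindow passes the user name as `$1`, that `csrutil status` (10.11 and later) prints the line `System Integrity Protection status: enabled.`, and that `defaults -currentHost read` prints `0` for a boolean that was written as false. Compared with the quoted snippet it skips the chmod when SIP is on instead of letting it fail, and reads the preference back so the hook logs whether the write actually stuck rather than silently assuming it did. It does not change the ordering problem Andy describes: if eapolclient starts before the hook runs, the first login on a fresh account can still see the prompt; the hook only guarantees later logins.

```shell
#!/bin/sh
# 802.1X login hook: run by loginwindow as root with the user name in $1.
# Added example (not Duncan's or Andy's script). Domain, key and eapolclient
# path are taken from the thread; the csrutil/defaults output formats parsed
# below are assumptions about those tools, so confirm them on your build.

EAPOL_DOMAIN="com.apple.network.eapolcontrol"
EAPOL_KEY="EthernetAutoConnect"
EAPOLCLIENT="/System/Library/SystemConfiguration/EAPOLController.bundle/Contents/Resources/eapolclient"

# Given the text printed by `csrutil status`, return 0 (true) when System
# Integrity Protection is on. Empty text (csrutil missing, e.g. on 10.10)
# counts as SIP off, which matches how the thread describes pre-10.11.
sip_enabled() {
    case "$1" in
        *"System Integrity Protection status: enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Given the text printed by `defaults -currentHost read`, return 0 only
# when the key is known to be false. `defaults` prints 0 for a boolean
# false; if the key was never written the command fails and prints
# nothing on stdout, which must not be mistaken for "disabled".
autoconnect_disabled() {
    case "$(printf '%s' "$1" | tr -d '[:space:]')" in
        0|false|NO|no) return 0 ;;
        *) return 1 ;;
    esac
}

# The per-user write, as a single string suitable for `su -c`.
autoconnect_disable_cmd() {
    printf 'defaults -currentHost write %s %s -bool false' \
        "$EAPOL_DOMAIN" "$EAPOL_KEY"
}

main() {
    user="$1"
    [ -n "$user" ] || { echo "usage: $0 <username>" >&2; return 2; }

    # Step 1: the 10.10 hack. Only attempt it when SIP is off; with SIP on
    # the chmod is refused, so there is no point trying and failing.
    status="$(csrutil status 2>/dev/null || true)"
    if sip_enabled "$status"; then
        echo "SIP enabled: leaving $EAPOLCLIENT untouched"
    elif [ -x "$EAPOLCLIENT" ]; then
        chmod 644 "$EAPOLCLIENT" && echo "Cleared execute bit on eapolclient"
    fi

    # Step 2: the per-user, per-host (-currentHost) preference, run as the
    # user so it lands in that user's ByHost preferences, as in the thread.
    echo "Disabling 802.1X autoconnect ($user)"
    su - "$user" -c "$(autoconnect_disable_cmd)" || return 1

    # Step 3: read it back. A write that did not persist would leave the
    # prompt in place, so log the real state instead of assuming success.
    current="$(su - "$user" -c \
        "defaults -currentHost read $EAPOL_DOMAIN $EAPOL_KEY" 2>/dev/null)"
    if autoconnect_disabled "$current"; then
        echo "Verified: $EAPOL_KEY is off for $user"
    else
        echo "WARNING: read-back gave '$current'; the 802.1X prompt may still appear" >&2
        return 1
    fi
}

# loginwindow invokes the hook with the user name; with no argument
# (e.g. when sourced to check the helper functions) nothing runs.
if [ "$#" -gt 0 ]; then
    main "$@"
    exit $?
fi
```

Install it the usual way for a login hook (`sudo defaults write com.apple.loginwindow LoginHook /path/to/script`, with the script owned by root and executable). The two parsing helpers are kept separate from the commands that produce their input so they can be checked on any machine; only `main` needs a Mac.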