Setting up 802.1x authentication for wireless classroom Macs
This document explains how to connect a wireless classroom Mac (e.g., wireless laptop cart iBook, or Neuroscience iMac station) running Mac OS X 10.4 with an unprivileged "student" account to the PennKey-based AirSAS system.
The main design requirement is that the student PennKey information (at least the password) is removed after a reboot, closing the laptop screen, a period of inactivity, or after sleep state, so that the workstation requires re-authentication with new PennKey credentials before rejoining the campus network.
These settings have been tested within a Mac OS X 10.4.6 environment. While in theory Mac OS X 10.3.9 could be made to behave similarly by using the wakeup script to edit the per-host com.apple.NetworkConnect.*.plist file, it does not appear to be straightforward where the end user would go to enter new credentials afterwards.
- Adding the 802.1x (AirSAS) profile
- Installing SleepWatcher
- Adding the .wakeup script
- Setting the user inactivity timing preference
Adding the 802.1x (AirSAS) profile
Pull down the AirPort menu and select Open Internet Connect...:
Add a New 802.1X Connection... from the File menu:
Click once on the 802.1X button in the Internet Connect window toolbar:
Click on Other and select Edit Configurations...
Change the description to AirSAS, choose airsas as the wireless network, add a valid PennKey username and password, and disable all authentication methods but TTLS.
Click once on Configure... for the TTLS method, choose PAP as the inner authentication method, and enter anonymous for the outer identity:
Click OK to get to the following screen. Click Connect to proceed:
Click on Show Certificate to view the RADIUS certificate:
Place a checkmark next to the Always trust these certificates item. Click Continue to proceed:
Click on Connect to establish a wireless connection:
Installing SleepWatcher
Download the SleepWatcher disk image. Open the image, if necessary, and double-click on the SleepWatcher StartupItem and sleepwatcher installers. Reboot after both items are installed.
Adding the .wakeup script
The contents of the "wakeup" script are executed when the computer is woken from sleep. We add commands to close the account session and log out.
Open the Terminal.app utility — type in the following (replace "bioadmin" with your administrative username):
login bioadmin; sudo pico /usr/bin/pidof
Enter the administrative password and add:
#!/bin/sh
ps axc|awk "{if (\$5==\"$1\") print \$1}"|tr '\n' ' '
Save this document. Close the Terminal session and reopen a new Terminal session. Type in the following:
touch .wakeup; chmod +x .wakeup; pico .wakeup
Add:
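# Load the PID(s) of loginwindow into the positional parameters, then kill the first one to end the session
set -- `/usr/bin/pidof loginwindow`
kill $1
Save the file and leave pico. Type the following: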
login bioadmin; sudo chown bioadmin .wakeup; exit
Enter the administrative password. This change of ownership ensures that the guest-level user cannot edit the wakeup script in place.
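To confirm that the ownership change took effect on a given machine, the following added example (not part of the original page; the function name audit_wakeup is hypothetical) checks a wakeup script's owner and mode with ls -ldn. It also reports who owns the containing directory, because that owner can rename or delete the file whatever the file's own owner is. The file path and expected owner are passed as arguments.

```shell
#!/bin/sh
# Added example, not from the original page: audit a wakeup script's
# ownership and mode after the chown step.
# usage: sh audit_wakeup.sh FILE OWNER   (OWNER is a user name or numeric uid)

# audit_wakeup FILE OWNER
# Prints one finding per line; returns 0 if clean, 1 otherwise.
audit_wakeup() {
    file=$1
    owner=$2
    rc=0
    # Resolve a user name to a uid; keep the value as given if lookup fails.
    want=$(id -u "$owner" 2>/dev/null) || want=$owner

    if [ -L "$file" ]; then
        echo "symlink: $file is a link, not a regular file"; return 1
    fi
    if [ ! -f "$file" ]; then
        echo "missing: $file"; return 1
    fi

    # ls -ldn fields: mode, link count, numeric uid, numeric gid, ...
    set -- $(ls -ldn "$file")
    mode=$1
    uid=$3
    [ "$uid" = "$want" ] || { echo "owner: uid $uid, expected $want"; rc=1; }
    case $mode in ???[xs]*) ;; *) echo "mode: not executable by owner ($mode)"; rc=1 ;; esac
    case $mode in ?????w*) echo "mode: group-writable ($mode)"; rc=1 ;; esac
    case $mode in ????????w*) echo "mode: world-writable ($mode)"; rc=1 ;; esac

    # The owner of the containing directory can rename or delete the file
    # and create a new one, regardless of the file's own owner.
    set -- $(ls -ldn "$(dirname "$file")")
    [ "$3" = "$want" ] || { echo "dir: owned by uid $3, which can replace the file"; rc=1; }
    return $rc
}

# Run the audit when called with FILE and OWNER on the command line.
if [ "$#" -eq 2 ]; then
    audit_wakeup "$1" "$2"
fi
```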
Set user inactivity timing system preference
Open System Preferences:
Click once on Security:
Click once on the padlock and authenticate:
Change the inactivity timing of the "Log out after _ minutes of inactivity", e.g. 120 minutes:
Click again on the padlock to lock the setting in place:
Restart the computer and test for sleep and inactivity response with a "student"- or "guest"-level account. Manually put the computer to sleep (either by closing the laptop lid or pressing the power button) to ensure the following step is occurring.
On re-login, the laptop should attempt to connect to the AirSAS network and users should see the following dialog:
While the dialog is not very exciting, users enter their PennKey username and password into these fields and click OK to re-establish an authenticated 802.1x connection.














