All,

I used the iPhone Configuration Utility to create a .mobileconfig file, as recommended by Apple. Upon double-clicking, it prompts to install the profile, and you can optionally enter a username and password at that time. Either once you enter those and finish profile installation, or if you skip entering there and later enter username and password when connecting, either way an entry is added to the keychain. THEN, if the user changes their password, that keychain entry is still there and is used, continuously failing auth. Only workaround I've found is to delete the keychain, which results in the user being prompted for username and password, at which point a new keychain item is created.

I think this is more of a keychain behavior problem... or just a WiFi problem on the Apple. Regardless, the Mac supplicant's behavior should not try and be stubbornly using wrong credentials over and over. "That password didn't work?! Hmm. Maybe I should try it again. Didn't work again? Hmm. Maybe I should try it again. Dang! How about now? No!? Hmm.... Now?......"

At this point, XpressConnect is not an option for us. Also, we can't not do 802.1X. Right now, the only idea I have is boldface text on the WebUI where users change their password stating that Mac users *must* delete their keychain, etc. Additional ideas?

===========
Ryan Holland

On Aug 5, 2011, at 11:06 AM, "Palmer IV, Daniel" <dbpa...@emory.edu> wrote:

That was going to be my point. That profile can be for the user or for the machine. We are using a user-based profile that we modify via script and "slurp" in to create our connection. (Cannot say which id is being used to validate though, have not had time to test that.)

dp

Daniel Palmer
University Technology Services (UTS)
Emory University
Atlanta, GA 30322
404.727.5297 (office)
404.213.1643 (mobile)

From: David Blahut <dabla...@vassar.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Fri, 5 Aug 2011 11:00:24 -0400
To: <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] MacOS Lion & Wireless Password Resets

Great question, I was surprised to not see the + in the 802.1X window. When I associated to the secure SSID a dialog box popped up asking for username and password. I think the credentials are added to the keychain at that point. You can also use Lion server to create a profile.
I haven’t tested this but more information can be found here: http://support.apple.com/kb/HT4772

-d

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Palmer IV, Daniel
Sent: Friday, August 05, 2011 9:43 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MacOS Lion & Wireless Password Resets

In your test machine… How did you create your 802.1X profile?

dp

Daniel Palmer
University Technology Services (UTS)
Emory University
Atlanta, GA 30322
404.727.5297 (office)
404.213.1643 (mobile)

From: David Blahut <dabla...@vassar.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Fri, 5 Aug 2011 09:13:43 -0400
To: <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] MacOS Lion & Wireless Password Resets

I did some Lion testing yesterday on our 802.1X secured SSID and discovered the following while watching the RADIUS logs:

The laptop had two accounts set up on it, mine and another ‘tester’. If you simply switched users the machine would reauthenticate but still use the other username/password (the account being switched from). If the laptop was restarted or shut down and started back up the correct username/password would be used to log into the wireless no matter what user was logged in when the restart was initiated.

I don’t necessarily think this is a big problem in our environment but I can see where it could be in others.

-d

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Holland, Ryan C.
Sent: Thursday, August 04, 2011 5:01 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] MacOS Lion & Wireless Password Resets

I have finally got my hands on MacOS 10.7 (Lion) and have started running it through wireless tests. One item I find very worrisome is this:

- Via WPA2-Enterprise (PEAP/MSCHAPv2), I connect to the SSID using username & password1; these credentials are then stored in the keychain
- If I change my password to, say, "password2", then the next time I connect, the Mac fails authentication

It seems that the Mac, if failing authentication, never prompts for the username & password to be reentered. Our university is soon to roll out and enforce a 90-day password policy, and I am concerned that users will be unable to authenticate and forced to remove the password from their keychain.

Have any of you run into this similar issue? If so, how do you handle this behavior? (I don't recall it being this way in MacOS 10.6 or 10.5.)

==========
Ryan Holland
Network Engineer, Wireless
Office of the Chief Information Officer
The Ohio State University
614-292-9906
holland....@osu.edu

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
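
The thread describes a Mac that keeps retrying a stored password after a change, and mentions watching the RADIUS logs. As an added example (not part of the thread), this Python script flags devices that authenticated successfully and then fail repeatedly with the same username, so the helpdesk can contact those users. The log format is an assumption modelled on FreeRADIUS-style auth lines; the usernames, MAC addresses, AP name and the threshold of 3 are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log (assumed FreeRADIUS-style auth lines, not from the thread).
SAMPLE_LOG = """\
Thu Aug  4 16:40:02 2011 : Auth: Login OK: [alice] (from client ap-12 port 0 cli 00-1F-5B-AA-BB-01)
Thu Aug  4 16:41:10 2011 : Auth: Login OK: [bob] (from client ap-12 port 0 cli 00-1F-5B-AA-BB-02)
Thu Aug  4 17:05:31 2011 : Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [alice] (from client ap-12 port 0 cli 00-1F-5B-AA-BB-01)
Thu Aug  4 17:05:36 2011 : Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [alice] (from client ap-12 port 0 cli 00-1F-5B-AA-BB-01)
Thu Aug  4 17:05:40 2011 : Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [bob] (from client ap-12 port 0 cli 00-1F-5B-AA-BB-02)
Thu Aug  4 17:05:41 2011 : Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [alice] (from client ap-12 port 0 cli 00-1F-5B-AA-BB-01)
Thu Aug  4 17:05:52 2011 : Auth: Login OK: [bob] (from client ap-12 port 0 cli 00-1F-5B-AA-BB-02)
Thu Aug  4 17:05:58 2011 : Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [alice] (from client ap-12 port 0 cli 00-1F-5B-AA-BB-01)
Thu Aug  4 17:06:03 2011 : Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [carol] (from client ap-12 port 0 cli 00-1F-5B-AA-BB-03)
Thu Aug  4 17:06:09 2011 : Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [carol] (from client ap-12 port 0 cli 00-1F-5B-AA-BB-03)
Thu Aug  4 17:06:15 2011 : Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [carol] (from client ap-12 port 0 cli 00-1F-5B-AA-BB-03)
"""

# Outcome, username in [brackets], and the calling-station MAC after "cli ".
LINE_RE = re.compile(
    r"Auth: Login (OK|incorrect)[^\[]*\[([^\]]+)\].*?cli ([0-9A-Fa-f-]{17})\)"
)

def find_stale_credential_loops(log_text, threshold=3):
    """Return {(user, mac): failures} for devices that logged in successfully
    and have since failed `threshold` or more times in a row."""
    seen_ok = set()             # (user, mac) pairs with at least one success
    streak = defaultdict(int)   # consecutive failures since the last success
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        outcome, user, mac = m.group(1), m.group(2), m.group(3).lower()
        key = (user, mac)
        if outcome == "OK":
            seen_ok.add(key)
            streak[key] = 0     # a success ends any failure streak
        elif key in seen_ok:
            # Only count failures after a known-good login: a device that has
            # never succeeded is more likely a mistyped first-time entry.
            streak[key] += 1
    return {k: n for k, n in streak.items() if n >= threshold}

if __name__ == "__main__":
    for (user, mac), n in find_stale_credential_loops(SAMPLE_LOG).items():
        print(f"{user} on {mac}: {n} consecutive failures after a prior success")
```
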