.. partial notes..
- Laptop built using district build 34 and all updates to 10.5.6 (including sw).
- bound to AD
- 802.1x configuration created as a Login Window Profile with blank username/password for the district wireless network
- dc1 cert stored in keychain as part of a default Login profile.
- Enabled network connection radiobutton/icon for the login window. It is configured in /Library/Preferences/com.apple.loginwindow, the option is AdminHostInfo = DSStatus. It can be set in Terminal via:
defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo DSStatus
The account appears as Networked, Managed on my current build-box.
I'm not sure yet why it's appearing as a Managed account, as the username tested is only in Domain Users and not in one of the groups managed via OD.
- /Library/Preferences/edu.mit.Kerberos – shows last binding
- open Keychain, create new Kerberos ticket to verify secure connection capability.
- /Library/Preferences/com.apple.loginwindow.plist — shows exported/current 802.1x config
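Added check (not from these notes): a small Python script that reads a com.apple.loginwindow plist and reports whether AdminHostInfo is set to DSStatus, the setting the defaults write line above turns on. It uses only plistlib from the standard library; the sample plists embedded at the bottom are constructed for the example, and the function names (check_loginwindow, check_file) are my own.

```python
"""Verify the login window AdminHostInfo setting in a com.apple.loginwindow
plist.  Added example, not part of the notes; sample plists are constructed."""

import sys
import plistlib
from xml.parsers.expat import ExpatError

EXPECTED_KEY = "AdminHostInfo"
EXPECTED_VALUE = "DSStatus"          # value that enables the network connection icon
DEFAULT_PATH = "/Library/Preferences/com.apple.loginwindow.plist"


def check_loginwindow(plist_bytes: bytes) -> str:
    """Return 'ok', 'missing', 'wrong:<value>' or 'unreadable' for the setting.

    plistlib detects XML and binary plists, so this works on a file written
    by `defaults write` (binary) as well as a hand-edited XML copy.
    """
    try:
        prefs = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ExpatError):
        return "unreadable"
    if not isinstance(prefs, dict) or EXPECTED_KEY not in prefs:
        return "missing"
    value = prefs[EXPECTED_KEY]
    return "ok" if value == EXPECTED_VALUE else "wrong:%s" % value


def check_file(path: str = DEFAULT_PATH) -> str:
    """Read the plist from disk and run the same check."""
    with open(path, "rb") as fh:
        return check_loginwindow(fh.read())


# Constructed samples (not real files from a build box): correct setting,
# key absent, and key present with some other value, the last one stored
# in binary format the way `defaults` writes it.
SAMPLE_OK = plistlib.dumps({EXPECTED_KEY: EXPECTED_VALUE})
SAMPLE_MISSING = plistlib.dumps({"SHOWFULLNAME": True})
SAMPLE_WRONG = plistlib.dumps({EXPECTED_KEY: "HostName"}, fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    # Usage on a Mac:  python3 check_loginwindow.py [path-to-plist]
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PATH
    print("%s: %s" % (target, check_file(target)))
```

Run it on the build box against the default path to confirm the setting survived the image; a result of `missing` means the defaults write line was never applied (or was applied to a user domain instead of /Library/Preferences).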
Login Window Mode: This mode is called Login Window because the 802.1X session originates from the login window using credentials entered at the login window. The same credentials are used to both authenticate to the network and authenticate the user to a directory service.
At the login screen, one enters a name and password. If LoginWindow can’t find a local user account with that name, it initiates an 802.1X session using the same name and password and in the case of an 802.11 network, it associates to the wireless network. After the 802.1X authentication completes, LoginWindow authenticates the user against the directory service. If that authentication succeeds, the user is logged in.
When the user logs out, LoginWindow checks whether the 802.1X session is one that it started, and if so, it stops the 802.1X session, and if an 802.11 network, disassociates from the network.
If no one is logged in, no 802.1X session is running, and no 802.11 network will be joined. The Mac is not available on the authenticated network.
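To make the decision points in the Login Window description above easy to exercise, here is an added Python model of that flow. It is not Apple's code or anything from these notes; the class and method names (LoginWindowModel, login, logout, external_session), the result strings and the name/password dictionaries standing in for the local node, the directory and the RADIUS side are all assumptions made for the illustration. The one behaviour the notes do not spell out, what happens when 802.1X succeeds but directory authentication fails, is modelled as a teardown and marked as an assumption in the code.

```python
"""Model of the Login Window 802.1X flow.  Added example, not Apple's code;
names and result strings are assumptions made for this illustration."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class LoginWindowModel:
    # Constructed stand-ins: local account names, the directory node (AD/OD)
    # and the network's 802.1X authenticator, the last two as name -> password.
    local_users: Set[str]
    directory_users: Dict[str, str]
    network_users: Dict[str, str]
    wireless: bool = True                 # 802.11 network (associate/disassociate) or wired
    # Session state tracked the way the notes describe it.
    dot1x_active: bool = False
    started_by_loginwindow: bool = False
    associated: bool = False
    logged_in: Optional[str] = None
    events: List[str] = field(default_factory=list)

    def external_session(self) -> None:
        """An 802.1X session started by something other than LoginWindow."""
        self.dot1x_active = True
        self.started_by_loginwindow = False
        self.associated = self.wireless

    def login(self, name: str, password: str) -> str:
        """Apply the login-window rules; return how the attempt ended."""
        if name in self.local_users:
            # A local account exists: no 802.1X session is started.
            self.logged_in = name
            self.events.append("local-login")
            return "local"
        if not self.dot1x_active:
            # No local account: start 802.1X with the same name and password.
            if self.network_users.get(name) != password:
                self.events.append("802.1x-failed")
                return "denied:802.1x"
            self.dot1x_active = True
            self.started_by_loginwindow = True
            self.associated = self.wireless       # associate if it is 802.11
            self.events.append("802.1x-started")
        # Then authenticate the user against the directory service.
        if self.directory_users.get(name) != password:
            self.events.append("directory-failed")
            # Assumption of this model: the notes only give the invariant
            # "no one logged in -> no 802.1X session", so tear down what
            # LoginWindow started rather than leave the Mac on the network.
            self.logout()
            return "denied:directory"
        self.logged_in = name
        self.events.append("network-login")
        return "network"

    def logout(self) -> None:
        """Stop the 802.1X session only if LoginWindow started it."""
        self.logged_in = None
        if self.dot1x_active and self.started_by_loginwindow:
            self.dot1x_active = False
            self.started_by_loginwindow = False
            if self.wireless:
                self.associated = False
            self.events.append("802.1x-stopped")

    def on_authenticated_network(self) -> bool:
        """True while an 802.1X session is up (and associated, if 802.11)."""
        return self.dot1x_active and (self.associated or not self.wireless)
```

The last case in the model is the one worth keeping in mind when troubleshooting: a session that was already running before login is left alone at logout, so a Mac can still be on the authenticated network with nobody logged in if something other than LoginWindow started 802.1X.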
If a laptop is bound to both AD and OD, any Domain Users account may log in so long as Dial-In is allowed (and not following the current NPS settings). The user account does not receive any mappings and has full use of the system as a standard user.