Configuring OS X 10.5 for 802.1x

Apple recently came out with their own doc for wireless connectivity using 802.1x

Thanks go out to Kirk at kkheconsulting for the update.


Windows 7 x64

So I went ahead and installed the public Windows 7 beta (x64)…

Nice easy install with minimal prompting.  Some quick noticeable points: UAC now has a few levels of interaction which is a nice change and the start menu is has a little bit of the usefull feel of xp thrown back into it.

My $10 usb 802.11g (realtek based) device was an immediate need so I did a quick search for drivers and couldn’t find anything that was signed (win7 requires signed drivers for everything) and the audio on my board (an Asus A8NSLI Premium) was not intalled properly.  Asus did have 64bit drivers on their website for my ‘older’ board.

So I broke down and drug a patch cable to my router and ran software updates which, in the end, made me all happy again because the drivers for both wireless and audio were available so I can also listen to music again. yea, no patch cord running across the room.

64bit freeware:
Web browser – Firefox – There are issues with running a 64bit browser such as no flash player available, roboform and other 32bit apps will not hook into it.  If you use a 64bit browser, you
Firewall – Comodo Internet Security ( has been winning awards for a while now and has good control for those that wish to delve into it.  For a ‘easy’ firewall with no HIPS, I have seen recommendations for Vista firewall Control (
Antivirus – Comodo Internet Security (same package as firewall).  If you don’t want to run both antivirus and firewall from Comodo, you can simply choose not to install one or the other.  My 2nd choice for antivirus would have been Avast Home Ed. It’s not a true 64bit app, but the kernel level drivers are 64bit –
Defragger – JKDefrag which can alse be run as a portable app –
Archiver – PeaZip (  PeaZip has a more familiar gui.  A good alternative would be 7zip (

Add a printer via terminal or applescript

Using terminal:

/usr/sbin/lpadmin -p tms-copier-room18-01 -E -v lpd://tms-copier-room18-01 -P /Library/Printers/PPDs/Contents/Resources/en.lproj/CNR5050X1.PPD.gz -o printer-is-shared=false -D “tms-copier-room18-01 (Office)”

In Applescript you’ll need to use double quotes, etc.

do shell script “/usr/sbin/lpadmin -p tms-copier-room18-01 -E -v lpd://tms-copier-room18-01 -P /Library/Printers/PPDs/Contents/Resources/en.lproj/CNR5050X1.PPD.gz -o printer-is-shared=false -D ”tms-copier-room18-01 (Office)”“

If you have spaces in the driver name or elsewhere, be sure to preface them with a space. The below example uses a fictitious canon imagerunner example (the real ppd is not named as such)

do shell script “/usr/sbin/lpadmin -p Canon_Imagerunner -E -v lpd://tms-copier-room18-01 -P /Library/Printers/PPDs/Contents/Resources/en.lproj/Canon Imagerunner 4100.gz -o printer-is-shared=false -D ”tms-copier-room18-01 (Office)”“

to delete a printer, use the -x command.

/usr/sbin/lpadmin -x “name of printer”

Be sure to checkout the full list of options via the lpadmin man page.  From terminal:

man lpadmin

and remember, the do shell script command uses sh as the default shell, not bash.

Firefox GPO’d

Frontmotion Firefox CE (Community Edition) is a re-branded version of firefox.  The original binaries are used but some preferences and other items are altered.  In order to stay within Mozilla Firefox’s licensing, they had to change the icon and name.  Basically, Mozilla Firefox has been repackaged as an MSI and some changes made to allow Group Policy templates to be used.

Updates to FM FirefoxCE and the mozilla.adm are available at:

Basic GPO settings via the administrative template are set as follows:  Disable auto update, prompt for location to save downloads , disable check for default browser, & set the homepage.  These are locked settings and cannot be edited by the user.

802.1x Setup – Article Links

WPA Enterprise setup (aka, wpa peap)
1hr setup for PCs and Macs.  It doesn’t go 100% in depth, but enough to get things going in a basic fashion.

Part 1
Part 2

Using PEAP for Wireless Auth

Wireless SSO (Single Sign On) –

Integrating OS X Server into an AD Environment

Server Setup

Install Leopard Server in Advanced Mode as a Standalone Server.

Server Admin: Add wanted services, configure, and start them (specifically SMB)

Directory Utility: Bind to Domain

  • Added AD Domain under the Directory Servers tab/icon and the binding to AD happened automatically under the Services icon/tab.
  • Advanced options: Use UNC path from AD using SMB
  • Default user shell: /bin/bash

Server Admin:

  • Enable Open Directory
  • Change settings of Open Directory: Promote the server to an OD Master.

Directory Utility: set the proper search order

  • Search Policy: Drag AD to be above the local ldap policy.  You can do the same for the Contacts Search order.

:: Adding management functions in OD to work with the AD groups ::

Open WGM (WorkGroup Manager) and login as the Directory Administrator (diradmin)

  • Greate a new Group and call it OD_Managed or similar (ie, school_staff, school_students)
  • Add new members: in the sidebar, switch the directory to AD and
    then click the groups icon.  Drag the appropriate AD container to the
    members window.
  • Set preferences for the group

Using MS ADUC, set the home directories for the users.. note that
you can setup and turn on SMB on the OS X Server, and point the users
home directories (via AD) to the leopard server’s smb share.

What you end up with is AD accounts mapped to their homedir with MCX policy enforcement.

Client setup

...coming soon…

Manual bind on client: Using Directory Util, bind to the new OD
Master server then bind to AD.  Place AD above OD in the search order.

login as test user…

Configure Leopard for a different Software Update Server


To configure a Mac running OS X 10.5 (Leopard) to connect to a local Apple Software Update server, simply use the following command, where servername is the name of your local server that runs Software Update.

defaults write /Library/Preferences/ CatalogURL http://servername:8088/

If you have any problems, verify that you can see the update server by accessing the following URL from the client’s web browser:

If you don’t see an XML-type page come up, you should verify that the Software Update service is running on the server, and that port 8088 is properly configured to allow traffic on your network.

Ramblings from a SysAdmin/Tech