Posted: January 6th, 2011 | Author: Godwin | Filed under: freeRADIUS, Mac | Tags: 10.6, certificate, Certificate Authority, freeradius, Mac, MacOS, MacOSX, request, sign, TLS, WPA2 Enterprise
Apple’s documentation for EAP-TLS access is rather thin on how to generate and sign client certificates for use with freeRADIUS. Here are some quick instructions.
First, the guest machine must generate a certificate request.
- Go to Applications -> Utilities -> Keychain Access
- Under Keychain Access -> Certificate Assistant -> Request a Certificate from a Certificate Authority…
- Fill in the info, give them your CA Email Address (the one that is in your ca.cnf file)
- Either Save or Email the request (however, if a guest is visiting your house and has neither wifi nor cell access, emailing could be a problem!).
- Once you have transferred the request to your server, issue the command below (substitute guestname with whatever you like; in my guest.cnf I have set the lifetime of the certificate to 1 day). The input is the request file exported by Keychain Access (saved here as guestname.csr), and the signed certificate is written to guests/guestname.crt:
openssl ca -config guest.cnf -policy policy_anything -out guests/guestname.crt -extensions xpclient_ext -extfile xpextensions -infiles guestname.csr
- Return the ca.crt (if your guest is a frequent visitor or a close friend) and guestname.crt
Setup 802.1X or WPA2 Enterprise access on the guest’s machine:
- Open Keychain Access (if you have closed it)
- Click the user’s keychain; if the padlock is closed, click on it to unlock the keychain.
- Drag the certificates generated above into the keychain
- Optionally: Click on the Trust tab and select Always Trust (Assuming you do no evil!)
- Quit Keychain Access
- Open Preferences -> Network
- Select Airport -> Advanced…
- Select 802.1X tab
- Create a new User Profile via the + icon on the lower left hand corner of the window.
- Give the profile any name you like
- Check the TLS box under Authentication
- Click on Configure Trust
- Select the Certificates tab
- On the lower left hand corner, click on the + and select Select Certificate From Keychain
- Click OK and the window will close
- Select the SSID from the Wireless Network: drop down list
- Select WPA2 Enterprise from the Security Type: drop down list
- Click OK and you will be back in the Network window
- The profile name should appear now next to 802.1X
- Click on Turn Airport On
- 802.1X should connect automatically; if not, click on the Connect button
- To disconnect, click on Disconnect or Turn Airport Off.
Additional Reading:
Apple’s Resources with pretty pictures.
Posted: December 5th, 2010 | Author: Godwin | Filed under: launchctl, Mac | Tags: 10.5, 10.6, Agents, Daemons, LaunchAgents, launchd, LaunchDaemons, launchtctl, loads, MacOSX, MacOSX 10.5, MacOSX 10.6, plist, stdout, sterr, unloads
launchctl allows users to start and stop jobs that are normally managed by launchd (MacOS’s equivalent of cron and init).
launchctl job configurations are stored as XML-formatted .plist files. System-wide items live in /System/Library/LaunchAgents or /System/Library/LaunchDaemons; user-specific items are stored in the ~/Library/LaunchAgents or ~/Library/LaunchDaemons directories.
Agents or Daemons?
An agent is a program that requires access to specific users’ information. A daemon is a program that runs in the background and requires generally no input from any user.
For a more detailed comparison of Agents and Daemons, refer to this Apple technote.
What is in a .plist?
A .plist file must contain at the very least the keys Label, a ProgramArguments array, and a key that tells launchd when the job is run: KeepAlive or RunAtLoad for one-time operations, or StartOnMount, StartInterval or StartCalendarInterval for repeating occurrences.
A complete dictionary of all the property keys can be found here. A few other things it can do are monitoring modified paths (via the WatchPaths key), setting HardResourceLimits, etc.
Here is an example com.companyname.agentorapplicationname.plist, which runs the application /full/path/to/binary every 60 seconds:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Unique job name; launchctl start/stop refer to it -->
    <key>Label</key>
    <string>com.companyname.agentorapplicationname</string>
    <!-- argv[0] must be the absolute path of the binary -->
    <key>ProgramArguments</key>
    <array>
        <string>/full/path/to/binary</string>
        <string>-firstargument</string>
        <string>valueoffirstargument</string>
        <string>-secondargument</string>
        <string>valueofsecondargument</string>
    </array>
    <!-- Run the job every 60 seconds -->
    <key>StartInterval</key>
    <integer>60</integer>
</dict>
</plist>
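As an added example (not from the original post), the following Python builds a minimal launchd job definition like the one above with the standard-library plistlib module and validates a plist against the rules just described: Label present, ProgramArguments starting with an absolute path, and at least one trigger key. The validator is a hypothetical helper; the constructed BROKEN sample shows a common mistake, the interval typed into the key name, which launchd would silently accept as an unknown key and never schedule.

```python
import plistlib

# Keys that tell launchd when to run the job (the ones named in the post).
TRIGGER_KEYS = {"KeepAlive", "RunAtLoad", "StartOnMount",
                "StartInterval", "StartCalendarInterval", "WatchPaths"}


def build_agent_plist(label, program_args, start_interval=None):
    """Return the XML bytes of a minimal launchd job definition."""
    job = {"Label": label, "ProgramArguments": list(program_args)}
    if start_interval is not None:
        job["StartInterval"] = int(start_interval)
    return plistlib.dumps(job)


def validate_launchd_plist(data):
    """Return a list of problems; an empty list means the plist is usable."""
    try:
        job = plistlib.loads(data)
    except Exception as exc:  # malformed XML or not a plist at all
        return ["unparseable plist: %s" % exc]
    if not isinstance(job, dict):
        return ["top-level object must be a dict"]
    problems = []
    if not isinstance(job.get("Label"), str) or not job["Label"]:
        problems.append("Label missing or empty")
    args = job.get("ProgramArguments")
    if not isinstance(args, list) or not args:
        problems.append("ProgramArguments missing or empty")
    elif not str(args[0]).startswith("/"):
        problems.append("ProgramArguments[0] must be an absolute path")
    if not (TRIGGER_KEYS & set(job)):
        problems.append("no trigger key (KeepAlive, RunAtLoad, StartInterval, ...)")
    interval = job.get("StartInterval")
    if interval is not None and (isinstance(interval, bool)
                                 or not isinstance(interval, int) or interval <= 0):
        problems.append("StartInterval must be a positive integer")
    return problems


# Constructed sample: the interval ended up inside the key name, so there is no
# real StartInterval key and launchd has nothing to schedule the job on.
BROKEN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.companyname.agentorapplicationname</string>
<key>ProgramArguments</key><array><string>/full/path/to/binary</string></array>
<key>StartInterval 60</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    good = build_agent_plist("com.companyname.agentorapplicationname",
                             ["/full/path/to/binary", "-firstargument", "valueoffirstargument"], 60)
    print(validate_launchd_plist(good))    # []
    print(validate_launchd_plist(BROKEN))  # one "no trigger key" problem
```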
launchctl operations
Command | Description
launchctl list | Lists the PID, status and name of loaded jobs
launchctl list com.exampleco.eg | Outputs the runtime information (eg. PATH) of com.exampleco.eg
launchctl start com.exampleco.eg | Starts com.exampleco.eg
launchctl stop com.exampleco.eg | Stops com.exampleco.eg
launchctl load -w /path/example.plist | Loads a job by its plist filename
launchctl unload /path/example.plist | Stops and unloads a job by its plist filename
launchctl submit -l labelname -p /path/eg/binary -o /path2/stdout -e /path2/stderr | Manually runs the binary under the label labelname with the specified stdout and stderr devices/files