OSX 10.10 802.1x Profiles

DISCLAIMER: Playing with system configuration data and removing files is dangerous and presents a risk to your system. Only attempt this fix at your own risk; any consequences are on your head.

Recently I have had to start replacing a number of certificates used for wireless authentication on a RADIUS/802.1X authenticated wireless network at a number of clients, and for the most part it has gone smoothly (but this does not make for a good blog post now does it). There have, however, been issues with a number of OS X-based devices, and more specifically devices that have gone through a number of in-place upgrades since the system profile was installed.

These systems have all had a number of in-place upgrades over the years from either OS X 10.6 given their age, and as such there are now issues removing these 802.1X profiles.

To understand why this is happening, a little background on how the profiles were managed previously and are managed now is in order.

In 10.6 and prior, an 802.1X profile was added (+) or removed (-) through the 802.1X tab in the Advanced settings on the interface (in this case WiFi/Airport).

[Screenshot: OSX-10.6-802.1X-ShowButtons]

In 10.7 and later these buttons have been removed.

[Screenshot: OSX-10.10-802.1X-NoButtons]

In 10.7, a new System Preferences option was added to manage these profiles; it is simply called “Profiles”.

[Screenshot: OSX-10.10-SystemPreferences-ProfileManager-Highlighted]

In most cases this is not an issue. However, unless a profile has been added since the upgrade, the old profile does not appear in the Profiles pane, and therefore the Profiles pane does not show in the System Preferences menu.

This leaves us with a profile we cannot remove, due to the lack of buttons in the 802.1X tab on the interface and no Profiles pane accessible (due to no registered profiles) in System Preferences.

[Screenshot: OSX-10.10-802.1X-NoButtons]

[Screenshot: OSX-10.10-SystemPreferences-NoProfilesManager]

So how do we remove it? Through the venerable and all-powerful command line interface (Terminal).

First you need to know the location of the system configuration profiles, which is the directory /Library/Preferences/SystemConfiguration.

Now this is where I can only guide you. I did this operation in the opposite order to what is outlined here, because I did the second part first and it did not remove the profile; therefore I do not know whether it is required or not to remove the profile. Try running the first remove before removing the other two files.

The profile information seems to be stored in the file com.apple.network.eapolclient.configuration.plist within the system configuration directory, so to remove it we want to run the following command:

 sudo rm /Library/Preferences/SystemConfiguration/com.apple.network.eapolclient.configuration.plist 

This will prompt you for a password if you have not authorized to sudo yet/recently (it has a timeout of 5 minutes). Enter your password, hit enter and it will remove the file. Now reboot OS X (yes, this is required) and the profile SHOULD be removed.

[Screenshot: OSX-10.10-802.1X-NoProfile]

NOTE: Adrian Stevenson left a comment on the 13th of October 2015 stating that the above file is the only one required to remove the profile. Based upon this, the information below is not relevant to solving this issue; I have however left it so the article still contains all its original information.

Further to this, Kevin posted in the comments on the 27th of January 2016 that on Mavericks the command is confirmed to require only the first line.

However, if it's not removed, as I said above I had removed two other files prior to removing the com.apple.network.eapolclient.configuration.plist file. Specifically, these are the following files:

 /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist
 /Library/Preferences/SystemConfiguration/NetworkInterfaces.plist 

These files were located by using the grep command to find references to the keyword “802” inside files in the SystemConfiguration directory. The command to locate these is as follows:

 grep "802" /Library/Preferences/SystemConfiguration/* 

NOTE: Notice the lack of a sudo; we are only reading information here, not writing, so there is no need to sudo.

It is however worth noting that, due to the use of the keyword “802”, this searches for all references to 802 (well der). Wireless itself, as well as other communications protocols, all have 802 numbers by which they can be referenced (i.e. 802.11 is wireless), so the search will find references to these protocols as well. Removing all files where this occurs may, and most likely will, remove configurations for other 802 series protocols/standards where these are referenced by their 802 identifiers inside the configuration profiles. On the laptop I did this testing on, removing these files removed ALL wireless connection details, and although this may not be a great concern in some cases, it may cause issues in others.

Anyway, if the removal of the first file and its subsequent reboot did not work, removing all three files should fix the issue (we want to remove the original file again to ensure there have been no references generated in the new file):

 sudo rm /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist
 sudo rm /Library/Preferences/SystemConfiguration/NetworkInterfaces.plist
 sudo rm /Library/Preferences/SystemConfiguration/com.apple.network.eapolclient.configuration.plist

Reboot and the profile should now have removed itself.

[Screenshot: OSX-10.10-802.1X-NoProfile]
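The same removal steps as an added example (not part of the original post): each file is copied to a timestamped backup directory and verified before the original is deleted, so the wireless settings can be put back if removing all three files causes problems. The function names, the backup location under $HOME and the optional directory arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Function names, the backup
# location and the optional directory arguments are assumptions.
SC_DIR_DEFAULT="/Library/Preferences/SystemConfiguration"
EAPOL="com.apple.network.eapolclient.configuration.plist"
OTHERS="com.apple.airport.preferences.plist NetworkInterfaces.plist"

# quarantine_8021x_prefs first|all [SC_DIR] [BACKUP_ROOT]
#   first: only the eapolclient file; all: the three files named in the post.
# Copies each file to a timestamped backup directory, verifies the copy,
# then removes the original. Prints the backup directory. Needs a root
# shell (e.g. sudo -s) on a real system, followed by a reboot.
quarantine_8021x_prefs() {
    sc_dir="${2:-$SC_DIR_DEFAULT}"
    backup_root="${3:-$HOME/8021x-prefs-backup}"
    case "$1" in
        first) files="$EAPOL" ;;
        all)   files="$OTHERS $EAPOL" ;;
        *)     echo "usage: quarantine_8021x_prefs first|all [dir] [backup]" >&2
               return 2 ;;
    esac
    dest="$backup_root/$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dest" || return 1
    moved=0
    for f in $files; do
        [ -f "$sc_dir/$f" ] || continue              # already gone: skip it
        cp -p "$sc_dir/$f" "$dest/$f" || return 1
        cmp -s "$sc_dir/$f" "$dest/$f" || return 1   # never delete unverified
        rm "$sc_dir/$f" || return 1
        moved=$((moved + 1))
    done
    if [ "$moved" -eq 0 ]; then
        echo "no matching files in $sc_dir" >&2
        rmdir "$dest" 2>/dev/null
        return 3
    fi
    echo "$dest"
}

# restore_8021x_prefs BACKUP_DIR [SC_DIR]: copy the saved files back.
restore_8021x_prefs() {
    sc_dir="${2:-$SC_DIR_DEFAULT}"
    for f in "$1"/*.plist; do
        [ -f "$f" ] || return 1                      # empty or wrong directory
        cp -p "$f" "$sc_dir/" || return 1
    done
}
```

Run `quarantine_8021x_prefs first` and reboot; only if the profile is still present, run it again with `all`.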

Let me know if it works for you in the comments

Justin
