Authenticate to Wi-Fi Enterprise network from Authorization plugin

With the native Login Window client (UI) it was possible to authenticate to a Wi-Fi Enterprise network from the login window screen. If a profile with Login Window Mode (802.1X authentication) is applied via MDM or manually, a special pop-up menu is shown right above the user name field.

But how can I implement similar functionality in a custom authorization plugin? I tried to add my own Wi-Fi selector calling the associateToEnterpriseNetwork method of the CoreWLAN framework, but from the login window context it always returns the error: code -3903.

I called associateToEnterpriseNetwork without specifying the identity like this:

[interface associateToEnterpriseNetwork:network identity:nil username:myUsername password:myPassword error:&error];

Are there any other ways to add Wi-Fi enterprise support to authorization plugins? Maybe there are some standard ways to implement this.

Thanks in advance!

Replies

but from the login window context it always returns the error: code -3903.

That’d be kCWNotSupportedErr, which isn’t super descriptive. I’ve no idea why you’re getting this but it’s not a huge surprise: Authorisation plug-ins run in a very weird context.

I suspect that there will be no good way to do this. However, I can’t say that for sure without doing more research, and I don’t have time to do that in the context of DevForums. My advice is that you open a DTS tech support incident so that I can allocate the time to investigate.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I’ve no idea why you’re getting this but it’s not a huge surprise: Authorisation plug-ins run in a very weird context.

It doesn't work even from the application context. I ran a simple test 9 times, containing only the following two lines (I used PEAP as the authentication method):

[interface disassociate];
BOOL res = [interface associateToEnterpriseNetwork:network identity:nil username:myUsername password:myPassword error:&error];

2 times out of 9 I managed to connect to the Wi-Fi enterprise network without any prompts.

1 time out of 9 the method showed success, but I wasn't connected to Wi-Fi Enterprise network (It's strange, because in RADIUS server logs I see that "full access was granted")

6 times out of 9 the system kept asking for Wi-Fi credentials, which is weird because the correct credentials were specified as the parameters. Moreover, the associateToEnterpriseNetwork call was not blocking and terminated in a couple of seconds with the error code 1. But the credential prompt kept hanging, so I could enter the credentials and get connected to my enterprise network. This behaviour looks unpredictable; it's quite glitchy.

As for the login window context, I tried to wrap the associateToEnterpriseNetwork method into a launched daemon and pull it from my authorisation plug-in. While I'm pulling the daemon being on the login window screen, I get the error -3903, the one I mentioned before. As soon as I leave the login window, my daemon stops showing the error -3903 and either works as expected or shows the error 1.

It looks like it's a bug.
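A repeatable version of the nine-run test described in the thread, written here as an added example (it is not code from any poster). It tallies each outcome and checks the interface's live SSID instead of trusting the return value alone, which separates the "reported success but not connected" case from a real association. The SSID, credentials, attempt count and settle delay are placeholder assumptions.

```objc
// Added example, not from the thread. SSID and credentials are placeholders.
#import <Foundation/Foundation.h>
#import <CoreWLAN/CoreWLAN.h>

static NSString *const kSSID = @"EXAMPLE-ENTERPRISE-SSID"; // placeholder
static NSString *const kUser = @"example-user";            // placeholder
static NSString *const kPass = @"example-password";        // placeholder
static const int kAttempts = 9;
static const NSTimeInterval kSettleSeconds = 10.0; // assumed time for 802.1X to finish

int main(void) {
    @autoreleasepool {
        CWInterface *iface = [[CWWiFiClient sharedWiFiClient] interface];
        if (iface == nil) { NSLog(@"No Wi-Fi interface"); return 1; }

        NSError *scanError = nil;
        CWNetwork *network = [[iface scanForNetworksWithName:kSSID error:&scanError] anyObject];
        if (network == nil) { NSLog(@"Scan found no %@: %@", kSSID, scanError); return 1; }

        NSCountedSet<NSString *> *tally = [NSCountedSet set];
        for (int i = 1; i <= kAttempts; i++) {
            [iface disassociate];
            NSError *error = nil;
            BOOL ok = [iface associateToEnterpriseNetwork:network identity:NULL
                                                 username:kUser password:kPass error:&error];
            [NSThread sleepForTimeInterval:kSettleSeconds];
            // Compare against the live SSID; a nil SSID (the process cannot
            // read it) is reported separately rather than counted as a failure.
            NSString *current = [iface ssid];
            NSString *outcome;
            if (!ok && [error.domain isEqualToString:CWErrorDomain] && error.code == kCWNotSupportedErr) {
                outcome = @"kCWNotSupportedErr (-3903)";
            } else if (!ok) {
                outcome = [NSString stringWithFormat:@"error %@ %ld", error.domain, (long)error.code];
            } else if (current == nil) {
                outcome = @"reported success, SSID unreadable";
            } else if ([current isEqualToString:kSSID]) {
                outcome = @"reported success, associated";
            } else {
                outcome = @"reported success, NOT associated";
            }
            NSLog(@"attempt %d: %@", i, outcome);
            [tally addObject:outcome];
        }
        for (NSString *outcome in tally) {
            NSLog(@"%lu x %@", (unsigned long)[tally countForObject:outcome], outcome);
        }
    }
    return 0;
}
```

Build with `clang -fobjc-arc -framework Foundation -framework CoreWLAN`; the per-attempt log with error domain and code is the kind of evidence a bug report or DTS incident can use.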