802.1X authentication from authorization plug-in

I'm trying to find a working scenario for how to implement 802.1X authentication for Wi-Fi enterprise with a custom authorization plug-in. The problem is I don't fully understand which mechanism, in the scope of the system.login.console authorization right, is responsible for 802.1X authentication. The system.login.console authorization right has the following mechanisms:

  1. builtin:policy-banner (displays Login Window banner, if set).
  2. loginwindow:login (prompts for credentials).
  3. builtin:login-begin
  4. builtin:reset-password,privileged (performs password reset using Apple ID).
  5. builtin:forward-login,privileged (forwards credentials from EFI on boot).
  6. builtin:auto-login,privileged (applies auto-login credentials on boot).
  7. builtin:authenticate,privileged (invokes pam_authenticate(3) for authorization service; sets "uid" context value).
  8. PKINITMechanism:auth,privileged (initialises Kerberos by obtaining a TGT).
  9. builtin:login-success
  10. loginwindow:success (secures the login session from unauthorized remote access; records the login in the system’s utmp and utmpx databases; sets the owner and permissions for the console terminal).
  11. HomeDirMechanism:login,privileged (mounts the user's home directory).
  12. HomeDirMechanism:status (displays progress of home directory mounting).
  13. MCXMechanism:login (applies configuration profiles).
  14. loginwindow:done

Since the second stage of that authentication is handled by the pam_opendirectory.so module and is dependent on the network being present, the first stage (authenticating via 802.1X to the network) must necessarily occur prior to that. That is, it must occur before the builtin:authenticate mechanism.

Am I correct in thinking that the loginwindow:login mechanism not only displays the login prompt, but then also attempts 802.1X authentication?

If so, it makes it impossible to implement the same functionality in a custom plug-in. I tried to use the CoreWLAN framework, but that didn't work. I even filed a bug, but got a reply from Apple saying that CoreWLAN only works from an application context. As a result, I cannot switch a Wi-Fi network using CoreWLAN while staying in the Login Window, even from a daemon. As soon as I leave the Login Window screen, CoreWLAN methods (Wi-Fi enterprise related) start working.

Or does 802.1X authentication occur in a different mechanism (lower in the call chain)? And is it somehow possible to pass credentials and the selected Wi-Fi network parameters as a hint or a context value from the custom plug-in mechanism to the system built-in mechanism that is responsible for 802.1X authentication?
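An added example, not code from the original post or from Apple: it reads a plist shaped like the system.login.console right and inserts a custom mechanism immediately before builtin:authenticate, the point the post argues a network-dependent step must precede. The plist is constructed from the mechanism list above, and "MyPlugin:wifi8021x" is a hypothetical mechanism name.

```python
import plistlib

# Constructed sample, shaped like the output of
#   security authorizationdb read system.login.console
SAMPLE_RIGHT = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
  <key>class</key><string>evaluate-mechanisms</string>
  <key>mechanisms</key><array>
    <string>builtin:policy-banner</string>
    <string>loginwindow:login</string>
    <string>builtin:login-begin</string>
    <string>builtin:reset-password,privileged</string>
    <string>builtin:forward-login,privileged</string>
    <string>builtin:auto-login,privileged</string>
    <string>builtin:authenticate,privileged</string>
    <string>PKINITMechanism:auth,privileged</string>
    <string>builtin:login-success</string>
    <string>loginwindow:success</string>
    <string>HomeDirMechanism:login,privileged</string>
    <string>HomeDirMechanism:status</string>
    <string>MCXMechanism:login</string>
    <string>loginwindow:done</string>
  </array>
</dict></plist>"""


def insert_mechanism(plist_bytes: bytes, new_mech: str, before: str) -> dict:
    """Return the right with new_mech placed immediately before `before`.

    Refuses to duplicate an existing entry or to append when the anchor is
    missing, so the plug-in never silently lands after builtin:authenticate.
    """
    right = plistlib.loads(plist_bytes)
    mechs = right["mechanisms"]
    if new_mech in mechs:
        raise ValueError(f"{new_mech} already present")
    # Compare without the ",privileged" flag so either spelling of the anchor works.
    anchor = before.split(",")[0]
    idx = next((i for i, m in enumerate(mechs) if m.split(",")[0] == anchor), None)
    if idx is None:
        raise ValueError(f"anchor {before} not found")
    mechs.insert(idx, new_mech)
    return right


if __name__ == "__main__":
    # "MyPlugin:wifi8021x" is a hypothetical mechanism name.
    updated = insert_mechanism(SAMPLE_RIGHT, "MyPlugin:wifi8021x,privileged", "builtin:authenticate")
    # Pipe this into: security authorizationdb write system.login.console
    print(plistlib.dumps(updated).decode())
```

Writing the modified right back requires root and replaces the whole right, so keep the original output of `security authorizationdb read` as a backup before writing.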

Replies

Hi, in the latest versions of macOS, a new mechanism has been discovered: <string>builtin:policy-banner</string>. Could someone assist me in understanding the purpose of this particular mechanism? I suspect that it may be related to initiating 802.1X authentication at the very beginning. Can anyone confirm or correct my understanding?

Hi, in the latest versions of macOS, a new mechanism has been discovered: <string>builtin:prelogin</string>. Could someone assist me in understanding the purpose of this particular mechanism? I suspect that it may be related to initiating 802.1X authentication at the very beginning. Can anyone confirm or correct my understanding?