Articles September 1, 2009 at 1:02 am

New networksetup Features in Snow Leopard

The networksetup command is pretty useful for deploying static network information, which is otherwise tedious (to say the least).  In Mac OS X 10.6 there are three major additions to networksetup that have not gotten a lot of attention yet.  The first is that you can now use networksetup to import and export 802.1x profiles (and link them to certificates that you import from pkcs12 into Keychain), which will hopefully ease implementation burdens for environments with supported 802.1x setups.  The second is that networksetup can now be used to manage a Baseboard Management Controller (BMC), which is the chip that enables ipmi/Lights Out Management.  The third new option is the addition of network locations control from within networksetup.  This means that networksetup can now be used to configure basically the entire network stack. 


First let's look at the options that have been added to ease the burden of integrating 802.1x. In the Network System Preference pane, if you've enabled 802.1x on a Mac host, you may have noticed that you have User Profiles, Login Window Profiles and a System Profile. The options in networksetup correspond to these, with -listalluserprofiles and -listloginprofiles showing available user and login profiles respectively (you can only have one System Profile so there's no need for listing all one of them). Additionally, any profiles that you generate will need to be enabled. You will use the -enablesystemprofile option to enable the system profile for a given service. And if you are integrating 802.1x with the loginwindow you'll need to enable one of the profiles that you listed earlier, using the -enableloginprofile option to networksetup along with the service, followed by the profile, followed by an on or off switch. For example, if we wanted to enable a profile called mycompany for the login window and we wanted to use the service that we'd set up called PrimaryEthernet, then we could use the following command:

networksetup -enableloginprofile PrimaryEthernet mycompany on

But where are these profiles coming from? Well, the easiest way to get them on your system is to use the -export8021xProfiles option to export all profiles for a given service on an imaging station and then the -import8021xProfiles option followed by the service to import the profiles into, followed by the path to the export file. You can also export just a subset of the profiles, using the -export8021xLoginProfiles or the -export8021xSystemProfiles options to export just the login profiles and system profiles respectively. TLS will be a bit trickier. Apple includes the -settlsidentityonsystemprofile and -settlsidentityonuserprofile options to assist with pkcs12 integration (currently the only supported format). While Snow Leopard also introduces an option in the GUI to connect to an 802.1x environment immediately, I've yet to find command line support to test the supplicant.

In addition to 802.1x options, Snow Leopard also comes with the ability to manage that Lights Out Management (LOM) port on those shiny Xserves all the cool kids are talking about (without compiling ipmitool on your own). To see the LOM settings, you would use networksetup along with the -showBMCSettings option. To set up LOM, use the -setupBMC option, along with the port to use it on followed by whether it will be static or DHCP (yes, I said DHCP but I don't think I'd do that), the IP, subnet mask, gateway and finally the admin user name and password (keep in mind those passwords need 8 characters). So let's say that I wanted to configure my LOM interface to use Ethernet 1, using 192.168.210.2 with a subnet mask of 255.255.255.0 and a gateway of 192.168.210.1, with a LOM username of admin and a password of mysecretpassword1. I would then use the following command:

networksetup -setupBMC 1 static 192.168.210.2 255.255.255.0 192.168.210.1 admin mysecretpassword1
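
Added example, not part of the original article: a pre-flight check for the static -setupBMC call above, covering the 8-character password rule and whether the gateway sits on the BMC's subnet, and printing the command with the password masked so it can go into a deployment log. The function names check_bmc_static and ip_to_int are hypothetical; the argument order is the one the article describes.

```shell
#!/bin/sh
# Added example, not the article's own code. Function names are hypothetical;
# the -setupBMC argument order is the one the article describes.

# Convert a dotted quad to an integer; fail on anything malformed.
ip_to_int() {
    case "$1" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Validate port, address, mask, gateway, admin user and password. On success
# print the command with the password masked; on failure explain on stderr.
check_bmc_static() {
    port=$1 ip=$2 mask=$3 gw=$4 user=$5 pass=$6
    [ -n "$port" ] && [ -n "$user" ] ||
        { echo "missing port or admin user" >&2; return 1; }
    [ "${#pass}" -ge 8 ] ||
        { echo "password under 8 characters" >&2; return 1; }
    ip_n=$(ip_to_int "$ip") && mask_n=$(ip_to_int "$mask") &&
        gw_n=$(ip_to_int "$gw") || { echo "malformed address" >&2; return 1; }
    # A valid mask is a run of 1 bits followed by a run of 0 bits.
    inv=$(( ~$mask_n & 4294967295 ))
    [ "$mask_n" -ne 0 ] && [ $(( $inv & ($inv + 1) )) -eq 0 ] ||
        { echo "mask $mask is not contiguous" >&2; return 1; }
    # The gateway must be reachable from the BMC address without routing.
    [ $(( $ip_n & $mask_n )) -eq $(( $gw_n & $mask_n )) ] ||
        { echo "gateway $gw is not on $ip/$mask" >&2; return 1; }
    [ "$ip_n" -ne "$gw_n" ] ||
        { echo "address equals gateway" >&2; return 1; }
    echo "networksetup -setupBMC $port static $ip $mask $gw $user ********"
}
```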

Finally, locations have always been pretty straightforward in the Network System Preference pane and they still are in networksetup. Simply use the -getcurrentlocation option to show you which location is active (if you haven't ever customized network locations this should be automatic). You can see all of the locations (not just the active one) by using the -listlocations option. When you know which locations you have, if you need more, go ahead and do a -createlocation followed by the name to be assigned to the location. By default the default services will not be included in this location, so use the populate option to add them. If we were creating a new location called 8021xenabled then our command would look something like the following:

networksetup -createlocation 8021xenabled populate

To then make that location our active location use the -switchtolocation option. For example, we could use the following to activate that location we just created:

networksetup -switchtolocation 8021xenabled 

And to delete it if we did something wrong, use the -deletelocation option (to continue on with our previous example):

networksetup -deletelocation 8021xenabled 

While this doesn't seem very earth shattering, the ability to programmatically create (and delete) locations allows administrators to build new test packages for home vs work settings and also be able to send users packages with locations built into them to help test for problems, potentially a huge time saver!
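
Added example, not from the original article: the location steps above and the -import8021xProfiles and -enableloginprofile steps from the 802.1x section, combined into one idempotent rollout that re-reads state after each change and rolls back on failure. Function names are hypothetical, and it assumes -listlocations prints one location name per line and that the named service exists in the new location.

```shell
#!/bin/sh
# Added example, not the article's own code. Function names are hypothetical;
# the networksetup options and argument order are the ones the article gives.
# Assumes -listlocations prints one location name per line.

location_exists() {
    networksetup -listlocations | grep -Fxq -- "$1"
}

# Create the location with the default services only if it is missing.
ensure_location() {
    if location_exists "$1"; then
        echo "exists"
        return 0
    fi
    networksetup -createlocation "$1" populate >/dev/null || return 1
    location_exists "$1" || return 1    # confirm by re-reading state
    echo "created"
}

# Switch location and confirm the change took effect.
activate_location() {
    [ "$(networksetup -getcurrentlocation)" = "$1" ] && return 0
    networksetup -switchtolocation "$1" >/dev/null
    [ "$(networksetup -getcurrentlocation)" = "$1" ]
}

# Roll out location, imported 802.1x profiles and the login-window profile.
# On failure, return to the previous location and delete what was created.
deploy_8021x_location() {
    loc=$1 service=$2 profile=$3 export_file=$4
    before=$(networksetup -getcurrentlocation) || return 1
    state=$(ensure_location "$loc") || return 1
    if activate_location "$loc" &&
       networksetup -import8021xProfiles "$service" "$export_file" >/dev/null &&
       networksetup -enableloginprofile "$service" "$profile" on >/dev/null
    then
        return 0
    fi
    networksetup -switchtolocation "$before" >/dev/null
    [ "$state" = "created" ] && networksetup -deletelocation "$loc" >/dev/null
    return 1
}

# Run only when called with: location service profile export-file
if [ $# -eq 4 ]; then deploy_8021x_location "$@"; fi
```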
