Mac OS X 10.5: How to configure Network preferences for 802.1X

The 802.1X standard is designed to enhance the security of local area networks by preventing unauthorized devices from gaining access to the network. It supports a wide range of authentication methods, including TLS, EAP–FAST, TTLS, LEAP, MD5, and PEAP (MSCHAPv2, MD5, GTC).

This article has been archived and is no longer updated by Apple.

You may need to connect to a wireless (IEEE 802.11) or Ethernet (IEEE 802.3) network that is protected by the 802.1X standard if you are in an education or business environment.

In an 802.1X secured environment, a computer will not be able to gain access to network services, such as email or the Internet, until it has been authenticated.

You may need to know these things before configuring 802.1X settings in Mac OS X.

  • User name
  • Password
  • Name of the wireless network, which is case sensitive
  • Authentication method and options
  • If you are using TLS, you will also need a user certificate/private key pair, commonly distributed in a .p12 file (PKCS12). In this situation, your IT department should configure your computer for you.

If you are not sure, ask your network administrator which of the above you need to know in order to configure 802.1X.

Which 802.1X profile should I use?

There are three 802.1X profile choices in Network preferences:

  • User Profile
  • Login Window Profile
  • System Profile

Note: The 802.1X RADIUS server that your computer authenticates to doesn't know what type of 802.1X profile you are using. User, Login Window and System profiles are transparent to the RADIUS Server, and are Mac OS X specific. Regardless of the profile used, the same transactions will occur between the computer and the RADIUS server.

It is important to note that there is a precedence order for 802.1X profiles. If you have multiple profile types, System has precedence over Login Window, and Login Window has precedence over User. If you have configured a System profile in your location, do not add a User or Login Window profile to that same location.
 

About the "User" Profile choice

Use this choice if you aren't sure which one to add (consider it the default). This mode is called User because the 802.1X session runs as the user, and has the ability to interact with the user to prompt for missing information, such as certificate trust and name and/or password.
 

About the "Login Window" Profile choice

This mode is called Login Window because the 802.1X session originates from the login window using credentials entered at the login window. The same credentials are used to both authenticate to the network and authenticate the user to a directory service.

At the login screen, you enter a name and password. If LoginWindow can't find a local user account with that name, it initiates an 802.1X session using the same name and password and, in the case of an 802.11 network, associates to the wireless network. After the 802.1X authentication completes, LoginWindow authenticates the user against the directory service. If that authentication succeeds, the user is logged in.

When the user logs out, LoginWindow checks whether the 802.1X session is one that it started, and if so, it stops the 802.1X session, and if an 802.11 network, disassociates from the network.

If no one is logged in, no 802.1X session is running, and no 802.11 network will be joined. The Mac is not available on the authenticated network.

This mode is typically of interest to enterprise environments that use managed computing technologies along with one or more directory services to remotely administer and manage both the computer and the user accounts. Note: Login Window profiles are only supported for network, external or mobile accounts. Local accounts ignore any Login Window profiles and therefore will not connect to an 802.1X-protected network.

You may have multiple Login Window profiles per Location.
 

About the "System" Profile choice

This mode is called System because Mac OS X authenticates to the network automatically as long as this mode is enabled. That means the computer will authenticate to the network even when no one is logged in, regardless of which user account logs in afterwards.

This is useful if the computer needs to be connected to the network regardless of whether anyone is logged in or not.

In computer labs and other similar environments where a system administrator needs to update large groups of computers at the same time, this may be the best method.

You can only have one System Profile configured per location. If you add a User or Login Window Profile to the same location, it will be ignored--the System Profile has precedence.
 

Note about Certificates

Certificates must meet specific requirements both on the server and on the client for successful authentication.

There are two types of Certificates 802.1X is concerned with: Server Certificates, and User Certificates.

Server Certificates

When you connect to an 802.1X network, you may be presented with a certificate trust dialogue asking you whether you want to continue with the authentication to the server. In the dialogue, you have the opportunity to permanently trust the certificate, or simply click "Continue" to authenticate a single time.

One purpose of the certificate trust dialogue is to inform you any time a server presents a certificate that has not been explicitly trusted. Another purpose is to give you the opportunity to examine the certificate to ensure that the certificate is appropriate for the network you are authenticating to. It is important to carefully examine the certificates, and not just blindly accept them. It's possible for someone to set up a rogue access point with their own certificate, and if you continue with the authentication, the rogue access point could gather your password from the authentication exchanges.

The certificate will contain SHA-1 and MD5 fingerprints which uniquely identify the certificate. Verify each certificate in the list, and if you are confident in its validity, trust it. If you are unsure, consult with your System Administrator before continuing.
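
The fingerprint check described above, as an added example that is not part of the Apple article: the SHA-1 and MD5 fingerprints shown in the trust dialogue are hashes of the certificate's DER encoding, so they can be recomputed from a copy of the server certificate (for example, one exported from Keychain Access as a .pem or .cer file) and compared, formatting aside, with the value your administrator gave you. The certificate bytes below are constructed for the demonstration and are not a real certificate.

```python
"""Recompute and check the fingerprints shown in the 802.1X trust dialogue."""
import base64
import hashlib
import hmac
import re
import textwrap

# Constructed sample bytes standing in for a server certificate's DER encoding.
# They are NOT a real certificate; a real one would be exported from Keychain
# Access as a .cer (DER) or .pem file and read from disk instead.
SAMPLE_DER = bytes(range(256))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(textwrap.wrap(base64.b64encode(SAMPLE_DER).decode(), 64))
              + "\n-----END CERTIFICATE-----\n")


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM file."""
    match = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                      pem_text, re.S)
    if not match:
        raise ValueError("no PEM CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()))


def fingerprint(der: bytes, algo: str) -> str:
    """Hash the DER encoding with 'sha1' or 'md5' and format the digest the way
    the trust dialogue does: upper-case hex pairs separated by colons."""
    if algo not in ("sha1", "md5"):
        raise ValueError("fingerprint algorithm must be 'sha1' or 'md5'")
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Strip colons, spaces and case so a fingerprint copied from e-mail, a
    printout or the dialogue compares equal regardless of formatting."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def verify_fingerprint(der: bytes, expected: str) -> bool:
    """True if the certificate matches the fingerprint the administrator supplied.
    The algorithm is inferred from the digit count (40 = SHA-1, 32 = MD5) and
    the comparison is constant-time."""
    digits = normalize(expected)
    algo = {40: "sha1", 32: "md5"}.get(len(digits))
    if algo is None:
        raise ValueError("expected a 40-digit SHA-1 or 32-digit MD5 fingerprint")
    return hmac.compare_digest(normalize(fingerprint(der, algo)), digits)


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    for name in ("sha1", "md5"):
        print(name.upper(), fingerprint(der, name))
```

A mismatch means the certificate offered is not the one your administrator distributed, which is exactly the rogue access point case the article warns about; click Cancel rather than Continue.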

User certificates

There are many types of certificates, including:

  • Safari (SSL/TLS client authentication)
  • Mail (signed/encrypted mail)
  • iChat (encrypted chat)
  • Back to My Mac (file and screen sharing)
  • Xcode (Code signing)
  • Kerberos (Local KDC signing)

and

  • 802.1X (server and client authentication).

When selecting a certificate for your 802.1X configuration, it is essential that it be the specific one for access to that RADIUS server.
 

How do I determine which certificate (certificate of authority) is for the 802.1X network at this location?

You must use the certificate that was specifically installed or given to you to install for that 802.1X network at that location. The certificate used with EAP/TLS must be known to the authentication infrastructure and is normally associated with a User within an authentication domain.
 

How do I get an 802.1X certificate of authority?

The network administrator will tell you what you need to do to obtain a certificate. There are many ways to get one, and it's impossible to document them all. Some methods use a web-based interface for obtaining a certificate associated with your user account. Other methods include sending email to a Certificate Authority's email address.

Regardless of using web or email, the process involves:

  • Generating a private key and Certificate Signing Request (CSR), for example, from within Mac OS X's Certificate Assistant
  • Providing the CSR to the CA
  • CA signing the CSR and issuing the certificate
  • Importing the certificate into the keychain to establish the connection between the private key and certificate

It is important to note the distinction between a certificate for which you have the private key, usually referred to as an "identity", and just a certificate. A certificate is the public part of public key infrastructure, and allows people to verify that you hold the private key. A private key is only held by the entity that corresponds to the subject of the certificate, and must be stored securely.

It's also possible that you already have the identity (certificate + private key) in the form of a PKCS12 (.p12, .pfx) file. This file can be imported into the keychain directly by double-clicking it.
 

About EAPOL authentication types

As listed below, there are six EAPOL authentication types which Mac OS X supports. Unless directed to do so by your System Administrator, you should not need to make changes to the Options available for these types.

TTLS

  • MSCHAPv2
  • MSCHAP
  • CHAP
  • PAP

PEAP

  • Outer Identity (optional)

TLS

  • Requires a Certificate

EAP–FAST

  • Outer Identity (optional)
  • Use Protected Access Credential (PAC)
  • Provision PAC automatically
  • Allow Anonymous PAC provisioning

LEAP

  • None

MD5

  • Authentication type for wired ethernet connections
     

How to Connect to a network that is protected by 802.1X

Choose from the following 802.1X profiles and follow the instructions to enter the information in Network preferences for the network service you require. An administrator (any user account with administrator level privileges on the computer) can create a valid 802.1X profile.

While it is not necessary to create a Network location for a User profile, it is helpful for a Login Window or System 802.1X configuration. If you do create a location, remember to ensure that it is selected when you are at that location. In the example below, a location has been created for a New York office and for a London office. Each of these locations has its own 802.1X profiles configured for that specific place.


 

If you already have an existing configuration for your 802.1X network that is not working

  1. If you are using Login Window or System profile, connect to the network and use the Directory Utility to make sure you're bound to an applicable Server such as Open Directory (OD), or Active Directory (AD) needed for your network homes and authentication.
    This will normally be done by the IT System Administrator over a wired ethernet Network connection.
    For Open Directory you may not have to bind as Mac OS X supports Anonymous binding, and the OD information can be sent via DHCP. This means you can create the connection and log in with an OD account, providing the 802.1X authentication succeeds first and the DHCP server is configured to send the OD server data.
  2. Remove any previous 802.1X profile.
  3. Remove any existing 802.1X certificates from the profile keychain entries.
  4. For an 802.1X wireless network, in Network System Preferences remove the previous AirPort Network from the Preferred Networks list.
  5. Now choose and follow the steps for adding the appropriate 802.1X profile.
     

Adding a User profile--the recommended method for adding an 802.1X User profile

If you will be using TLS authentication, before doing anything else you will need to install a user certificate/private key pair. We recommend that this is done by your System Administrator.

  1. Choose Apple > System Preferences > Network.
  2. Select the appropriate network service to set up, such as Ethernet or AirPort from the network connection services list, and then click Advanced.
  3. Click the 802.1X tab.
  4. Click Add (+) at the bottom of the profiles list, and choose Add User profile. (If you wish, rename the default profile name to something else.)
  5. Unless using TLS, enter the User Name and Password supplied by your System Administrator for your account.
  6. Choose a network from the Wireless Network pop-up menu if you are setting up a 'wireless' 802.1X connection. If your wireless network name (SSID) is hidden, you will need to manually type it in exactly. It is case sensitive.
  7. Select and configure the appropriate EAP Authentication types for your network. The default is PEAP and TTLS.
  8. Click OK to save the profile.
  9. Click Apply to save the 802.1X configuration.
  10. You may be prompted to trust a certificate from the server if it was issued from a non-trusted CA, in which case you will see a new entry added in Login keychain.
  11. You'll be asked for your admin password so you can set the required level of trust on that certificate.
  12. If you want to be able to rejoin the network after waking from sleep you also have to ensure the network is checked in the Preferred Network list (or the Remember networks option is checked).

Note: Don't add a Login Window or System profile as they will take precedence over User. User profiles are not Location sensitive. They are per user. You may add additional User profiles as needed.
 

Adding a Login Window profile--recommended method for adding an 802.1X Login Window profile 

If you will be using TLS authentication, before doing anything else you will need to install a user certificate/private key pair. We recommend that this is done by your System Administrator. 

  1. Connect to the network and use the Directory Utility to make sure you're bound to an applicable Server such as Open Directory(OD), or Active Directory (AD) needed for your network homes and authentication.
    This will normally be done over a wired ethernet Network connection.
    For Open Directory you may not have to bind as Mac OS X supports Anonymous binding, and the OD information can be sent via DHCP. This means you can create the connection and log in with an OD account, providing the 802.1X authentication succeeds first and the DHCP server is configured to send the OD server data.
  2. Choose Apple > System Preferences > Network.
  3. From the Location pop-up menu select Edit Locations.
  4. Click Add (+) at the bottom of the Locations, and create a new Location and name it to remind you of what this Location is for, then click Done.
  5. Select the appropriate network service to set up, such as Ethernet or AirPort from the network connection services list, and then click Advanced.
  6. Click the 802.1X tab.
  7. Click Add (+) at the bottom of the profiles list, and choose Add Login Window profile. (If you wish, rename the Untitled profile to something else.)
  8. Leave the User Name and Password blank. Entering them will not affect the connection, but it is superfluous: you will be asked for the User Name and Password during the initial connection to the server when you click Apply, and they will not be used again after that.
  9. Choose a network from the Wireless Network pop-up menu. If you are setting up a 'wireless' 802.1X connection and your wireless network name (SSID) is hidden, you will need to manually type it in exactly. It is case sensitive.
  10. Select and configure the appropriate EAP Authentication types for your network. The default is PEAP and TTLS. Please note that EAP-FAST is not compatible with Login Window mode.
  11. Click OK to save the profile.
  12. Click Apply to save the 802.1X configuration.
  13. You may be prompted to trust a certificate from the server if it was issued from a non-trusted CA, in which case you will see a new entry added in Login keychain.
  14. You'll be asked for your admin password so you can set the required level of trust on that certificate.
  15. If you want to be able to rejoin the network after waking from sleep you also have to ensure the network is checked in the Preferred Network list (or the Remember networks option is checked).

    Note: Don't add a User or System profile to this Location. However you may add additional Login Window profiles as needed.
     

Adding a System profile--recommended method for adding an 802.1X System profile

If you will be using TLS authentication, before doing anything else you will need to install a user or system certificate/private key pair as appropriate. We recommend that this is done by your System Administrator.

  1. Connect to the network and use the Directory Utility to make sure you're bound to an applicable Server such as Open Directory (OD), or Active Directory (AD) needed for your network homes and authentication.
    This will normally be done over a wired ethernet Network connection.
    For Open Directory you may not have to bind as Mac OS X supports Anonymous binding, and the OD information can be sent via DHCP. This means you can create the connection and log in with an OD account, providing the 802.1X authentication succeeds first and the DHCP server is configured to send the OD server data.
  2. Choose Apple > System Preferences > Network.
  3. From the Location pop-up menu select Edit Locations.
  4. Click Add (+) at the bottom of the Locations, and create a new Location and name it to remind you of what this Location is for, then click Done.
  5. Select the appropriate network service to set up, such as Ethernet or AirPort from the network connection services list, and then click Advanced.
  6. Click the 802.1X tab.
  7. Click Add (+) at the bottom of the profiles list, and choose Add System Profile. (If you wish, rename the Untitled profile to something else.)
  8. Enter the User Name and Password.
  9. Choose a network from the Wireless Network pop-up menu. If you are setting up a 'wireless' 802.1X connection and your wireless network name (SSID) is hidden, you will need to manually type it in exactly. It is case sensitive.
  10. Select and configure the appropriate EAP Authentication types for your network. The default is PEAP and TTLS.
  11. Click OK to save the profile.
  12. Click Apply to save the 802.1X configuration.
  13. You may be prompted to trust a certificate from the server if it was issued from a non-trusted CA, in which case you will see a new entry added in Login keychain.
  14. You'll be asked for your admin password so you can set the required level of trust on that certificate.
  15. If you want to be able to rejoin the network after waking from sleep you also have to ensure the network is checked in the Preferred Network list (or the Remember networks option is checked).
     

Note: Don't add a User or Login Window profile to this Location. They will be superseded by the System profile if you do.

For information about configuring 802.1X in Mac OS X 10.4 see this article.
