802.1X networks may use a server-side certificate to establish a secure TLS communication channel between the client and the authentication server. The client ensures that the server’s certificate is trusted before continuing with the authentication process. If you don’t configure your certificate trust settings correctly in a configuration profile, users see a certificate trust dialog when they join your 802.1X-protected network.
This dialog prompts them to verify that the RADIUS server certificate chain information is authentic. If a user unknowingly tries to join a “rogue network” pretending to be your network, they could click through its invalid certificate trust dialog, especially if they don’t know how to verify that the information is authentic. If the user provides their valid credentials to the rogue network, your network’s security could be compromised. If you don’t configure certificate trust for a System mode 802.1X configuration profile, authentication fails because the user can’t be prompted to manually trust the server certificate chain.
Configure Trusted Certificates in a configuration profile
- Identify the certificate chain that your RADIUS server presents when clients try to authenticate. This might be the RADIUS server certificate itself, or an intermediate or root certificate that issued it.
- Add the certificates that you’ve identified to the Certificates payload of the configuration profile.
- In the Network payload of the configuration profile, in the Trust section, find the certificate that you want to anchor trust to. Then mark it as a Trusted Certificate.
For example, if you have a single RADIUS server in your environment, anchor trust to that RADIUS server certificate or to the certificate that issued it. If you have multiple RADIUS servers whose certificates are all issued by the same root or intermediate certificate, anchor trust to that root or intermediate certificate so that all your RADIUS servers are trusted.
These certificate trust settings also allow macOS 802.1X System Mode and Login Window Mode to work.
Configure Trusted Server Names in a configuration profile
You can also configure Trusted Server Names to prevent users from being prompted to trust RADIUS server certificates. Use a case-sensitive value that matches the Common Name of your RADIUS server certificates. The value can also include a wildcard character to identify multiple RADIUS servers within the same domain. For more information, see the EAPClientConfiguration Dictionary in the Apple Developer Configuration Profile Reference.
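The Trusted Certificates steps and the Trusted Server Names setting above both land in the profile’s Wi‑Fi payload, where `PayloadCertificateAnchorUUID` must reference the `PayloadUUID` of a certificate payload in the same profile and `TLSTrustedServerNames` carries the Common Name pattern. The following added example (not Apple’s code) embeds a constructed profile using those key names and lints it for the two failure modes the text describes: an anchor UUID that matches no certificate payload, and a System/Login Window mode network with no anchor at all. Everything in the sample (identifiers, UUIDs, SSID, the placeholder certificate bytes) is made up.

```python
import plistlib
# Payload types that carry a certificate this profile can anchor trust to.
CERT_PAYLOAD_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1"}
# Constructed sample .mobileconfig: one root-certificate payload (placeholder
# DER data) and one System mode Wi-Fi payload that anchors trust to it.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PayloadType</key><string>Configuration</string>
<key>PayloadIdentifier</key><string>com.example.wifi-profile</string>
<key>PayloadUUID</key><string>11111111-1111-1111-1111-111111111111</string>
<key>PayloadContent</key><array>
 <dict>
  <key>PayloadType</key><string>com.apple.security.root</string>
  <key>PayloadIdentifier</key><string>com.example.radius-ca</string>
  <key>PayloadUUID</key><string>22222222-2222-2222-2222-222222222222</string>
  <key>PayloadContent</key><data>UExBQ0VIT0xERVI=</data>
 </dict>
 <dict>
  <key>PayloadType</key><string>com.apple.wifi.managed</string>
  <key>PayloadIdentifier</key><string>com.example.corp-wifi</string>
  <key>PayloadUUID</key><string>33333333-3333-3333-3333-333333333333</string>
  <key>SSID_STR</key><string>CorpWiFi</string>
  <key>EncryptionType</key><string>WPA2</string>
  <key>SetupModes</key><array><string>System</string></array>
  <key>EAPClientConfiguration</key><dict>
   <key>AcceptEAPTypes</key><array><integer>25</integer></array>
   <key>PayloadCertificateAnchorUUID</key><array><string>22222222-2222-2222-2222-222222222222</string></array>
   <key>TLSTrustedServerNames</key><array><string>*.example.com</string></array>
  </dict>
 </dict>
</array></dict></plist>"""

def lint_profile(profile_bytes):
    """Return a list of problems: anchors that point at no certificate payload,
    and System/Login Window mode networks that pin no anchor at all."""
    root = plistlib.loads(profile_bytes)
    cert_uuids = {p["PayloadUUID"] for p in root["PayloadContent"]
                  if p.get("PayloadType") in CERT_PAYLOAD_TYPES}
    problems = []
    for p in root["PayloadContent"]:
        if p.get("PayloadType") != "com.apple.wifi.managed":
            continue
        eap = p.get("EAPClientConfiguration", {})
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        problems += [f"{p['PayloadIdentifier']}: anchor {u} has no certificate payload"
                     for u in anchors if u not in cert_uuids]
        if not anchors and set(p.get("SetupModes", [])) & {"System", "Loginwindow"}:
            problems.append(f"{p['PayloadIdentifier']}: System/Login Window mode without a trust anchor")
    return problems
```

Run `lint_profile` over an exported profile before deploying it; an empty list means every anchor resolves to a certificate that ships in the same profile.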