Connecting Apple devices to 802.1X networks
During the 802.1X negotiation, the RADIUS server presents its certificate to the device supplicant automatically. Be sure that the certificate trust is valid so that the connection is properly validated and the user isn’t presented with a certificate trust error dialog. If the RADIUS server’s certificate isn’t issued from a certification authority (CA) that’s trusted by the operating system by default, trust must be established in a configuration profile. You may need to include intermediate certificates as well as the root CA certificate.
It’s not necessary to establish a chain of certificate trust in the same profile that contains the 802.1X configuration. For example, an administrator can choose to deploy an institution’s certificate of trust in a standalone profile and can put the 802.1X configuration in a separate profile. This way, modifications to either profile can be managed independently of one another.
To create an 802.1X configuration using configuration profiles, use an MDM solution or Apple Configurator 2. In addition to creating the parameters for a typical Wi-Fi network, there are some additional configurations:
Security Type: WPA2 Enterprise or WPA3 Enterprise
For user name-based or password-based EAP types (such as PEAP): The user name or password can be supplied in the profile. If they aren’t supplied, the user is prompted for them.
For certificate identity-based EAP types (such as EAP-TLS): Select the payload that contains the certificate identity for authentication. This can be a PKCS #12 identity certificate (.p12 or .pfx) file in the Certificates payload, a SCEP payload, or an Active Directory Certificate payload (macOS only). By default, iOS and macOS supplicants use the certificate identity's common name as the EAP Response Identity they send to the RADIUS server during 802.1X negotiation.
Trusted Certificates: If the RADIUS server's leaf certificate is supplied in a Certificates payload in the same profile that contains the 802.1X configuration, the administrator can select it here. This configures the client supplicant to connect only to an 802.1X network whose RADIUS server presents one of the certificates in this list.
Trusted Server Certificate Names: Use this array to configure the supplicant to connect only to RADIUS servers presenting certificates that match these names. This field supports wildcards; for example, *.example.com matches certificates with the common names radius1.example.com and radius2.example.com.
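The three settings above map onto keys of the com.apple.wifi.managed payload in a configuration profile. The following is an added example, not Apple's code: it builds an EAP-TLS Wi-Fi payload with plistlib that anchors the RADIUS server's chain to a CA certificate payload and restricts accepted server names, and it includes an illustrative name matcher. The payload keys are real; the UUIDs, identifiers and SSID are constructed, and the matcher assumes that a wildcard stands for exactly one DNS label.

```python
# Added example (not Apple's code): build a com.apple.wifi.managed payload for an
# EAP-TLS 802.1X network and check a server name against the trusted-name list.
# The payload keys are real; UUIDs, identifiers and SSID are constructed values.
import plistlib
import uuid

ROOT_CA_UUID = str(uuid.uuid4())   # constructed: UUID of the CA certificate payload
IDENTITY_UUID = str(uuid.uuid4())  # constructed: UUID of the PKCS #12 identity payload

def wifi_8021x_payload(ssid, trusted_server_names):
    """Return one Wi-Fi payload dict pinning the RADIUS server by CA anchor and name."""
    return {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi.8021x",  # constructed
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Corporate Wi-Fi (EAP-TLS)",
        "SSID_STR": ssid,
        "EncryptionType": "WPA2",
        # Identity the supplicant presents: the PKCS #12 identity payload's UUID.
        "PayloadCertificateUUID": IDENTITY_UUID,
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [13],  # 13 = EAP-TLS
            # Anchor the RADIUS server's certificate chain to the institution's CA payload.
            "PayloadCertificateAnchorUUID": [ROOT_CA_UUID],
            # Accept only server certificates whose names match this list.
            "TLSTrustedServerNames": list(trusted_server_names),
            # Do not let the user click through a server trust failure.
            "TLSAllowTrustExceptions": False,
        },
    }

def to_profile_xml(payload):
    """Wrap the payload in a top-level configuration profile and serialize it as XML."""
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": "com.example.profile.wifi",  # constructed
                           "PayloadUUID": str(uuid.uuid4()),
                           "PayloadContent": [payload]})

def server_name_allowed(presented_cn, trusted_server_names):
    """Illustrative matcher (assumption: '*' stands for exactly one DNS label, so
    *.example.com accepts radius1.example.com but not a.radius1.example.com)."""
    cn = presented_cn.lower().split(".")
    for pattern in trusted_server_names:
        labels = pattern.lower().split(".")
        if len(labels) == len(cn) and all(p in ("*", c) for p, c in zip(labels, cn)):
            return True
    return False
```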