Connecting Apple devices to 802.1X networks
You can securely connect Apple devices to your organization’s 802.1X network.
During the 802.1X negotiation, the RADIUS server presents its certificate to the device supplicant automatically. Be sure that the certificate trust is valid so that the connection is properly validated and the user isn’t presented with a certificate trust error dialog. If the RADIUS server’s certificate isn’t issued from a certification authority (CA) that’s trusted by the operating system by default, trust may be established in a configuration profile. You may need to include intermediate certificates as well as the root CA certificate.
It’s not necessary to establish a chain of certificate trust in the same profile that contains the 802.1X configuration. For example, an administrator can choose to deploy an institution’s certificate of trust in a standalone profile and can put the 802.1X configuration in a separate profile. This way, modifications to either profile can be managed independently of one another.
To create an 802.1X configuration using configuration profiles, use an MDM solution or Apple Configurator 2. In addition to creating the parameters for a typical Wi-Fi network, there are some additional configurations:
Security type: WPA2 Enterprise or WPA3 Enterprise
For user name-based and password-based EAP types (such as PEAP): The user name or password can be supplied in the profile. If they aren’t supplied, the user is prompted for them.
For certificate identity-based EAP types (such as EAP-TLS): Select the payload that contains the certificate identity for authentication. This can be a PKCS #12 identity certificate (.p12 or .pfx) file in the Certificates payload, a SCEP payload, or an Active Directory Certificate payload (macOS only). By default, iOS and macOS supplicants use the certificate identity common name for the EAP Response Identity it sends to the RADIUS server during 802.1X negotiation.
Shared iPad EAP credentials: Shared iPad uses the same EAP credential for each user.
Trusted certificates: If the RADIUS server’s leaf certificate is supplied in a certificates payload in same profile that contains the 802.1X configuration, the administrator can select it here. This configures the client supplicant to connect only to an 802.1X network with a RADIUS server presenting one of the certificates in this list.
Trusted server certificate names: Use this array to configure the supplicant to connect only to RADIUS servers presenting certificates that match these names. This field supports wildcards; for example, *.example.com expects the certificate common names radius1.example.com and radius2.example.com.
Deploying an 802.1X configuration for macOS
In macOS, the device supplicant operates in one of three modes. These are:
User Mode: The most basic and is used when the user joins the network and then authenticates when prompted.
System Mode: Used for computer authentication and occurs even when a user isn’t logged in to the Mac.
Login Window Mode: Used when the Mac is bound to an external directory, such as Active Directory.
When Login Window Mode is configured and a user types in a user name and password at the login window, two things happen. First, the login window authenticates the computer with 802.1X to the network using the user name and password the user entered. Next, after 802.1X authentication is successful, login window authenticates the same user name and password to the external directory.
System Mode and Login Window Mode require configuration by an MDM solution. Configure the Network payload settings with the desired Wi-Fi network settings and apply in-scope to a device or device group for System Mode.