802.1X Network Authentication for Mac

Cannot believe I spent so much time just to figure out how to do 802.1x network authentication for Mac 🙂

So for managing macs, we have two ways of setup 802.1x, one is using Apple Profile Manager to create a configuration profile, and the other way is to use Casper configuration profile.  From the internet, it seems Casper profile has some issues with ethernet profile, so I decided to use the Apple Profile Manger from the Server app.

However no matter what settings I make, it always turned out like this when I install the profile on a test mac:

So I have to choose the Casper configuration route. However if you are using Apple Profile Manager, here is a few points maybe helpful to you:

  1.  On the Certificate Server, you have to type something like this: https://FQDN/certsrv
  2.  The username you use to authenticate with RADIUS server, it can be %ComputerName%$,

Here are a few articles are talking about this method:

https://support.apple.com/en-us/HT204602

https://kevinbecker.squarespace.com/blog/2015/03/26/mac-os-x-wpa2-enterprise-authentication-using-a-microsoft-ca-part-2-2

 

Ok, now let’s talk about doing 802.1x authentication using Casper’s configuration profile.  Here are the settings from my environment:

  1. Upload your root CA certificate on the Certificate Tab;
  2. Setup your AD certificate to acquire your client certificate for your mac;
    2.1 Certificate Authority just the common name of your server is fine:
    2.2 Be careful about “The name of the CA”, you can find your real CA name from this URL:
    https://support.microsoft.com/en-us/help/555529?wa=wsignin1.0%3Fwa%3Dwsignin1.0
  3. On Network tab, create two network, one for wifi, and the other for ethernet.
    it needs to be “Computer Level” under ” General” tab
    Choose the security type your environment is in, for me, it is TLS
    On the Trust tab, choose the root CA, and specify any RADIUS you need to trust, if you list *.FQDN, it will NOT work. You have to manually specify all the FQDN of your RADIUS servers.

    On the username part, it is very important, If you use $COMPUTERNAME like Casper said, it will come out as name.domain.net, however for our RAIDUS server to be recognize, it needs to be something like name$, so we have to use %AD_ComputerID%.

    And then you do the same for ethernet. Some people prefer to create two separate configuration profiles, one for wifi, and the other for ethernet. I did that before, and then found out I will have two same client machine certificate, so I decided to put into one to avoid confusions.

3. If you think you are done, that is far too easy 🙂

If you install the configuration profile, you will see the ethernet will work well, however the wifi won’t work ( in my case, the wifi won’t associate my client machine certificate, so I have to manually link them together).

Here is my script to do a manual configuration profile install and then link them together:

#!/bin/sh

a=$(hostname -s)
b=”.your.domain.name”

/usr/bin/profiles -I -F /private/tmp/network.mobileconfig
security set-identity-preference -c $a$b -s com.apple.network.eap.user.identity.wlan.ssid.”your wifi name”

 

Ok, now you should be all set with 802.1 network authentication for your macs 🙂

Leave a Reply