Configuring 802.1X in Mac OS X Lion and Later

Written By Eric Sandler

Configuring wireless network settings in Mac OS X Lion is a bit different than in older versions of the Mac OS. Our wireless networking guru walks users through the changes.

If you upgraded to Mac OS X 10.7 Lion (or later) from 10.6 Snow Leopard (or earlier) and connect to Wi-Fi networks at work or school that use WPA/WPA2-Enterprise security, you may notice a difference when configuring your network settings.

Apple actually removed the capability to manually define the 802.1X authentication settings (required for the Enterprise security) from the user interface. It’s not what you might be used to dealing with in Mac OS X 10.6 and earlier. You’ll still see an 802.1X tab in the Wi-Fi settings, but it only lets you view 802.1X profiles that have been imported, and select between them if there are multiple profiles.

However, you can certainly still connect to Wi-Fi networks using Enterprise security with 802.1X authentication. Manual configuration might not even be needed, depending on the EAP protocol and the configuration of the network’s authentication server, provided you want to use the basic user login method.


Connecting without Manual Configuration

First, simply try connecting to the network by selecting it from the list on the AirPort menu in the upper-right corner of the desktop, like you would to connect to any Wi-Fi network. You should then be prompted to enter the network credentials, your username and your password (provided by the network administrator). For the first connection, you’ll be prompted to verify the server certificate and asked to enter your Mac OS X account password to save the trust setting.


Ask an Administrator for a Configuration File

If the authentication server’s configuration doesn’t support simple connections, or you want to use the Login Window or System methods provided by Mac OS X, you’ll have to configure the settings manually.

First, ask the network administrator if he or she has a .mobileconfig file with the 802.1X settings that they can give you. If so, you can simply open that file in Mac OS X to install the 802.1X profile.


Create a Configuration File

If the network administrator doesn’t have a .mobileconfig file, you can create one using the iPhone Configuration Utility (iPCU) provided free of charge from Apple, which also creates and manages configurations for iOS devices — iPhones, iPod Touches, and iPads.

It installs and runs on Mac OS X or Windows. Keep in mind that it’s best to install and use the iPCU on a computer that’s already successfully connected to the network, since it should have the authentication server’s CA digital certificate installed. If you are the administrator, you can use the iPCU as well, or if you have a Lion server you can use its Profile Manager service.

You can use the iPCU to create profiles for specific users, groups, or use one profile for all. To get started, open iPCU, select Configuration Profiles, and click the New button.

Start by entering the General settings. Next, select the Credentials settings and then click the Configure button to add the authentication server’s CA certificate (and a client certificate if using a protocol like EAP-TLS). If you don’t see the desired certificates, make sure they’re installed onto the computer.

Tip: If you’re not a network admin, and you don’t understand which certificate(s) to add, refer to any connection or configuration instructions provided by the administrators. Even if written for Windows or Mac OS X 10.6 or earlier, they may give you hints about the required certificate(s) and other settings.

Now, select the Wi-Fi settings and click the Configure button. Then set the basic Wi-Fi and security settings. Once you select WPA/WPA2 Enterprise for the Security Type, you’ll see the Enterprise settings.

On the Protocols tab of the Enterprise Settings, select the desired EAP Type (PEAP is the most popular). On the Authentication tab of the Enterprise settings, you can optionally enter the Username and Password if creating the profile for a specific user; otherwise leave blank so the user is prompted for them.

On the Trust tab, ensure you select your authentication server’s CA certificate. For increased security, you should also add a Trusted Server Certificate Name and uncheck the Allow Trust Exceptions option. If a client/user certificate is also required, such as with EAP-TLS, upload an Identity Certificate on the Authentication tab.

Once you’re done, you can email the configuration file by clicking Share, or you can manually distribute the file by clicking Export. When a user opens or downloads the .mobileconfig file, she’ll be prompted to start the installation process.
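What the iPCU steps above actually produce is an XML property list. The Python below is an added example (not code from the article, from Apple, or from iPCU) that builds an equivalent 802.1X Wi-Fi profile with plistlib and then audits it for the Trust tab settings the article recommends: a trusted server certificate name, trust exceptions disabled, and server trust anchored to the CA carried in the profile. Payload keys follow Apple’s Configuration Profile Reference (com.apple.wifi.managed, EAPClientConfiguration, SetupModes); the SSID, server name, organization, identifiers and certificate bytes are constructed sample values, and the `audit_profile` function is an assumption about what a reviewer would check, not an Apple tool.

```python
"""Build and audit a minimal 802.1X Wi-Fi .mobileconfig profile with plistlib.

Added example, not code from the article or from Apple's iPCU. Payload keys follow
Apple's Configuration Profile Reference; SSID, server name, organization and
certificate bytes are constructed sample values.
"""
import plistlib
import uuid

# IANA EAP method numbers as used in AcceptEAPTypes.
EAP_TLS = 13
EAP_TTLS = 21
EAP_PEAP = 25

# Constructed stand-in for the authentication server's DER-encoded CA certificate.
# A real profile carries the actual certificate bytes here.
SAMPLE_CA_DER = b"\x30\x03\x02\x01\x00"


def build_profile(ssid, eap_type, ca_der, trusted_server_name=None,
                  allow_trust_exceptions=False, username=None, setup_modes=None):
    """Return a profile dict equivalent to what iPCU exports as a .mobileconfig file.

    A certificate payload carries the CA; the Wi-Fi payload's EAPClientConfiguration
    pins trust to that payload, names the expected server certificate, and by default
    disables trust exceptions (the article's Trust tab advice).
    """
    ca_uuid = str(uuid.uuid4())
    cert_payload = {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.ca." + ca_uuid,  # constructed identifier
        "PayloadUUID": ca_uuid,
        "PayloadDisplayName": "Authentication server CA",
        "PayloadContent": ca_der,
    }
    eap = {
        "AcceptEAPTypes": [eap_type],
        # "Allow Trust Exceptions" checkbox: False means the user cannot click
        # through an unexpected server certificate at connection time.
        "TLSAllowTrusted": allow_trust_exceptions,
        # Anchor trust to the CA payload above instead of the system root store.
        "PayloadCertificateAnchorUUID": [ca_uuid],
    }
    if trusted_server_name:
        # "Trusted Server Certificate Name": the name the RADIUS server must present.
        eap["TLSTrustedServerNames"] = [trusted_server_name]
    if username:
        # Leave UserName/UserPassword out of a shared profile so the user is prompted.
        eap["UserName"] = username
    if setup_modes:
        # macOS connection modes: any of "System", "Loginwindow", "User".
        eap["SetupModes"] = list(setup_modes)
    wifi_uuid = str(uuid.uuid4())
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi." + wifi_uuid,
        "PayloadUUID": wifi_uuid,
        "PayloadDisplayName": "Wi-Fi (" + ssid + ")",
        "SSID_STR": ssid,
        "AutoJoin": True,
        "EncryptionType": "WPA",        # WPA/WPA2
        "EAPClientConfiguration": eap,  # this dict is what makes it Enterprise
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.8021x",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "802.1X Wi-Fi",
        "PayloadOrganization": "Example Org",
        "PayloadContent": [cert_payload, wifi_payload],
    }


def to_mobileconfig(profile):
    """Serialize the profile to XML plist bytes, ready to save as .mobileconfig."""
    return plistlib.dumps(profile)


def load_profile(data):
    """Parse .mobileconfig bytes back into a dict (e.g. a file an admin sent you)."""
    return plistlib.loads(data)


def audit_profile(profile):
    """List Enterprise Wi-Fi payloads missing the hardening from the Trust tab."""
    findings = []
    cert_uuids = {p["PayloadUUID"] for p in profile["PayloadContent"]
                  if p["PayloadType"] in ("com.apple.security.root",
                                          "com.apple.security.pkcs1")}
    for p in profile["PayloadContent"]:
        if p["PayloadType"] != "com.apple.wifi.managed":
            continue
        eap = p.get("EAPClientConfiguration")
        if eap is None:
            continue  # personal (PSK/open) network, nothing to audit
        ssid = p.get("SSID_STR", "?")
        # Apple's default for TLSAllowTrusted is true, so a missing key is a finding.
        if eap.get("TLSAllowTrusted", True):
            findings.append(ssid + ": trust exceptions are allowed")
        if not eap.get("TLSTrustedServerNames"):
            findings.append(ssid + ": no trusted server certificate name set")
        anchors = set(eap.get("PayloadCertificateAnchorUUID", []))
        if not anchors or not anchors <= cert_uuids:
            findings.append(ssid + ": server trust not anchored to a CA in this profile")
    return findings


if __name__ == "__main__":
    hardened = build_profile("CorpWiFi", EAP_PEAP, SAMPLE_CA_DER,
                             trusted_server_name="radius.example.com",
                             setup_modes=["System", "User"])
    print(to_mobileconfig(hardened).decode())
    print("findings:", audit_profile(load_profile(to_mobileconfig(hardened))))
```

Running the script prints the plist and an empty findings list; passing `allow_trust_exceptions=True` or omitting `trusted_server_name` reproduces the two weaker configurations the article warns against, and `audit_profile` flags each of them. The same audit can be pointed at a `.mobileconfig` an administrator hands you before you install it.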
