Configuring Mac OS X 10.7 or later for 802.1X wireless authentication

Mac OS X 10.7 changed the way to create and manage profiles such that configuring 802.1X wireless authentication varies significantly between 10.7 and earlier versions of OS X. This section explains how to configure a Mac OS X 10.7 or later computer for 802.1X wireless authentication.

Before configuring your Mac environment, be certain that the RADIUS server is configured as described in System configuration for 802.1X wireless authentication. That configuration includes a domain root CA certificate or RAS/IAS server certificate, together with a private key; both must be trusted on the Mac computer.

However, there are no manual steps that you must perform to trust these certificates on your Mac computers. As mentioned previously, when a computer is joined to a domain, Access Manager automatically looks for certificates on the domain controller, and adds these certificates and the private key to the system Keychain on the Mac computer.

Through group policy settings you can use these certificates to create two different types of system profiles: an 802.1X Ethernet profile and an 802.1X Wi-Fi profile. Both procedures are described below.

The certificate template — as well as a certificate chain file and private key — are pushed to /var/centrify/net/certs on the Mac computer when it joins the domain. Before you configure the group policy for the Mac computer, if you want to verify that auto-enrollment is operating correctly, you can open a Terminal window on the Mac computer and run a command similar to the following to check that the certificate has been downloaded to the computer:

admin$ ls /var/centrify/net/certs | grep -i auto_
...
auto_TemplateName.cert
auto_TemplateName.chain
auto_TemplateName.key

You should see three auto_ files as shown in the example.
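As an added example (not Centrify's own tooling), the following POSIX shell script carries the check above a little further. It confirms that the three auto_ files exist and, where openssl is available, that the private key actually belongs to the certificate, that the certificate is within its validity period, and that it chains to the CA certificates in the delivered chain file; a profile built from a mismatched key or a truncated chain would fail 802.1X authentication silently. The directory and the auto_<Template>.cert/.chain/.key naming follow this page's description, the security and profiles commands are standard macOS tools assumed to be present on 10.7 or later, and TemplateName is a placeholder for your own certificate template.

```shell
#!/bin/sh
# Added example, not Centrify's own code. Sanity-checks the auto-enrollment
# artifacts that the 802.1X profile scripts consume. Assumes the layout this
# page describes: /var/centrify/net/certs holding auto_<Template>.cert,
# auto_<Template>.chain and auto_<Template>.key (all assumed to be PEM).
# Usage: sh check_autoenroll.sh TemplateName   (TemplateName is a placeholder)

CERT_DIR="${CERT_DIR:-/var/centrify/net/certs}"

# Return 0 when cert, chain and key for the template are all present; list them.
check_autoenroll_files() {
    dir="$1"; tmpl="$2"; rc=0
    for ext in cert chain key; do
        f="$dir/auto_$tmpl.$ext"
        if [ -f "$f" ]; then
            echo "found   $f"
        else
            echo "MISSING $f" >&2
            rc=1
        fi
    done
    return $rc
}

# Return 0 when the private key's public half equals the certificate's public
# key, 1 on mismatch or unreadable input, 2 when openssl is not installed.
check_key_matches_cert() {
    cert="$1"; key="$2"
    command -v openssl >/dev/null 2>&1 || return 2
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the certificate has not passed its notAfter date.
check_cert_not_expired() {
    command -v openssl >/dev/null 2>&1 || return 2
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Return 0 when the machine certificate verifies against the CA certificates
# in the chain file (the chain file is used as the trust anchor set).
check_cert_chains() {
    command -v openssl >/dev/null 2>&1 || return 2
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

main() {
    tmpl="$1"
    check_autoenroll_files "$CERT_DIR" "$tmpl" || exit 1
    cert="$CERT_DIR/auto_$tmpl.cert"
    key="$CERT_DIR/auto_$tmpl.key"
    chain="$CERT_DIR/auto_$tmpl.chain"
    if check_key_matches_cert "$cert" "$key"; then
        echo "private key matches certificate"
    else
        echo "WARNING: key/certificate check failed or skipped" >&2
    fi
    if check_cert_not_expired "$cert"; then
        echo "certificate is within its validity period"
    else
        echo "WARNING: certificate expired or check skipped" >&2
    fi
    if check_cert_chains "$cert" "$chain"; then
        echo "certificate chains to the delivered CA chain"
    else
        echo "WARNING: chain verification failed or skipped" >&2
    fi
    # On the Mac itself, also show what Access Manager put in the System
    # keychain and which configuration profiles the policy script installed.
    if [ "$(uname)" = Darwin ]; then
        security find-certificate -a -p /Library/Keychains/System.keychain 2>/dev/null |
            grep -c 'BEGIN CERTIFICATE' | sed 's/^/certificates in System keychain: /'
        profiles -P 2>/dev/null || true
    fi
}

# Run only when given a template name, so the functions can also be sourced.
if [ -n "${1:-}" ]; then
    main "$1"
fi
```

Run it as root after the computer has joined the domain; a MISSING line means auto-enrollment has not delivered that artifact yet, and a key/certificate mismatch usually means the template on the domain controller was re-issued after the files were pushed.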

To configure Mac OS X 10.7 or later to create an 802.1X Ethernet profile

  1. On a Windows computer, open the Group Policy Management Editor and edit a group policy object that applies to Mac computers.
  2. Expand Computer Configuration > Policies > User Configuration > Policies > Centrify Settings > Mac OS X Settings > 802.1X Settings, and double-click Enable Ethernet Profile.
  3. Select Enable, then click Add.
  4. Type the name of the auto-enrollment machine certificate that has been pushed down from the Windows domain server.

    When pushed to a Mac computer, certificate names are prepended with auto_; for example:

    auto_Centrify-1X

    This group policy runs a script that looks for the specified certificate template in the /var/centrify/net/certs directory (which contains the certificate templates pushed down to Mac computers when they join the domain) and creates an Ethernet profile from this certificate.

  5. Click OK to save the profile information and OK again to save the policy setting.

    Note: This group policy will take effect at the next group policy update interval, or you can run adgpupdate in a Terminal window on the Mac computer to have the policy take effect immediately.

When the group policy takes effect, it runs a script to create an Ethernet profile for the computer from the certificate template and private key downloaded from the domain controller. This policy supports the TLS protocol for certificate-based authentication. The Mac computer is now configured for access to the RADIUS-protected network.

On the Mac computer you can view the profile in System Preferences.

To configure Mac OS X 10.7 or later to create an 802.1X WiFi profile

  1. On a Windows computer, open the Group Policy Management Editor and edit a group policy object that applies to Mac computers.
  2. Expand Computer Configuration > Policies > User Configuration > Policies > Centrify Settings > Mac OS X Settings > 802.1X Settings, and double-click Enable Wi-Fi Profile.
  3. Select Enable, then click Add.
  4. Enter the following information for the Wi-Fi profile:
    Select this       To do this

    SSID              Type the SSID for the wireless network.

    Template name     Type the name of the auto-enrollment machine certificate that has been pushed down from the Windows domain server. When pushed to a Mac computer, certificate names are prepended with auto_; for example: auto_Centrify-1X. This group policy runs a script that looks for the specified certificate template in the /var/centrify/net/certs directory (which contains the certificate templates pushed down from the domain controller) and creates a Wi-Fi profile from this certificate.

    Security type     Select the security type from the drop-down list.

    Other options     Select one or more of the following options:
                      • Auto join: Select this option to have the computer automatically join a Wi-Fi network that it recognizes. Leave it cleared if the logged-in user must join the Wi-Fi network manually.
                      • Hidden network: Select this option if the Wi-Fi network does not broadcast its SSID.
  5. Click OK to save the profile information and OK again to save the policy setting.

Note: This group policy will take effect at the next group policy update interval, or you can run adgpupdate in a Terminal window on the Mac computer to have the policy take effect immediately.

When the group policy takes effect, it runs a script to create a Wi-Fi profile for the computer from the certificate template and private key downloaded from the domain controller. This policy supports WEP or WPA/WPA2 security with the TLS protocol for certificate-based authentication. The Mac computer is now configured for access to the RADIUS-protected wireless network.

On the Mac computer you can view the profile in System Preferences.