System configuration for 802.1X wireless authentication

The following table summarizes the environment that is needed for 802.1X wireless authentication:

Environment Components / Configuration

Windows side

Windows Server 2003 R2 Enterprise Edition Domain Controller (supports PEAP) with Internet Authentication Service (IAS) installed; on Windows server 2003, RADIUS server is part of IAS.


Windows Server 2008 R2 Enterprise Edition Domain Controller (supports PEAP/TLS) with Network Policy Server (NPS) installed; on Windows Server 2008, Radius server is part of NPS.

Active Directory on the Windows Server

Group Policy Management Console (GPMC), which is required to configure 802.1x group policies and deploy certificates.

Certificate Services, which is required to obtain the required certificates.

Access Manager console 5.1.x or later, which is required to set group policies that apply to Mac computer.

Mac side

DirectControl agent 5.0.1-171 or later to enforce group policies on the Mac computer.

Wireless access point device

Supports 802.1x wireless authentication through one of these protocols:

  • WPA Enterprise
  • WPA2 Enterprise
  • 802.1X WEP (the name can be different, for example, RADIUS)

Note:   Although it is possible to configure other RADIUS servers for 802.1X wireless authentication, or use other protocols, this document focuses on the Microsoft RADIUS server and the PEAP and TLS protocols.

The assumption of this document is that you have a RADIUS server properly configured for 802.1X wireless authentication and can now proceed to configure your Mac environment. The following is a list of how the RADUIS server must be configured to support 802.1X wireless authentication on Mac OS X. Click a link if you have questions about whether your RADIUS server is configured properly with regard to any particular item:

Of course, there are other configuration steps that are required to set up a RADIUS server, such as configuring the RADIUS client and configuring a remote access policy, however, the important consideration for Mac 802.1X authentication is that the specified certificate and private key have been created and deployed to the domain. When a Mac computer joins a Windows domain, Access Manager automatically finds certificates on the Domain Controller and adds them as trusted certificates to Keychain Access on the Mac computer.

Once you are certain that the RADIUS server is properly configured, you can configure your Mac environment; see the following section for instructions on configuring OS X 10.7 or later.