Starting in OS X 10.7, a user will automatically be prompted for their network username and password when connecting to an 802.1X Ethernet port. If a self-signed certificate is used on the RADIUS server, the user will be prompted to accept the certificate. To prevent users from accepting a malicious certificate, administrators may wish to push the Domain CA certificate to end users. This can be accomplished using Apple's iPhone Configuration Utility, which you can download from Apple's support website. The steps below walk you through creating and exporting a profile using Apple's iPhone Configuration Utility to distribute your Domain CA certificate for use in a wired 802.1X Ethernet environment.
Exporting the Root Certificate from Windows 2008 Server
- On your Domain Certificate Authority Server, navigate to start > run. Type mmc in the text box and press OK.
- In the mmc window, go to File > Add/remove snap-in.
- Select the certificates option from the available snap-ins and press Add.
- In the dialog that appears, select computer account and click next.
- Select local computer and press Finish then press OK.
- In the left pane, navigate to Certificates > Trusted Root Certificates > Certificates.
- Right-click on the Root CA for your Active Directory Domain and select All Tasks > Export.
- In the Export Wizard select the format DER encoded binary X.509 (.CER) and press next.
- Give the certificate a name and save it to the desktop. You will need to upload this certificate to the iPhone Configuration Utility in the next section.
Creating a Profile with iPhone Configuration Utility
- Launch the iPhone Configuration Utility and select Configuration Profiles from the left pane.
- Press the New button to create a new profile.
- In the main window, navigate to General and enter a descriptive name and unique identifier for the profile (e.g. 802.1X Profile).
- Navigate to Credentials and select Configure.
- Upload the Root CA certificate you exported above.
- Navigate to the option Wi-Fi and press the configure button (Note: Even though it is labeled Wi-Fi, the Mac client can use the 802.1X configurations set here for wired connections)
- Enter a descriptive name and deselect auto join check box.
- Select security type WPA/WPA2 Enterprise.
- On the bottom of the Wi-Fi page you will see 3 tabs: Protocols, Authentication, and Trust. Under the Protocols tab, select the option for PEAP.
- Click on the Trust tab and select the CA certificate we uploaded earlier.
- To save the profile to a file, press the Export button on the top left of the dialog. You can now distribute the .mobileconfig file to your Mac clients.
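The exported .mobileconfig is an XML property list containing a root-certificate payload and a Wi-Fi (802.1X) payload whose trust anchor points at that certificate's UUID. The following script is an added example, not code from the page or from Apple; it builds the same two payloads with the standard library and includes a hypothetical pre-distribution check that the PEAP trust anchor really references the CA payload (so clients trust only your Domain CA rather than any presented certificate). Payload keys follow Apple's configuration profile format; the helper names are assumptions.

```python
import plistlib
import uuid


def build_profile(der_cert: bytes, display_name: str, identifier: str, ssid: str) -> dict:
    """Hypothetical helper: the profile as a dict; der_cert is the DER (.cer) export from the CA."""
    cert_uuid = str(uuid.uuid4()).upper()
    wifi_uuid = str(uuid.uuid4()).upper()
    cert_payload = {
        "PayloadType": "com.apple.security.root",  # the Credentials pane in the utility
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier}.ca",
        "PayloadUUID": cert_uuid,
        "PayloadDisplayName": "Domain Root CA",
        "PayloadContent": der_cert,  # plistlib serialises bytes as <data>
    }
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",  # Wi-Fi pane; Macs use it for wired 802.1X too
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier}.wifi",
        "PayloadUUID": wifi_uuid,
        "PayloadDisplayName": ssid,
        "SSID_STR": ssid,
        "AutoJoin": False,  # the guide deselects "auto join"
        "EncryptionType": "WPA",  # Apple's "WPA" value covers WPA/WPA2 Enterprise
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [25],  # EAP type 25 = PEAP (Protocols tab)
            "PayloadCertificateAnchorUUID": [cert_uuid],  # Trust tab: trust only our CA
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadContent": [cert_payload, wifi_payload],
    }


def to_mobileconfig(profile: dict) -> bytes:
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def load_profile(blob: bytes) -> dict:
    return plistlib.loads(blob)


def anchor_matches_cert(profile: dict) -> bool:
    """Pre-distribution check: the Wi-Fi payload must pin trust to the CA payload's UUID."""
    payloads = {p["PayloadType"]: p for p in profile["PayloadContent"]}
    anchors = payloads["com.apple.wifi.managed"]["EAPClientConfiguration"]["PayloadCertificateAnchorUUID"]
    return anchors == [payloads["com.apple.security.root"]["PayloadUUID"]]
```

Feed `build_profile` the bytes of the .cer file exported in the first section and write the result of `to_mobileconfig` to a file ending in .mobileconfig; unsigned profiles built this way are still installable on the client but will show as unverified.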
Installing the Profile on Mac Clients
- On the Mac client click the .mobileconfig file created above.
- Press Continue twice to confirm installation of the profile.
- The user will then be prompted to enter their network username and password.
- Once the profile is correctly installed, when connected to an Ethernet port configured for 802.1X, a dialog will appear requesting the 802.1X configuration to use. Select the newly added configuration and press Connect.
You have successfully exported your CA root certificate and distributed and installed the .mobileconfig profile to your Mac users. Mac users will now be able to connect to your 802.1X enabled switch ports.