
Creating and Exporting a Wired 802.1X profile using iPhone Configuration Utility


Starting in OS X 10.7, a user will automatically be prompted for their network username and password when connecting to an 802.1X Ethernet port.  If a self-signed certificate is used on the RADIUS server, the user will be prompted to accept the certificate.  To prevent users from accepting a malicious certificate, administrators may wish to push the Domain CA Certificate to end-users.  This can be accomplished using Apple's iPhone Configuration Utility, which you can download from Apple's support website.  The steps below walk you through creating and exporting a profile using Apple's iPhone Configuration Utility to distribute your Domain CA certificate for use in a wired 802.1X Ethernet environment.

1. Exporting the Root Certificate from Windows 2008 Server

2. Creating a profile with iPhone Configuration Utility

3. Installing the profile on Mac Clients

 1. Exporting the Root Certificate from Windows 2008 Server

a) On your Domain Certificate Authority Server, navigate to start > run.  Type mmc in the text box and press OK.
b) In the mmc window, go to File > Add/remove snap-in.
c) Select the certificates option from the available snap-ins and press Add.
d) In the dialog that appears, select computer account and press next.
e) Select local computer and press Finish then press OK.
f) In the left pane, navigate to Certificates > Trusted Root Certificates > Certificates. See figure 1.
g) Right click on the Root CA for your Active Directory Domain and select All Tasks > Export.
h) In the Export Wizard select the format DER encoded binary X.509 (.CER) and press next.
i) Give the certificate a name and save it to the desktop.  You will need to upload this certificate to the iPhone Configuration Utility in the next section.

Figure 1 - Exporting Root CA Certificate


2. Creating a Profile with iPhone Configuration Utility

 

 

a) Launch the iPhone Configuration Utility and select Configuration Profiles from the left pane.
b) Press the New button to create a new profile.
c) In the main window, navigate to General and enter a descriptive name and unique identifier for the profile (e.g. 802.1X Profile).
d) Navigate to Credentials and select configure.  Upload the Root CA certificate you exported in step 1g above.
e) Navigate to the option Wi-Fi and press the configure button. (Note: Even though it is labeled Wi-Fi, the Mac client can use the 802.1X configurations set here for wired connections.)
f) Enter a descriptive name and deselect the auto join check box.
g) Select security type WPA/WPA2 Enterprise.
h) On the bottom of the Wi-Fi page you will see 3 tabs: Protocols, Authentication, and Trust.  Under the Protocols tab, select the option for PEAP.  See figure 2 for a sample configuration.
i) Click on the Trust tab and select the CA Certificate we uploaded earlier in step 2d.
j) To save the profile to a file, press the Export button on the top left of the dialog.  You can now distribute the .mobileconfig file to your Mac clients.

Figure 2 - iPhone Configuration Utility 
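
Before distributing the exported file, it is worth confirming that it really carries the PEAP setting and the trusted CA selected in steps 2h and 2i. The Python check below is an added example, not part of the original article or of Apple's tooling; it assumes the profile was exported unsigned (plain XML plist) and runs on constructed sample data with placeholder certificate bytes and a hypothetical UUID.

```python
import hashlib
import plistlib

PEAP = 25  # IANA EAP method number for PEAP
CERT_TYPES = ("com.apple.security.root", "com.apple.security.pkcs1")

def audit_profile(data: bytes) -> list:
    """Check each 802.1X payload of an unsigned .mobileconfig for PEAP and a pinned CA."""
    payloads = plistlib.loads(data).get("PayloadContent", [])
    # Certificate payload UUID -> SHA-256 fingerprint of the embedded DER certificate
    certs = {p["PayloadUUID"]: hashlib.sha256(p["PayloadContent"]).hexdigest()
             for p in payloads if p.get("PayloadType") in CERT_TYPES}
    findings = []
    for p in payloads:
        if p.get("PayloadType") != "com.apple.wifi.managed":
            continue
        eap = p.get("EAPClientConfiguration", {})
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        pinned = [certs[u] for u in anchors if u in certs]
        dangling = [u for u in anchors if u not in certs]
        peap = PEAP in eap.get("AcceptEAPTypes", [])
        findings.append({
            "name": p.get("PayloadDisplayName", "(unnamed)"),
            "peap": peap,
            "pinned_ca_sha256": pinned,      # compare with the fingerprint of your exported .cer
            "dangling_anchors": dangling,    # anchors that reference no certificate in the profile
            # Without a pinned CA the user is still asked to accept whatever
            # certificate the RADIUS server presents.
            "ok": peap and bool(pinned) and not dangling,
        })
    return findings

# Constructed sample input: placeholder bytes stand in for the exported .cer file.
SAMPLE_CA_DER = b"constructed placeholder, not a real certificate"

def sample_profile(trust_selected: bool = True) -> bytes:
    """Build a minimal constructed profile; the UUID is a hypothetical value."""
    eap = {"AcceptEAPTypes": [PEAP]}
    if trust_selected:
        eap["PayloadCertificateAnchorUUID"] = ["CA-UUID-EXAMPLE"]
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadDisplayName": "802.1X Profile",
        "PayloadContent": [
            {"PayloadType": "com.apple.security.root", "PayloadUUID": "CA-UUID-EXAMPLE",
             "PayloadContent": SAMPLE_CA_DER},
            {"PayloadType": "com.apple.wifi.managed", "PayloadDisplayName": "Wired 802.1X",
             "EncryptionType": "WPA", "EAPClientConfiguration": eap},
        ]})

if __name__ == "__main__":
    for finding in audit_profile(sample_profile()):
        print(finding)
```

To audit a real export, pass the file's bytes to `audit_profile` and compare `pinned_ca_sha256` with the SHA-256 of the .cer file saved in section 1.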


 

3. Installing the profile on Mac Clients

 

 

a) On the Mac client, click the .mobileconfig file we created above in section 2.
b) Press Continue twice to confirm installation of the profile.
c) The user will then be prompted to enter their network username and password.
d) Once the profile is correctly installed, when connected to an Ethernet port configured for 802.1X, a dialog will appear requesting the 802.1X configuration to use.  Select the newly added configuration and press Connect.  See figure 3.

Figure 3 - Dialog for selecting 802.1X Profile


You have successfully exported your CA root certificate and distributed and installed the .mobileconfig profile to your Mac users.  Mac users will now be able to connect to your 802.1X enabled switch ports.  
Last modified
19:20, 2 Feb 2015

Article ID

ID: 1153
