Connect Apple devices to 802.1X networks
You can securely connect Apple devices to your organization’s 802.1X network. This includes Wi-Fi and Ethernet connections.
Device | Connection method | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
iPhone | Wi-Fi Ethernet (iOS 17 or later) | ||||||||||
iPad | Wi-Fi Ethernet (iPadOS 17 or later) | ||||||||||
Mac | Wi-Fi Ethernet | ||||||||||
Apple TV 4K (3rd generation) Wi-Fi | Wi-Fi Ethernet (tvOS 17 or later) | ||||||||||
Apple TV 4K (3rd generation) Wi-Fi + Ethernet | Wi-Fi Ethernet (tvOS 17 or later) | ||||||||||
Apple Vision Pro | Wi-Fi |
During the 802.1X negotiation, the RADIUS server presents its certificate to the device supplicant automatically. The RADIUS server certificate must be trusted by the supplicant by either anchoring trust to a particular certificate or to a list of expected hostnames matching the certificate’s host. Even when a certificate is issued by a known CA and listed in the trusted root store on the device, it must also be trusted for a particular purpose. In this case the server’s certificate must be trusted for the RADIUS service. This is done either manually, when joining an enterprise network as the user is prompted to trust the certificate for the connected Wi-Fi network, or in a configuration profile.
It’s not necessary to establish a chain of certificate trust in the same profile that contains the 802.1X configuration. For example, an administrator can choose to deploy an organization’s certificate of trust in a standalone profile and can put the 802.1X configuration in a separate profile. This way, modifications to either profile can be managed independently of one another.
Among other parameters, the 802.1X configuration can also specify:
EAP types:
For user name–based and password-based EAP types (such as PEAP): The user name or password can be supplied in the profile. If they aren’t supplied, the user is prompted for them.
For certificate identity–based EAP types (such as EAP-TLS): Select the payload that contains the certificate identity for authentication. This can be an Active Directory Certificate payload (macOS only), an ACME payload, a PKCS #12 identity certificate (.p12 or .pfx) file in the Certificates payload, or an SCEP payload. By default, iOS, iPadOS, and macOS supplicants use the certificate identity common name for the EAP Response Identity it sends to the RADIUS server during 802.1X negotiation. For more information, see Certificate deployment methods using MDM payloads.
Important: For devices with iOS 17, iPadOS 17, macOS 14, or later, support was added for connections to 802.1X networks using EAP-TLS with TLS 1.3 (EAP-TLS 1.3).
Shared iPad EAP credentials: Shared iPad uses the same EAP credential for each user.
Trust:
Trusted certificates: If the RADIUS server’s leaf certificate is supplied in a Certificates payload in the same profile that contains the 802.1X configuration, the administrator can select it here. This configures the client supplicant to connect only to an 802.1X network with a RADIUS server presenting one of the certificates in this list. When configured in this way the 802.1X connection is cryptographically pinned to specific certificates.
Trusted server certificate names: Use this array to configure the supplicant to connect only to RADIUS servers presenting certificates that match these names. This field supports wildcards; for example, *.betterbag.com expects the certificate common names radius1.betterbag.com and radius2.betterbag.com. Wildcards provide administrators with more flexibility when changes to available RADIUS or certificate authority servers occur.
802.1X configurations for Mac
You can also use WPA/WPA2/WPA3 Enterprise authentication at the login window of macOS, so that the user logs in to authenticate to the network. The macOS Setup Assistant also supports 802.1X authentication with user name and password credentials using TTLS or PEAP. For more information, see the Apple Support article Use Login Window Mode for 802.1X authentication to a network.
The types of 802.1X configurations are:
User Mode: This mode, the simplest to configure, is used when a user joins the network from the Wi-Fi menu and authenticates when prompted. The user must accept the RADIUS server’s X.509 certificate and trust for the Wi-Fi connection.
System Mode: System Mode is used for computer authentication. Authentication using System mode occurs before a user logs in to the computer. System Mode is commonly configured to provide authentication with the computer’s X.509 certificate (EAP-TLS) issued by a local certificate authority.
System+User Mode: A System+User configuration is often part of a one-to-one deployment where the computer is authenticated with its X.509 certificate (EAP-TLS). After the user is logged in to the computer, they can join the Wi-Fi network from the Wi-Fi menu and enter their credentials. User credentials might be a user name and passphrase (EAP-PEAP, EAP-TTLS) or a user certificate (EAP-TLS). After the user has connected to the network, their credentials are stored in the login keychain and used to join the network on future connections.
Login Window Mode: This mode is used when the computer is bound to an on-premise local directory service such as Active Directory. When Login Window Mode is configured and a user enters their user name and passphrase at the login window, the user is authenticated to the computer and then to the network using 802.1X authentication. Login Window Mode passes the user name and password credentials only when the Login Window first appears. If the Mac goes to sleep and the WLAN controller idle session time expires, a Mac configured only with Login Window Mode must be restarted or the user must log out. The user can then enter their user name and password again.
Note: System Mode, System+User Mode (required for the System Mode configuration), and Login Window Mode require configuration by an MDM solution. Configure the Network payload settings with the desired Wi-Fi network settings, and apply in-scope to a device or device group for System Mode.
802.1X and Shared iPad
You can use Shared iPad with 802.1X networks. For more information, see Shared iPad and 802.1X networks.