2

I need to learn how to configure macOS to use EAP-TLS authentication without using an MDM.

I only have one Mac device on the network, which is used by the owner. I don't want to use third-party software.

I just need to know how to import the certificates and how to configure a wireless EAP-TLS connection manually.

My network only supports Windows, uses AD CS to create certificates and provision the stations via policy. Since it's a Mac, I'll do this routine manually.

6
  • It's been too long since I've done this and things have probably changed but here's what I remember. If your AD server has certificate services configured, you can point Safari at the /certsrv/ URL on your AD server and follow the flow to have the AD server issue a user cert that you download as a PKCS#7 .pem or .cer or .crt file, which you double-click to import into the user's Keychain. Then select the 802.1X-protected Wi-Fi network from the Wi-Fi menu, and when prompted for 802.1X credentials, select EAP-TLS and select your cert which should be in the pop-up if all went well.
    – Spiff
    Commented Apr 26 at 5:53
  • Alternatively (if the Safari -> AD /certsrv/ thing doesn't work) if you have a way to generate a PKCS#12 (.pfx or .p12) cert+private key identity file for the user, do that, get it onto his Mac and then double-click it to use the Keychain Access utility to import it into his keychain. One last tip: Apple has a free utility called Configurator that lets you create a provisioning profile (like MDMs use, but without needing an MDM). You could use it to create an EAP-TLS provisioning profile and install that profile on his Mac.
    – Spiff
    Commented Apr 26 at 6:03
  • Hi Spiff (Spaceman Spiff from Calvin and Hobbes?). Thanks for his time. I installed the Apple configurator, but it didn't give any option to make any configuration. It seemed like I could only use an iPhone and it needed to be already linked. About the certificate. I'm using the AD certificate service, but the certificate is for the computer and not for the user. I think I'll have to create a user model for macs, correct? I will do the tests soon. The person using MacOS has not arrived yet.
    – Joao
    Commented Apr 26 at 11:36
  • Oh, you need a machine/system cert instead of a user cert. For that, I'm pretty sure you must use a provisioning profile. There's a way to do it in the Configurator app (without an iPhone) but I seem to recall the way to get there is nonintuitive. For a little more background info, Apple had a (poorly-written) document about it here: support.apple.com/guide/deployment/… That article might be MDM-focused but I'm 99% sure you don't actually need an MDM to accomplish this.
    – Spiff
    Commented Apr 26 at 17:57
  • I wish I could light up the @GordonDavisson bat signal because I think he literally wrote a book on this kind of thing. But I don't think SuperUser allows you to tag-notify people on questions they haven't engaged with yet.
    – Spiff
    Commented Apr 26 at 18:02

1 Answer

0

Background: settings like this need to be configured with a "Configuration Profile" -- basically, an XML file with settings in a specific format, and a .mobileconfig extension. Usually, you'd enroll the device in an MDM service, and then that'd send config profiles to it over the Internet, but you can also just put the file directly on a Mac (or iPhone or iPad), and install it manually.

I don't have a way to properly test this, but I think the following procedure will work. To start, you'll need the Apple Configurator app, the client certificate you want to use (generally a .p12 or .pfx file, i.e. including the private key), and the authentication server's certificate (a .crt or .cer file, not including the private key). If you've already installed those certificates in the Mac's keychains, you might need to remove them (with the Keychain Access utility) to avoid a conflict. I don't think there'd be a problem, but since I can't test this... it might be safest to remove them just in case.

You'll also need a program that can edit XML files, to tweak the profile before installing it. Generally, programming-oriented text editors are fine for this (i.e. something that doesn't "helpfully" add formatting junk to the file, or get upset about that weird ".mobileconfig" extension). Unix command-line editors like nano and vi are good options. If you prefer a GUI editor, I recommend BBEdit -- even in the free demo mode, it's great for things like this (but get the web-download version, not the App Store version, which has some features removed to comply with App Store security policies).

To begin, run Apple Configurator. Most of its interface has to do with managing iPhones and such, essentially acting as a local-only MDM. Ignore all that. From the File menu, choose New Profile.

You'll get a window with a bunch of different categories of configuration settings in the left sidebar. You'll only need three of these: General (which is actually properties of the profile itself), Certificates, and Wi-Fi.

In the General section, enter an appropriate name for the profile (this profile will be specific to this one client Mac, so it should probably include the Mac's device name/serial number/asset tag/other unique ID). If you're creating it on the Mac it'll be applied to, the default Identifier is probably fine; otherwise, choose something similarly unique. Put in your Organization (i.e. company) name, and whatever Description and Consent Message you want.

Select Certificates in the sidebar, then click the Configure button in the right panel. That should give you an Open File dialog. Open both the client and server certificates. If you can't select both at once, open one, then click the "+" button in the top right of the pane and add the second. If the client cert is password-protected, there'll be a field under it asking for the password; it's safest to leave it blank (it'll prompt you for it later, when you install the profile).

Select Wi-Fi in the sidebar, and click Configure. Enter the network's SSID (network name), make any other relevant changes, then from the Security Type pop-up menu choose an appropriate Enterprise option. An "Enterprise Settings" section will appear under that, with Protocols and Trust tabs.

In the Protocols tab, select the TLS EAP type, and you'll get an Identity Certificate option under that. Choose the client cert from the pop-up menu there.

Switch to the Trust tab, and in Trusted Certificates, check the box for the server certificate. I don't think you need to enter anything under Trusted Server Certificate Names.

Note: there should be a red "1" next to Certificates in the sidebar, because the client cert's password wasn't entered. That's not a problem. If there's a bigger number, or red numbers by any of the other config sections, that means there's something that matters missing and you should go back and check. It'll point out missing settings with red arrows.

At this point, the config profile should be as done as Apple Configurator can make it. Choose File menu > Save, save the file wherever you want (note: the .mobileconfig extension will be hidden by default, but it's there). It'll complain that there's an error and it may not work (again, because of the missing password), but tell it to save anyway.

There is one important thing missing from the profile at this point: the payload scope. In macOS, configuration profiles can apply either to just a single user, or to the entire system. Apple Configurator is intended to configure iOS and tvOS devices, which don't have this distinction, so it doesn't have a way to specify it. macOS will default to applying it to the user scope, but from your description you want it to apply to the system (entire computer) scope. So you need to edit the file.

Open the .mobileconfig file in your chosen editor, and add <key>PayloadScope</key><string>System</string> at the top level. It should look something like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>PayloadScope</key>
        <string>System</string>
        <key>ConsentText</key>
        ...

[EDIT:] It looks like you also have to tell it to apply the Wi-Fi config at the system level, not just while users are logged in. This'll involve finding the part of the XML file containing that part of the configuration. The simplest way is to look for the SSID_STR key (and its string value), and then add a new <key>SetupModes</key><array><string>System</string></array> entry right below that. It should look something like this:

        ...
        <key>SSID_STR</key>
        <string>Some Wi-Fi Name Here</string>
        <key>SetupModes</key>
        <array>
            <string>System</string>
        </array>
    </dict>
    ...

(Note: when I tested this, the SSID_STR item was the last thing in the dict of settings for Wi-Fi, so there was a close-dict tag right below it. Yours might be in a different order, in which case there'd be more key entries below. That's not a problem, just the same stuff in a different order.)

Now the config profile is ready. Open System Settings (under the Apple menu). The Profiles section may not be shown by default, so you'll need to either choose it from the View menu, or use the Search field to find it. Either way, select the Profiles settings.

Under the list of installed profiles (which'll probably be empty), click the "+" button, and choose the config profile you just created. It'll show you a summary of what the profile contains, and give you several chances to back out of installing it. Click Continue/Install/etc as many times as necessary. At some point, it should prompt you for that missing password to the client certificate and also for the local administrator account password; enter those and continue.

When it gets done prompting you, the profile should be listed under "Device" in the installed profiles list (if it's under "User", the scope change didn't work; remove it with the "-" button, check your edit, and try again). If it doesn't connect to the Wi-Fi network immediately, you might need to restart the Mac for the new settings to fully take effect.

BTW, I think there's actually a way to get the Mac to pull its own client certificate from the Active Directory certificate service, and automatically apply that to the Wi-Fi configuration. But I'm not sure exactly how to set that up, and for a single Mac (which you've already created a client cert for) it's probably not worth worrying about.

3
  • I cannot express such gratitude for your text Gordon and for Spiff's support in this matter. I understood your text and I will take these configuration steps carefully and return here (I will only be able to see it on Monday). I'm sure it's a great help. Regarding auto registration, I don't intend to see it. It's interesting, this is what happens on my network, but I would worry if there were more workstations. There is only one at the moment. Thank you for your concern.
    – Joao
    Commented Apr 27 at 17:27
  • Gordon, great tutorial. I was struggling how to put certs to system keychain using Apple Configurator 2. Do you have any clue what SAN attributes must device certificate hold? I used DNS Name in the past and it worked, but now when I try to authenticate against NPS it's complaining that it is not able to find out user account in AD:( I was able to authenticate when I use UPN and [email protected] as a value instead of DNS name in SAN but I do not know if it is correct way. And even when I put certs to system, mac loses connection after logout even when certs are in system keychain:(
    – Rimvydas
    Commented May 2 at 12:08
  • @Rimvydas Unfortunately, I'm not deeply familiar with either RADIUS or AD, let alone RADIUS authenticating against AD. But if using the UPN and [email protected] works while the user's logged in, that means RADIUS+AD is accepting it and the problem is getting the Mac to use it even when nobody's logged in. I don't have a way to test, but I think that's a matter of adding a SetupModes entry to the Wi-Fi config, so I've added that to the instructions. Try removing the current profile, adding the new edit, and re-adding and see if that works. Commented May 3 at 2:31
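The two hand edits the answer describes (a top-level PayloadScope of System, and a SetupModes array containing System inside the Wi-Fi payload) are easy to get wrong in a text editor, and a mistake only shows up after the install fails or the profile lands under "User". The script below is an added example, not code from the answer, from Apple, or from any project: it applies both edits to a saved .mobileconfig with Python's standard-library plistlib and reports whether they are present. The key names PayloadScope, SetupModes and SSID_STR come from the answer; locating the Wi-Fi payload by the presence of SSID_STR follows the answer's own advice. The sample profile embedded in the script is constructed (placeholder identifiers, UUIDs and certificate bytes), and the payload type strings in it are my assumption about what Apple Configurator writes, not something the page states.

```python
"""Apply the PayloadScope/SetupModes edits to a .mobileconfig profile.

Added example; not the answer's or Apple's code. Key names PayloadScope,
SetupModes and SSID_STR are from the Super User answer; the sample profile
below is constructed placeholder data.
"""
import copy
import plistlib
import tempfile

# Constructed sample profile shaped like an Apple Configurator export: one
# identity (PKCS#12) payload and one Wi-Fi payload.  UUIDs, identifiers and
# the certificate bytes are placeholders, not values from a real profile.
# The PayloadType strings are an assumption about Configurator's output.
SAMPLE_PROFILE = {
    "PayloadDisplayName": "EAP-TLS Wi-Fi (MAC-ASSET-TAG-PLACEHOLDER)",
    "PayloadIdentifier": "example.eap-tls-wifi",
    "PayloadType": "Configuration",
    "PayloadUUID": "00000000-0000-0000-0000-000000000000",
    "PayloadVersion": 1,
    "PayloadContent": [
        {
            "PayloadType": "com.apple.security.pkcs12",
            "PayloadIdentifier": "example.client-identity",
            "PayloadUUID": "11111111-1111-1111-1111-111111111111",
            "PayloadVersion": 1,
            "PayloadContent": b"<placeholder PKCS#12 bytes>",
        },
        {
            "PayloadType": "com.apple.wifi.managed",
            "PayloadIdentifier": "example.wifi",
            "PayloadUUID": "22222222-2222-2222-2222-222222222222",
            "PayloadVersion": 1,
            "SSID_STR": "Some Wi-Fi Name Here",
            "EncryptionType": "WPA2",
        },
    ],
}


def wifi_payloads(profile):
    """Wi-Fi payloads are the ones carrying an SSID_STR key (per the answer)."""
    return [p for p in profile.get("PayloadContent", []) if "SSID_STR" in p]


def make_system_scoped(profile):
    """Return a copy with PayloadScope=System at the top level and
    SetupModes containing System in every Wi-Fi payload.  Idempotent."""
    out = copy.deepcopy(profile)
    if not wifi_payloads(out):
        raise ValueError("no Wi-Fi payload (SSID_STR) found in profile")
    out["PayloadScope"] = "System"
    for p in wifi_payloads(out):
        modes = p.setdefault("SetupModes", [])
        if "System" not in modes:
            modes.append("System")
    return out


def check_profile(profile):
    """List what is still missing; an empty list means both edits are in."""
    problems = []
    if profile.get("PayloadScope") != "System":
        problems.append("top-level PayloadScope is not System")
    wifi = wifi_payloads(profile)
    if not wifi:
        problems.append("no Wi-Fi payload found")
    for p in wifi:
        if "System" not in p.get("SetupModes", []):
            problems.append(
                "Wi-Fi payload %r lacks SetupModes System" % p["SSID_STR"])
    return problems


def rewrite_mobileconfig(src_path, dst_path):
    """Read an unsigned XML .mobileconfig, apply the edits, write it back,
    and return the check_profile() result for the written file."""
    with open(src_path, "rb") as f:
        profile = plistlib.load(f)          # raises on a non-plist (signed) file
    fixed = make_system_scoped(profile)
    with open(dst_path, "wb") as f:
        plistlib.dump(fixed, f, fmt=plistlib.FMT_XML, sort_keys=False)
    with open(dst_path, "rb") as f:
        return check_profile(plistlib.load(f))


if __name__ == "__main__":
    # Round-trip the constructed sample through real files to show the flow.
    with tempfile.TemporaryDirectory() as d:
        src, dst = d + "/before.mobileconfig", d + "/after.mobileconfig"
        with open(src, "wb") as f:
            plistlib.dump(SAMPLE_PROFILE, f, sort_keys=False)
        print("before:", check_profile(SAMPLE_PROFILE))
        print("after: ", rewrite_mobileconfig(src, dst))
```

The script expects the plain XML plist that is being hand-edited in the answer; a signed profile is a CMS wrapper rather than a plist and plistlib will reject it. Running `check_profile` on the edited file before installing it catches the case the answer warns about, where the profile installs under "User" because the scope edit did not take.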
