802.1X Login Window Authentication with Mountain Lion

Since Lion, the procedure for setting up 802.1X has changed. In this guide I will explain how to set it up using a Windows Server 2012 Domain Controller, the Casper Suite and a Mountain Lion client.

This guide assumes you already have a functioning domain controller, Macs bound to this AD, and an 802.1X-authenticated wireless network. In this guide I will be using the Casper Suite, but since OS X profiles are pretty much the same no matter how you distribute them, most steps will be the same no matter what management suite you use.

Exporting Domain Controller Certificate

On the Windows Server, open MMC and add the Certificates snap-in by navigating to the File menu and selecting Add/Remove Snap-in (alternatively you could just press Ctrl+M).


Locate the Certificates snap-in and click Add.


When prompted, select Computer Account, then click Next and Finish.

Now that the Certificates snap-in has been added, navigate to Personal > Certificates. Here you will see your Certificate Authority certificate and your Domain Controller certificates. Export the applicable certificate (the one for the Domain Controller running NPS): right-click the Domain Controller certificate, hover over All Tasks and select Export.


Click Next through the wizard, and make sure to copy the exported certificate to the machine you plan to create the profile with.

Profile Creation

As I said at the top, most of these steps will be the same no matter what management tool you use.

First, create a new computer-level profile.


Next, configure the Certificate payload; here you will upload your Domain Controller certificate.


Now we will configure the Network payload: enter your network SSID and select WPA / WPA2 Enterprise as the security type.

Select the appropriate EAP types for your environment and tick the Use Directory Authentication box.


Now select the Trust tab, select the certificate we uploaded in the Certificate payload and enter the Trusted Server Certificate Names; this will be the FQDN of your Domain Controller.


Now set up the correct scope, or manually deploy the profile to your target machines. Once complete, you will find the 802.1X profile configured in the Network pane of System Preferences.
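As an added example (not part of this post, the Casper Suite or Apple's tools), here is the same profile built in Python with plistlib, so the payload keys behind each of the steps above are visible, along with a check that the Trust settings actually pin the RADIUS server. The SSID, FQDN, certificate bytes and identifiers are constructed placeholders, and the key names follow Apple's Configuration Profile Reference as I recall them, so verify them against the current reference before deploying.

```python
import plistlib
import uuid

# Constructed placeholder; substitute the DER bytes of the exported DC certificate.
DC_CERT_DER = b"PLACEHOLDER-DER-BYTES-OF-EXPORTED-DC-CERTIFICATE"


def build_profile(ssid, dc_fqdn, cert_der, prefix="com.example.8021x"):
    # Certificate payload (DER cert) plus a Wi-Fi payload whose EAP settings use
    # the AD computer account and pin the RADIUS server to that cert and name.
    cert_uuid = str(uuid.uuid4()).upper()
    cert = {"PayloadType": "com.apple.security.pkcs1", "PayloadVersion": 1,
            "PayloadIdentifier": prefix + ".cert", "PayloadUUID": cert_uuid,
            "PayloadDisplayName": "Domain Controller certificate",
            "PayloadCertificateFileName": dc_fqdn + ".cer", "PayloadContent": cert_der}
    wifi = {"PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1,
            "PayloadIdentifier": prefix + ".wifi", "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadDisplayName": "Corporate Wi-Fi", "SSID_STR": ssid, "AutoJoin": True,
            "EncryptionType": "WPA2",                  # WPA / WPA2 Enterprise
            "SetupModes": ["System", "Loginwindow"],   # login window profile
            "EAPClientConfiguration": {
                "AcceptEAPTypes": [25],                            # 25 = PEAP (13 TLS, 21 TTLS)
                "SystemModeCredentialsSource": "ActiveDirectory",  # "Use Directory Authentication"
                "PayloadCertificateAnchorUUID": [cert_uuid],       # Trust tab: certificate
                "TLSTrustedServerNames": [dc_fqdn],                # Trust tab: server name
            }}
    return {"PayloadType": "Configuration", "PayloadVersion": 1, "PayloadScope": "System",
            "PayloadIdentifier": prefix, "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadDisplayName": "802.1X Login Window", "PayloadContent": [cert, wifi]}


def trust_findings(profile):
    # Empty list means each Wi-Fi payload ties authentication to the named RADIUS
    # server and the uploaded certificate; anything listed here is a gap to fix.
    cert_uuids = {p["PayloadUUID"] for p in profile["PayloadContent"]
                  if p["PayloadType"].startswith("com.apple.security.")}
    findings = []
    for p in profile["PayloadContent"]:
        if p["PayloadType"] != "com.apple.wifi.managed":
            continue
        eap = p.get("EAPClientConfiguration", {})
        if not eap.get("TLSTrustedServerNames"):
            findings.append(p["SSID_STR"] + ": no TLSTrustedServerNames")
        if not set(eap.get("PayloadCertificateAnchorUUID", [])) & cert_uuids:
            findings.append(p["SSID_STR"] + ": anchor UUID matches no certificate payload")
    return findings


def to_mobileconfig(profile):
    return plistlib.dumps(profile)  # XML plist; save with a .mobileconfig extension
```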
