Skip to main content
This Library Item is available for Apple devices

What is 802.1X Authentication?

802.1X is a standard for controlling access to a network. It ensures that only authorized devices can connect, making your network more secure. This protocol is used in both wired (ethernet) and wireless networks.

How 802.1X Authentication Works

There are three main parts involved in 802.1X authentication:
  • Supplicant -This is the device (like your user’s Mac) that wants to join the network. It provides credentials to the authenticator.
  • Authenticator - This is a network device, such as a switch or access point, that controls access to the network. It checks the credentials and decides whether to allow the device to connect.
  • Authentication Server -Usually a RADIUS server, it verifies the credentials provided by the supplicant and tells the authenticator whether to grant access.
Iru uses MDM controls to configure your Mac computers with the required credentials to provide to the authenticator and authentication servers. Please work with your network team internally to determine your network requirements before configuring and deploying this Library Item.

Add an Ethernet Library Item

To add this Library Item to your Iru Endpoint Library, follow the steps outlined in the Library Overview article.
1

Name the Library Item

Give the new Ethernet Library Item a Name.
2

Assign to Blueprints

Assign to your desired Blueprints.

Configure Authentication Settings

Use as Login Window Configuration

Using this configuration requires integration with a directory service. See this Apple support article for more information.
This setting uses credentials entered at the login window to authenticate to the network using 802.1X protocols. This is particularly useful in environments where user credentials are required as a network authentication method. When you enable this setting, Mac computers will authenticate to the network using the credentials provided at the login screen, meaning they will not have network connectivity before login.

Accepted EAP Types

Select the Accepted EAP Types your network supports. You may select more than one and must set all the settings necessary for the selected EAP types. For more information on configuring specific EAP types, refer to our Configuring EAP (Extensible Authentication Protocol) Types support article.
Many older encryption protocols are no longer considered secure. Use the most up-to-date authentication and encryption supported by your network.

Configure an Identity Certificate

You can configure an identity certificate using AD CS, SCEP, or by uploading a PKCS #12 file. For instructions on configuring identity certificates, see our Using Identity Certificates for 802.1X Authentication support article.

Configure SCEP

When utilizing SCEP for identity certificates, ensure that SCEP is deployed inside the Ethernet Library Item, not as a separate SCEP Library Item.

Configure Certificate Trust Settings

Specifying trusted certificates in the Ethernet Library Item is not recommended. If certificates are renewed or changed, you must redeploy the entire Ethernet profile, potentially causing devices to disconnect from the network. Root and intermediate certificates should be deployed as separate Certificate Library Items, and all of the necessary certificate servers need to be listed in the Specify server certificate names section.
Install the trusted certificate chain for your RADIUS server(s) using a separate Certificates Library item. Then, specify the names of those certificates in the Ethernet Library item under Specify server certificate names. For more information, see Apple’s guide, Connect Apple devices to 802.1X networks. Most enterprise environments require that devices trust the 802.1X authentication server(s), typically a Remote Access Dial-In User Server (RADIUS). The Certificate trust settings allow you to configure which certificates presented by the server devices will trust. If a device does not trust the authentication server(s), the user will be prompted to trust it.
1

Specify trusted certificates (optional)

Select Specify trusted certificates if you want to provide certificates for the configured devices to trust. Then upload the certificates in .cer or .crt format.
2

Specify server certificate names (optional)

Select Specify server certificate names if you want to provide DNS names of certificates devices should trust. Then enter their DNS names — wildcards are accepted.
3

Allow trust exceptions (optional)

Select Allow trust exceptions if you want to ask the user whether to trust the authentication server if the presented certificate fails validation. This option is deprecated in newer versions of macOS and iOS.

Configure Proxy Settings

Configure devices to use a network proxy by configuring the settings in the Proxy section.
1

Enable Proxy management

To configure network proxy settings, toggle the Proxy section to Managed.
2

Configure Automatic proxy

To configure devices to use a Proxy Auto-Configuration (PAC) file, select Automatic for Proxy type.
  • Specify the Proxy PAC URL where devices can find the PAC file.
  • If you want devices to attempt to connect directly to destinations when the PAC file is not available, select Proxy PAC fallback allowed.
3

Configure Manual proxy

To configure devices to use a specific proxy, choose Manual for Proxy type.
  • Provide the Proxy server and port.
  • If the proxy requires authentication, provide the Proxy username and Proxy password.