802.1x authentication for non-AD-bound Macs

dennielle
New Contributor

Hi.

Need help.

Any idea how to configure 802.1x authentication for non-AD-bound Macs?


merps
Contributor III

We do this using a configuration profile with a SCEP payload and a Network payload.
Network payload references the SCEP cert as identity certificate and is set to connect with WPA2 Enterprise.

jameson
Contributor II

Or use ADCS - Works fine

talkingmoose
Moderator

Binding to Active Directory isn't a requirement for 802.1x authentication, however, some network administrators may use Active Directory as a "record of truth" to verify devices are owned by the organization before allowing them to connect to the network. If that's the case, binding may be the only option in order to get a device record into Active Directory.

bcbackes
Contributor III

Resurrecting this thread. I'm looking to move away from AD binding, however, it appears that binding places a certificate in the keychain that appears to be used for 802.1x authentication. I'm trying to find out what options are available for getting off of binding and still being able to connect to 802.1x internal networks. Not to mention, can that workflow be added to a prestage enrollment?

alexjdale
Valued Contributor III

You definitely don't need an AD bind to authenticate with 802.1x. You can simply use the SCEP/ADCS certificate in a network profile, but your back-end auth system might need to validate the device record in AD. We leveraged write-back from Azure for this, so our Macs need to be registered with Intune/AAD and compliant for network auth.