EAP-TLS and OS X clients
Jaap Winius
jwinius at umrk.nl
Wed Feb 20 14:49:07 CET 2013
Quoting A.L.M.Buxey at lboro.ac.uk:
> SSL certs can be in various formats. Ones that are 'usable'
> depend on the underlying code, but the useful types are
> usually PEM, DER (also known as CER) and P12....these are
> all active certs. CSR is a certificate signing request file
> and isn't a valid cert for client use. ... On OSX you need
> to ensure you have the CA installed - and TRUSTED!
Thanks, Alan. That straightened some things out for me.
Eventually, though, it turned out that the most important issue was
with OS X 10.7 (Lion). With this particular version of Apple's OS, the
facility for adding enterprise network configurations is not as
flexible as it once was. Now, if something different is required, a
special (free) tool must first be obtained -- the iPhone Configuration
Utility -- with which to create an XML profile that can then be
applied. Not exactly what I was expecting, but that's the way it is.
For anyone who might be interested, here's the set of instructions
that I used:
========================
If your school uses TTLS with PAP (LDAP backend) then yah, the auto
connection with ethernet will not help you. That is because the
default EAP type that is supported is TTLS MSCHAPv2 (which is a bit
more secure than PAP --ya ya, I know it is not foolproof).
Anyway, all is not lost.
You have three choices on how to get an 802.1X profile that supports
TTLS with PAP onto your Mac.
1. Download iPCU and create a .mobileconfig file
2. Buy Lion server and use Profile Manager
3. Create a .mobileconfig (xml file) from scratch
Options 2 and 3 are kind of a pain in the rear, so let's stick with option 1.
Please put on your learning hat now
**Please note this example is for a wired OR wireless 802.1X
connection that requires TTLS and PAP for Lion clients**
1. Download and install the iPCU http://support.apple.com/kb/DL851
2. Open the iPCU (the iPCU is installed in Applications - Utilities)
3. In the right hand side click on Configuration Profiles.
4. Click on New. (upper left)
5. You will see a new profile with a bunch of payloads (general,
passcode, restrictions, etc). Don't worry you do not need to fill most
of these out.
6. Click on General and fill out a Profile Name, Identifier (they can
be anything) the rest of the fields you can leave blank. I used spam
and spam.
7. Now click on WiFi. Don't be scared here. Lion can use WiFi profiles
for Ethernet (it will just ignore the SSID field). Click configure.
7a. For SSID: If your school has a wireless network that uses TTLS
with PAP, fill in the SSID name (wireless network name) that your
school uses. If your school does not use wireless, then just use a
label (e.g. spam).
7b. Ignore the hidden network field (unless of course your school uses
a hidden SSID and you want to use wireless for this connection).
7c. Security Type: Again, if this is for Ethernet, just use WPA/WPA2
Enterprise. If this profile is going to be used for WiFi, then you
need to find out what type of security your school uses. Most likely
it will be WPA/WPA2 Enterprise (I hope).
7d. Once you choose WPA/WPA2 Enterprise you will see more options
appear. Choose TTLS.
7e. Ignore EAP-FAST settings. Leave all boxes unchecked for EAP-FAST.
7f. For Inner Authentication choose PAP.
8. You will see three tabs, one for protocol (that you already filled
out), one for Authentication and one for Trust. You can ignore trust
unless you have the certificate from the radius server already loaded
on your client. Don't worry if you do not have the cert, the Mac will
load it (with your permission) during the first authentication. Ignore
the Authentication tab for now.
9. Now look at the top left of the tool and choose Export
9a. for Security, just choose none (don't worry about signing it)
9b. Hit Export.
10. You will get a Save As dialogue box. Give the profile a name (like
spam or something) and choose where you would like to save the profile.
11. Now go to where you saved your profile and double click it. System
Prefs will launch and try to install the profile.
11a. Just hit continue and continue again.
11b. You will be prompted for "settings" which are the username and
password. You can either just hit install (the eapol supplicant will
ask you for your credentials during the authentication phase) or you
can fill them out now. BE SURE TO INPUT THE CORRECT INFORMATION!!!!
If you insert a bad username or password into this field, it will get
saved as a keychain entry (with bad info) and you will never be able
to connect. The Mac will just silently fail authentication until you
delete the keychain entry and do a fresh auth. Save yourself some
trouble and leave the fields blank and just hit install.
11c. You will be prompted for your admin password to install the profile.
12. The profile should be installed now.
13. In system prefs, click show all then click network.
14. If you click on your Ethernet interface you should now have a
nifty "connect" button. Connect via Ethernet into the school's
802.1X protected network and hit connect.
At this point you should get prompted for your credentials and then
prompted to accept the RADIUS server's certificate.
You should be good to go now.
Here endeth the lesson. Hope it works for you guys.
========================
Source: https://discussions.apple.com/thread/3198156?start=0&tstart=0
See DrVenture's post of Sep 15, 2011 10:20 AM (in response to zag0).
The utility is now available at: http://support.apple.com/kb/DL1465
Cheers,
Jaap
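As an added example, not part of the original post, of Jaap's message, or of Apple's tooling: the script below builds the same kind of .mobileconfig that the iPhone Configuration Utility exports for an 802.1X TTLS/PAP network (option 3 above, done by hand) and then reviews it for the two pitfalls the instructions mention, an unverified RADIUS server certificate and a wrong password stored in the keychain. Payload keys are those documented in Apple's Configuration Profile Reference; the SSID "spam", the organisation "example.org", the server name "radius.example.org" and the dummy DER blob are constructed placeholders.

```python
# Added example: generate and review a .mobileconfig for 802.1X TTLS/PAP.
# Not Apple's code; key names follow Apple's Configuration Profile Reference,
# all concrete values below are constructed placeholders.
import plistlib
import uuid

EAP_TYPE_TTLS = 21                      # IANA EAP method number for EAP-TTLS
WIFI_PAYLOAD = "com.apple.wifi.managed"
ROOT_CERT_PAYLOAD = "com.apple.security.root"


def build_ttls_pap_profile(ssid, trusted_server_names, org="example.org",
                           ca_cert_der=None, username=None):
    """Return XML plist bytes for a profile with one Wi-Fi payload and an
    optional root-CA payload. Lion applies the Wi-Fi payload to Ethernet as
    well, ignoring SSID_STR, as the quoted instructions note."""
    eap = {
        "AcceptEAPTypes": [EAP_TYPE_TTLS],
        "TTLSInnerAuthentication": "PAP",
        # Names the RADIUS server certificate must carry, so the supplicant
        # rejects an impostor instead of asking the user to accept it.
        "TLSTrustedServerNames": list(trusted_server_names),
        # Do not let the user click through an untrusted server certificate.
        "TLSAllowTrustExceptions": False,
        # The outer identity travels in the clear; keep the real username
        # inside the TLS tunnel.
        "OuterIdentity": "anonymous",
    }
    if username:
        eap["UserName"] = username
    # No UserPassword on purpose: a wrong stored password lands in the
    # keychain and every later authentication fails silently.

    wifi_uuid = str(uuid.uuid4()).upper()
    wifi = {
        "PayloadType": WIFI_PAYLOAD,
        "PayloadVersion": 1,
        "PayloadUUID": wifi_uuid,
        "PayloadIdentifier": f"{org}.wifi.{wifi_uuid}",
        "PayloadDisplayName": f"802.1X {ssid}",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        "EncryptionType": "WPA",        # WPA/WPA2 Enterprise once EAP is set
        "EAPClientConfiguration": eap,
    }
    payloads = [wifi]

    if ca_cert_der is not None:
        # Ship the RADIUS CA inside the profile so trust exists before the
        # first authentication instead of relying on an "accept" prompt.
        ca_uuid = str(uuid.uuid4()).upper()
        payloads.append({
            "PayloadType": ROOT_CERT_PAYLOAD,
            "PayloadVersion": 1,
            "PayloadUUID": ca_uuid,
            "PayloadIdentifier": f"{org}.ca.{ca_uuid}",
            "PayloadDisplayName": "RADIUS CA",
            "PayloadContent": bytes(ca_cert_der),   # DER bytes -> <data>
        })

    top_uuid = str(uuid.uuid4()).upper()
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadUUID": top_uuid,
        "PayloadIdentifier": f"{org}.8021x.{top_uuid}",
        "PayloadDisplayName": f"{org} 802.1X (TTLS/PAP)",
        "PayloadOrganization": org,
        "PayloadRemovalDisallowed": False,
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile)


def load_profile(data):
    """Parse .mobileconfig bytes back into a dict."""
    return plistlib.loads(data)


def review_profile(data):
    """Return the findings a defender would flag before deploying."""
    findings = []
    prof = load_profile(data)
    payloads = prof.get("PayloadContent", [])
    ca_shipped = any(p.get("PayloadType") == ROOT_CERT_PAYLOAD for p in payloads)
    for p in payloads:
        if p.get("PayloadType") != WIFI_PAYLOAD:
            continue
        eap = p.get("EAPClientConfiguration", {})
        if EAP_TYPE_TTLS not in eap.get("AcceptEAPTypes", []):
            findings.append("TTLS is not among AcceptEAPTypes")
        if eap.get("TTLSInnerAuthentication") == "PAP":
            # PAP sends the password inside the tunnel, so the tunnel
            # endpoint must be verified by name and certificate.
            if not eap.get("TLSTrustedServerNames"):
                findings.append("PAP inner auth without TLSTrustedServerNames")
            if eap.get("TLSAllowTrustExceptions", True) and not ca_shipped:
                findings.append("user may accept an unknown RADIUS certificate")
        if "UserPassword" in eap:
            findings.append("UserPassword embedded in profile")
    return findings


if __name__ == "__main__":
    # Constructed inputs: a throwaway SSID and a dummy blob in place of a CA.
    blob = build_ttls_pap_profile("spam", ["radius.example.org"],
                                  ca_cert_der=b"\x30\x03\x02\x01\x00")
    print(blob.decode())
    print("findings:", review_profile(blob))
```

The generated file can be installed the same way as step 11 above (double-click, then System Preferences). Because TLSAllowTrustExceptions is set to false, the profile must carry the real RADIUS CA in the root-certificate payload; otherwise the first authentication fails instead of prompting the user to trust an unknown certificate, which is the intended failure mode.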