Configuring iPhone wireless client for PEAP+MSCHAPv2 (v3.0, 27th Feb 2014)

Described here are the steps involved in configuring the wifi client of the iPhone (and similar Apple devices) to use eduroam, authenticating via PEAP+MSCHAPv2. The same process may be used for MacOSX v10.8 (Mountain Lion) and MacOSX v10.9 (Mavericks). Your home site will be able to tell you whether PEAP+MSCHAPv2 is the appropriate authentication method that you should use.


Information you will need

To complete these instructions you'll need some information specific to your home site/organisation, plus your own credentials, as listed below. If any of the details in your wifi profile are incorrect then your authentication will fail and you will not gain wifi access via eduroam. The IT department of your home site will be able to provide you with these details:

Information required, with the sample string used in the instructions below:

  • Your home site's abbreviated name, e.g. UCD. Sample string: mysite
  • Your home site's domain name as would appear in, for example, your e-mail address, e.g. ucd.ie. Sample string: mysite.ie
  • [OPTIONAL] The name of the CA certificate used by your home site for eduroam. You will not require this if your site is using a public CA which is already defined on your iPhone. Sample string: Cybertrust Educational CA
  • [OPTIONAL] A file containing the actual CA certificate used by your site for eduroam. You will not require this if your site is using a public CA which is already defined on your iPhone. Sample string: cacert.crt
  • The name on the SSL certificate presented by the authentication server at your home site, e.g. tweedledum.ucd.ie. Sample string: certname.mysite.ie
  • The username you use to authenticate against your home account. Note the inclusion of your domain name, e.g. jsoap@ucd.ie. Sample string: myname@mysite.ie
  • The password you use to authenticate against your home account.

Configuration instructions

The instructions below are broken into several sections:

Notes on the iPhone wireless client

Generating a wifi profile for an iPhone

You generate a profile using the iPhone Configuration Utility which is available to download for free from the Apple support website via the following link: iPhone Configuration utility. There is one version of the software available for MacOSX and another available for Windows. The MacOSX version is described here (with some references to the Windows version where it differs significantly), but the Windows version is generally functionally the same. Download and install the application software.

  1. Download and install the latest version of the iPhone Configuration utility software.

  2. If your home site has provided you with a file containing a CA certificate then you will need to install it here, otherwise skip to the next step.

    Installing the CA certificate


  3. Open the application:
  4. Select Configuration Profiles to manage your profiles, and click the New button to add a new profile for eduroam.

    Within the new profile select General in the middle pane and fill in the fields as follows:

    Name: eduroam
    Identifier: com.mysite.profile.eduroam
    Organization: Mysite
    Description: Mysite WiFi profile for eduroam.
    Security: Always

  5. If you installed a CA certificate, provided by your home site, in an earlier step then you must select it here, otherwise skip to the next step.

    Selecting the CA certificate

  6. Select Wi-Fi in the middle pane and click Configure in the rightmost pane. Define the wifi profile details:
    Service Set Identifier (SSID): eduroam
    Security Type: Select WPA/WPA2 Enterprise
    Password: Leave blank
    Accepted EAP Types: Tick PEAP only
  7. Click on the Authentication tab in the rightmost/Wi-Fi pane, and define the outer identity details:
    Username: Leave blank
    Outer identity: anonymous@mysite.ie


  8. Click on the Trust tab in the rightmost/Wi-Fi pane, and define the certificate trust details:
    Trusted Certificates: If you installed a CA certificate for your home site in earlier steps, then select it here from the list shown, otherwise leave this box blank. This example shows Cybertrust Educational CA selected.
    Trusted Server Certificate Names: Click on the + button to add a new entry, double click the new entry, type in the certificate name certname.mysite.ie and hit the enter key.
    Allow Trust Exceptions: Unselect


Your profile is now created and you are ready to install it on your iPhone.
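
The settings from steps 6 to 8 can be checked in the exported profile before it is handed out. The following is an added example, not part of the original instructions: it assumes the profile was exported unsigned as a .mobileconfig property list and reads Apple's Wi-Fi payload keys; the sample profile is constructed, and the anonymous@ test follows this page's sample outer identity.

```python
import plistlib

PEAP = 25  # EAP method type number for PEAP

# Constructed sample: an unsigned profile with the values from steps 6-8.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.mysite.profile.eduroam",
    "PayloadContent": [{
        "PayloadType": "com.apple.wifi.managed",
        "SSID_STR": "eduroam",
        "EncryptionType": "WPA",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [PEAP],
            "OuterIdentity": "anonymous@mysite.ie",
            "TLSTrustedServerNames": ["certname.mysite.ie"],
            "TLSAllowTrustExceptions": False,
        },
    }],
})


def audit_wifi_profile(data, ssid="eduroam"):
    """Return findings for the Wi-Fi payload(s) configured for ssid."""
    profile = plistlib.loads(data)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.wifi.managed"
                and p.get("SSID_STR") == ssid]
    if not payloads:
        return [f"no Wi-Fi payload for SSID {ssid!r}"]
    findings = []
    for p in payloads:
        eap = p.get("EAPClientConfiguration", {})
        if p.get("EncryptionType") not in ("WPA", "WPA2"):
            findings.append("security type is not WPA/WPA2 Enterprise")
        if eap.get("AcceptEAPTypes") != [PEAP]:
            findings.append("accepted EAP types are not PEAP only")
        if not eap.get("TLSTrustedServerNames"):
            findings.append("no trusted server certificate name set")
        # A missing key is treated as "allowed" here (conservative choice).
        if eap.get("TLSAllowTrustExceptions", True):
            findings.append("trust exceptions are allowed")
        if not eap.get("OuterIdentity", "").startswith("anonymous@"):
            findings.append("outer identity is not anonymous@<domain>")
        if "UserPassword" in eap:
            findings.append("password is stored in the profile")
    return findings
```

An empty list from `audit_wifi_profile(SAMPLE)` means the profile matches the values given in the steps above.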

Installing the wifi profile on an iPhone

There are a number of ways of installing the newly generated profile on an iPhone. These are documented fully within Apple's own documentation but they briefly consist of:
  • Install to a USB-connected device:
    1. Connect the iPhone to a USB port on your computer. The device should appear in the Devices list in iPhone Configuration Utility.
    2. Select the device, then click the Configuration Profiles tab.
    3. Select the eduroam configuration profile from the list, and click Install.
    4. On the device, tap Install to install the profile.
  • Install via downloading the profile from a website.


  • Install by receiving the profile via e-mail. The profile needs to be stored in a file whose details are the same as those for a profile downloaded from a website.

Using eduroam on an iPhone

Once the profile is installed on your iPhone, it can connect to an eduroam wifi network.

  1. The first time your iPhone connects to an eduroam wifi network you may be warned that the certificate certname.mysite.ie is "not verified". Click Accept. You will then be asked to provide your username and password - note that your username must be of the form myname@mysite.ie as prescribed by your home site.


  2. On subsequent connections to eduroam, your cached username and password will be re-used if you enabled caching of credentials in the profile (caching is enabled if you followed the instructions above). Otherwise you will be prompted to re-enter your credentials each time you connect.
    Whether credential caching is enabled or not, you will not be required to re-verify the SSL certificate of your home authentication server on subsequent use of this profile.