Configuring iPhone wireless client for TTLS+PAP (v3.0, 27th Feb 2014)

Described here are the steps involved in configuring the wifi client of the iPhone (and similar Apple devices) to use eduroam, authenticating via TTLS+PAP. The same process may be used for MacOSX v10.8 (Mountain Lion) and MacOSX v10.9 (Mavericks). Your home site will be able to tell you whether TTLS+PAP is the appropriate authentication method that you should use.

Wherever you see the icon in the instructions below you can click on the text beside it to display further information and click on it again to hide the detailed text once more. Click on an image to open a larger version in a new browser window.

Information you will need

To complete these instructions you'll need some information specific to your home site/organisation, plus your own credentials, as listed below. If any of the details in your wifi profile are incorrect then your authentication will fail and you will not gain wifi access via eduroam. The IT department of your home site will be able to provide you with these details:

Information required	Sample string in the instructions below
Your home site's abbreviated name e.g. UCD	mysite
Your home site's domain name as would appear in, for example, your e-mail address e.g. ucd.ie	mysite.ie
[OPTIONAL] The name of the CA certificate used by your home site for eduroam. You will not require this if your site is using a public CA which is already defined on your iPhone.	Cybertrust Educational CA
[OPTIONAL] A file containing the actual CA certificate used by your site for eduroam. You will not require this if your site is using a public CA which is already defined on your iPhone.	cacert.crt
The name on the SSL certificate presented by the authentication server at your home site e.g. tweedledum.ucd.ie	certname.mysite.ie
The username you use to authenticate against your home account. Note the inclusion of your domain name e.g. jsoap@ucd.ie	myname@mysite.ie
The password you use to authenticate against your home account.

Configuration instructions

The instructions below are broken into several sections:

• Generating a wifi profile for an iPhone - describes creating an iPhone wifi profile for eduroam.
• Installing the wifi profile on an iPhone - describes installing the eduroam profile on an iPhone.
• Using eduroam on an iPhone - describes how to use the profile to connect via eduroam.

Notes on the iPhone wireless client

Generating a wifi profile for an iPhone

You generate a profile using the iPhone Configuration Utility which is available to download for free from the Apple support website via the following link: iPhone Configuration utility. There is one version of the software available for MacOSX and another available for Windows. The MacOSX version is described here (with some references to the Windows version where it differs significantly), but the Windows version is generally functionally the same. Download and install the application software.

1. Download and install the latest version of the iPhone Configuration utility software.
   
   
2. If your home site has provided you with a file containing a CA certificate then you will need to install it here, otherwise skip to the next step.

   Installing the CA certificate

   Installing the CA Certificate

   The process of installing the certificate differs between the MacOSX and Windows versions of the iPhone Configuration Utility. In both cases, you will need a copy of the X.509 CA certificate in a file with .cer, .crt, or .der extension.

   For the MacOSX version: Simply copy the CA certificate file, cacert.crt, onto the machine hosting the iPhone Configuration Utility. You can then select the file directly in a later step.

   For the Windows version: You must first install the CA certificate into the local Personal certificate store (do this as the same user you will run the iPhone Configuration Utility as). Double-clicking on the certificate file, cacert.crt, will invoke a wizard which lets you install the certificate to a local certificate store of your choice. You can verify that the certificate is installed by running MMC (mmc.exe), adding the "Certificates" snap-in, and browsing to the Personal store to see what certificates exist there.

   Further info on CA certificate

   CA Certificate

   As described in a later step, you must supply the details of the SSL certificate of your home authentication server as part of the eduroam profile. These details include the identity of the Certificate Authority (CA) that signed the server certificate. The iPhone comes with a list of public CA's already installed (this list, for iOS 4.x, is available here) so if your site's certificate is signed by one of those CA's then you don't need to explicitly refer to that CA in your eduroam profile. However, if you wish to explicitly identify an intermediate CA, or your server's certificate is signed by a private CA, then you should install that CA's certificate in the profile.

3. Open the application:
   
4. Select Configuration Profiles to manage your profiles, and click the New button to add a new profile for eduroam.

   Within the new profile select General in the middle pane and fill in the fields as follows:
   

   Name eduroam Identifier com.mysite.profile.eduroam Organization Mysite Description Mysite WiFi profile for eduroam. Security Always

5. If you installed a CA certificate, provided by your home site, in an earlier step then you must select it here, otherwise skip to the next step.

   Selecting the CA certificate

   Selecting the CA Certificate

   Select Credentials in the middle pane to specify the CA certificate used by your home site. The sample picture below shows the results of adding the "Cybertrust Educational CA" intermediate certificate.

   For the MacOSX version: Click Configure in the rightmost pane, browse to the local directory where you stored the file cacert.crt earlier, and select the file. The name of the CA Certificate, Cybertrust Educational CA, should appear in the right pane. For the Windows version: Click Configure in the rightmost pane and you will be presented with a list of the certificates available in your local Personal certificate store. Select the appropriate certificate, Cybertrust Educational CA, and click Choose.

6. Select Wi-Fi in the middle pane and click Configure in the rightmost pane. Define the wifi profile details:
   

   Service Set Identifier (SSID) eduroam Security Type Select WPA/WPA2 Enterprise Password Leave blank Accepted EAP Types Tick TTLS only Inner Authentication Select PAP

7. Click on the Authentication tab in the rightmost/Wi-Fi pane, and define the outer identity details:
   

   Username Leave blank Outer identity anonymous@mysite.ie

   Further info on outer identity

   Outer Identity

   Within the Authentication tab, you can define the user's username and anonymous identity. If you are generating a profile for use in your device only, then you can fill in your own username here. Alternatively, if you are creating a profile for use by multiple users of your site, then leave the username field blank as shown in this example so that the user is prompted to enter their username when they first use the profile (the username will then be saved with the profile on the user's iPhone). In both cases the same generic anonymous identity can be used. Your home site will be able to advise you of the values that you should substitute in the fields below.

   Note: The option to cache the user password is chosen here by not selecting the Use Per-Connection Password setting. As a result, when the user first uses this profile they will be prompted to enter their password which will then be saved with this profile on their iPhone for use in subsequent sessions. You should consider whether this caching option is appropriate for you/your site, and if in doubt then opt to not have the user credentials cached (by leaving the username field in the profile empty and by ticking Use Per-Connection Password) so that the user is prompted for them each time.

8. Click on the Trust tab in the rightmost/Wi-Fi pane, and define the certificate trust details:
   

   Trusted Certificates If you installed a CA certificate for your home site in earlier steps, then select it here from the list shown, otherwise leave this box blank. This example shows Cybertrust Educational CA selected. Trusted Server Certificate Names Click on the + button to add a new entry, double click the new entry and type in the certificate name of certname.mysite.ie and hit the enter key. Unselect Allow Trust Exceptions

   Further info on certificate trust

   Certificate Trust

   Within the Trust tab, define the certificate details for your site. These identify the details of the SSL certificate on your home authentication server, and are essential in order to prevent the wireless client from sending your credentials to a fake server. Your home site will be able to provide you with the necessary details, which you should substitute as appropriate below (the image below shows sample values for the fields, which you will need to replace with the values for your home site).
   
   If you wish to prevent the iPhone user from accepting any certificate other than the one you have defined here, then unselect the Allow Trust Exceptions option as shown. This is recommended to protect against a user unwittingly being enticed into accepting a fake certificate.

Your profile is now created and you are ready to install it on your iPhone.

Installing the wifi profile on an iPhone

There are a number of ways of installing the newly generated profile on an iPhone. These are documented fully within Apple's own documentation but they briefly consist of:

• Install to a USB-connected device:
  
  1. Connect the iPhone to a USB port on your computer. The device should appear in the Devices list in iPhone Configuration Utility.
  2. Select the device, then click the Configuration Profiles tab.
  3. Select the eduroam configuration profile from the list, and click Install.
  4. On the device, tap Install to install the profile.
• Install via downloading the profile from a website.

  Further info on installing profile via website

  Installing Profile From A Website

  Note that this method requires that you already have Internet access from the iPhone so that you can access the site on which the eduroam profile is stored.

  1. In order to transfer the newly created eduroam profile to an iPhone via email or web you must first export it to a file. Within the iPhone Configuration Utility, select the eduroam profile from the list of profiles under Configuration Profiles and click the Export button.
     
     In the example shown here, "Security" is set to None, meaning that this profile will not be signed. As an alternative you can choose to sign the profile but subsequent changes to the profile must then be made from this very same machine. Having selected your option, click Export... and save the file with a name of your choice, such as "mysite-eduroam-profile" - it will be written to disk as a text (XML) file called "mysite-eduroam-profile.mobileconfig".
     

     Security Select None

  2. Transfer the profile file to an appropriate area of the website from which users are to download it. The file must not be compressed and the filename suffix must be .mobileconfig in order for an iPhone to be able to recognise and use it. In addition you must add an appropriate MIME type to the web server. The means of doing this differs from one web server to another, but on Apache it is done by adding the following line to the available mime types (typically defined in the Apache mime.conf file but could be defined elsewhere depending on your Apache config) and restarting Apache:
     
     

     AddType application/x-apple-aspen-config .mobileconfig

     
     
  3. Circulate the URL of the config file to your iPhone users (by SMS, by having them browse to it via your site's public website, etc.). When they access the file, the iPhone will recognise it as a profile and initiate the steps for installing and activating the profile.
     The iPhone will warn that the profile is "Unsigned", but the user should proceed with the installation by clicking on the Install button. An option is given to view the details of the profile and it is recommended that the user do so to satisfy themselves that the profile being installed is the correct one by matching the content against what their home site advises they should see.
     The user may also be warned that "the authenticity of profile name cannot be verified" - use the Install Now button to acknowledge the warning and continue with the install.

• Install by receiving the profile via e-mail. The profile needs to be stored in a file whose details are the same as those for a profile downloaded from a website.

Using eduroam on an iPhone

Once the profile is installed on your iPhone, it can connect to an eduroam wifi network.

1. The first time your iPhone connects to an eduroam wifi network you may be warned that the certificate certname.mysite.ie is "not verified". Click Accept. You will then be asked to provide your username and password - note that your username must be of the form myname@mysite.ie as prescribed by your home site.
   

   Further info on certificate verification

   Certificate Verification

   Your iPhone is trying to verify the identity of your home authentication server, and is asking you to confirm that it may pass your credentials to the server it is currently talking to. The More Details button allows you to view the contents of the SSL certificate presented by the server that your iPhone is talking to. You should satisfy yourself that this is indeed the certificate of the authentication server of your home site (your home site can provide details of what you should expect to see), otherwise you risk supplying your credentials to a fake server.

2. On subsequent connections to eduroam, your cached username and password will be re-used if you enabled caching of credentials in the profile (caching is enabled if you followed the instructions above). Otherwise you will be prompted to re-enter your credentials each time you connect.
   Whether credential caching is enabled or not, you will not be required to re-verify the SSL certificate of your home authentication server on subsequent use of this profile.