Configuring MacOSX Leopard (v10.5) wireless client for PEAP+MSCHAPv2 (v3.0, 27th Feb 2014)

Described here are the steps involved in configuring the MacOSX v10.5 (aka Leopard) wireless client to use eduroam, authenticating via PEAP+MSCHAPv2. Your home site will be able to tell you whether PEAP+MSCHAPv2 is the appropriate authentication method that you should use.


Information you will need

To complete these instructions you'll need some information specific to your home site/organisation, plus your own credentials, as listed below. If any of the details in your wifi profile are incorrect then your authentication will fail and you will not gain wifi access via eduroam. The IT department of your home site will be able to provide you with these details:

| Information required | Sample string in the instructions below |
| --- | --- |
| Your home site's domain name as would appear in, for example, your e-mail address e.g. ucd.ie | mysite.ie |
| [OPTIONAL] The name of the CA certificate used by your home site for eduroam. You will not require this if your site is using a public CA which is already defined on your iPhone. | Cybertrust Educational CA |
| The name on the SSL certificate presented by the authentication server at your home site e.g. tweedledum.ucd.ie | certname.mysite.ie |
| The username you use to authenticate against your home account. Note the inclusion of your domain name e.g. jsoap@ucd.ie | myname@mysite.ie |
| The password you use to authenticate against your home account. | mypassword |

Configuration instructions

The instructions below are broken into two sections: creating a wifi profile, and using eduroam for the first time.


Create a wifi profile

Follow these steps to create your eduroam wifi profile:

  1. Click on the wireless icon (in the menu bar at the top of the screen).
    Select Open Network Preferences....
    Select Airport and click Advanced...
  2. Click on the 802.1X tab.
    Click on + and select Add User Profile.
  3. Define the profile details:
    Profile name: eduroam
    User Name: myname@mysite.ie
    Password: mypassword
    Wireless Network: eduroam
    Authentication: Select the tickbox beside PEAP and un-select all the others.

  4. Select PEAP and click Configure....
    Enter details as follows:
    Outer identity: anonymous@mysite.ie

    Click OK

  5. Click OK at the new profile window.
    Click Apply in the Network window.
    Highlight Airport and click Advanced... once more
    Click on + to add eduroam as a preferred network.
  6. Define the eduroam network details:
    Network Name: eduroam
    Security: Select WPA2 Enterprise
    802.1X: Select eduroam, which should cause most/all of the remaining fields to auto-fill
    User Name: myname@mysite.ie
    Password: mypassword
    Select Remember this network

    Click Add

  7. You can make eduroam your preferred network by dragging the eduroam entry to the top of the list of preferred networks.
    Click OK
    Click Apply

Your wireless client is now configured to avail of eduroam and should connect automatically when at a site where the eduroam service is available.

Using eduroam for the first time

When you use your new eduroam profile for the first time you will be required to verify the details of the authentication server you are talking to, as follows:

  1. A "Verify Certificate" pop-up window will display on your screen.
    Click Show Certificate
  2. Compare the details shown against those certificate details provided by your home site, as described earlier:

    If the CA certificate name (in the upper pane) matches Cybertrust Educational CA and the SSL certificate name (in the lower pane) matches certname.mysite.ie, then do the following to proceed with your wifi connection:
    Select Always trust "certname.mysite.ie"
    Click Continue

    Otherwise, click Cancel to disconnect from this potentially fake server and report the incident to your home site as soon as possible.

If you follow the instructions above then this manual verification step will happen once only, and on subsequent connections to eduroam you will not need to repeat this verification process.
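
The first-use decision described above can be written out as a small model. This is an added example, not Apple's or eduroam's code: the class name, the return strings and the sample prompts are constructed for illustration, and it assumes both names must match in full before "Always trust" is selected.

```python
from dataclasses import dataclass, field


@dataclass
class FirstUseVerifier:
    """Model of the one-time "Verify Certificate" decision (hypothetical)."""
    expected_ca: str        # CA name supplied by the home site
    expected_server: str    # SSL certificate name supplied by the home site
    trusted: set = field(default_factory=set)  # pairs marked "Always trust"

    @staticmethod
    def _host(name: str) -> str:
        # DNS names compare case-insensitively; ignore a trailing dot.
        return name.strip().rstrip(".").lower()

    def decide(self, ca_name: str, server_name: str) -> str:
        """Return 'connect', 'trust-and-continue' or 'cancel-and-report'."""
        pair = (ca_name.strip(), self._host(server_name))
        if pair in self.trusted:
            return "connect"  # verified earlier, so no prompt this time
        # Both names must match in full: a substring or suffix match would
        # accept look-alike names such as certname.mysite.ie.example.net.
        if pair == (self.expected_ca.strip(), self._host(self.expected_server)):
            self.trusted.add(pair)  # user selects "Always trust"
            return "trust-and-continue"
        return "cancel-and-report"


def demo() -> list:
    """Run constructed prompts through the verifier and collect decisions."""
    v = FirstUseVerifier("Cybertrust Educational CA", "certname.mysite.ie")
    prompts = [  # constructed sample data, not captured from a real network
        ("Cybertrust Educational CA", "certname.mysite.ie.example.net"),
        ("Example Untrusted CA", "certname.mysite.ie"),
        ("Cybertrust Educational CA", "CertName.mysite.ie"),
        ("Cybertrust Educational CA", "certname.mysite.ie"),
    ]
    return [v.decide(ca, host) for ca, host in prompts]


if __name__ == "__main__":
    print(demo())
```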
