Configuring MacOSX Tiger (v10.4) wireless client for PEAP+MSCHAPv2 (v3.0, 27th Feb 2014)
Described here are the steps involved in configuring the MacOSX v10.4 (aka Tiger) wireless client to use eduroam, authenticating via PEAP+MSCHAPv2. Your home site will be able to tell you whether PEAP+MSCHAPv2 is the appropriate authentication method that you should use.
Information you will need
To complete these instructions you'll need some information specific to your home site/organisation, plus your own credentials, as listed below. If any of the details in your wifi profile are incorrect then your authentication will fail and you will not gain wifi access via eduroam. The IT department of your home site will be able to provide you with these details:
| Information required | Sample string in the instructions below |
| Your home site's domain name as would appear in, for example, your e-mail address e.g. ucd.ie | mysite.ie |
| [OPTIONAL] The name of the CA certificate used by your home site for eduroam. You will not require this if your site is using a public CA which is already defined on your iPhone. | Cybertrust Educational CA |
| The name on the SSL certificate presented by the authentication server at your home site e.g. tweedledum.ucd.ie | certname.mysite.ie |
| The username you use to authenticate against your home account. Note the inclusion of your domain name e.g. jsoap@ucd.ie | myname@mysite.ie |
| The password you use to authenticate against your home account. | mypassword |
Configuration instructions
The instructions below are broken into two sections:
Notes on the MacOSX Tiger wireless client
- The means by which the MacOSX Tiger wireless client verifies the identity of the home authentication server is to ask the user to review the SSL certificate presented by the server and to indicate whether it should be trusted. For this verification to be effective, the user must know what certificate details they should expect to be presented with and must take the time to check those against what the wireless client sees.
Create a wifi profile
Follow these steps to create your eduroam wifi profile:
- Click on the wireless icon (in the menu bar at the top of the screen).
Select Open Network Preferences....
Click 802.1X (this button might not be immediately visible in which case you'll have to click on the rightmost arrow icon to see it, as shown in this image).
- Click the Configuration: pull-down menu.
Select Edit Configurations...
- Click + in bottom left corner of window.
Define the profile details:
| Description: | eduroam |
| Network Port: | Airport |
| User Name: | myname@mysite.ie |
| Password: | mypassword |
| Wireless Network: | eduroam |
| Authentication: | Select the tickbox beside PEAP and un-select all the others. |
Further info on credential settings
Credential Settings
Your credentials consist of your username, in a form much like an e-mail address, and your password. In this example, the option to cache credentials is chosen by saving them with the profile, but you should consider for yourself whether this option is appropriate for you, and if in doubt then opt to not have your credentials cached (by leaving the username and password fields in the profile empty). If your credentials are not cached then you will be prompted for them each time you use eduroam wifi.
- Select PEAP and click Configure...
Enter details as follows:
| Outer identity: | anonymous@mysite.ie |
Click OK
- To make eduroam your preferred network, within the left pane drag the eduroam entry to the top of the list of networks/configurations.
Click OK
Your wireless client is now configured to avail of eduroam and should connect automatically when at a site where the eduroam service is available.
Using eduroam for the first time
When you use your new eduroam profile for the first time you will be required to verify the details of the authentication server you are talking to, as follows:
- A "Verify Certificate" pop-up window will display on your screen.
Click Show Certificate
- Compare the details shown against those certificate details provided by your home site, as described earlier:
If the CA certificate name (in the upper pane) matches Cybertrust Educational CA and the SSL certificate name (in the lower pane) matches certname.mysite.ie, then do the following to proceed with your wifi connection:
Select Always trust "certname.mysite.ie"
Click Continue
Otherwise, click Cancel to disconnect from this potentially fake server and report the incident to your home site as soon as possible.
If you follow the instructions above then this manual verification step will happen once only, and on subsequent connections to eduroam you will not need to repeat this verification process.
Further info on certificate verification
Certificate Verification
When your client connects to eduroam, it will try to verify the identity of your home authentication server before it passes your credentials to the server for validation. The wireless client relies upon the SSL certificate presented by your home authentication server in order to carry out this verification. The wireless client gives you the opportunity to look at this certificate and to decide whether to trust the server presenting the certificate, or not.
In order to protect your credentials, you must take care to satisfy yourself adequately that the certificate presented is indeed that of your home server. You are presented with details consisting of the name on the certificate and the name of the CA that signed the certificate. Your home site will be able to provide you with the details that you should expect to see here and it is essential that you check them carefully. Should you wish to check further details of the certificate, click on Details in the second window above.
If the details presented do not match what you are expecting, then your wireless client may be talking to a fake server, whose purpose is to capture the credentials of the unwary, and you should disconnect and report the incident to the IT staff of your home site so that it can be investigated. Otherwise, if you have satisfied yourself that the certificate details presented match what you should expect to see, then proceed with the connection and your wireless client will pass your credentials to the server for verification.
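The comparison described under Certificate Verification, scripted with the openssl command line as an added example (it is not part of the original instructions). The expected names are this page's sample strings; the function names, the optional CA file argument (assumed to be a CA certificate obtained from your home site) and the throwaway certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original instructions. The expected names
# are the page's sample strings; the certificates are constructed test data.

# cert_cn FILE subject|issuer : print the commonName from that field
cert_cn() {
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# check_server_cert CERT SERVER_NAME CA_NAME [CA_FILE]
# Succeeds only if both names match and, when CA_FILE (assumed to come from
# the home site) is given, the certificate's signature verifies against it.
check_server_cert() {
    [ "$(cert_cn "$1" subject)" = "$2" ] || { echo "server name mismatch"; return 1; }
    [ "$(cert_cn "$1" issuer)" = "$3" ] || { echo "CA name mismatch"; return 1; }
    if [ -n "${4:-}" ]; then
        openssl verify -CAfile "$4" "$1" >/dev/null 2>&1 ||
            { echo "not signed by the expected CA"; return 1; }
    fi
    echo "certificate matches"
}

# make_ca DIR BASENAME CA_NAME : constructed self-signed CA (test data only)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_cert DIR CA_BASENAME SERVER_NAME : constructed server cert signed by that CA
make_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null
}

demo=$(mktemp -d)
make_ca "$demo" ca "Cybertrust Educational CA"
make_cert "$demo" ca certname.mysite.ie
make_cert "$demo" ca other.mysite.ie
# Expected details: accepted
check_server_cert "$demo/certname.mysite.ie.pem" certname.mysite.ie "Cybertrust Educational CA" "$demo/ca.pem"
# Different server name: rejected
check_server_cert "$demo/other.mysite.ie.pem" certname.mysite.ie "Cybertrust Educational CA" || true
```

The two names are all that the Verify Certificate dialog shows; the optional fourth argument additionally checks the signature against a CA file you already hold.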