Introduction

MacOS X Lion and later do not allow the manual configuration of an 802.1X authentication profile. Instead, a "profile" file containing the 802.1X details is pre-created by a system administrator, and the user then uses that file to configure 802.1X.

Guide for MacOS X Lion users

Your system administrators will show you a website containing the iPhone configuration profile for Eduroam. Use Safari to browse to that file. Alternatively, use some other way to save the file to your machine and open it using Finder.

You are prompted to install the profile.

If you are not sure if this is the right file, then you can use Show profile to make sure the contents of the profile configure Wifi and add a certificate.

You are then asked to confirm your choices, and may need to give your user name to allow the computer's configuration to be altered.

You will then be asked to complete the individual parts of the profile, such as your user name. Use the user name format provided by your system administrator's documentation.

Once the profile is installed you are left in the profile configuration utility. There is nothing else to do, so you can exit that.

If you later need to change the configuration profiles then use Apple | System Preferences... and from the System subheading choose Profiles. You can use that configuration utility to add or delete profiles.

Guide for systems administrators

Prepare the Eduroam CA certificate

Download your site's eduroam Certificate Authority certificate.

This should be in DER format. If it is in PEM format then convert it to DER format using OpenSSL. MacOS X doesn't include OpenSSL, although you can install it from MacPorts with port install openssl.

$ openssl x509 -inform pem -in eduroam-example-edu-au-cacert.pem -outform der -out eduroam-example-edu-au-cacert.der

Prepare iPhone Configuration Utility

On a machine using MacOS X Lion or later, download and install Apple's iPhone Configuration Utility.

Create a 802.1x profile for Eduroam

Start the iPhone Configuration Utility by selecting Applications | Utilities | iPhone Configuration Utility.

Create a new configuration profile by highlighting Configuration profiles and pressing New.

Now load the Eduroam CA certificate into the profile by selecting Credentials | Configure and selecting the file containing the CA certificate (in our example eduroam-example-edu-au-cacert.der).

Now do the bulk of the configuration by selecting Wifi | Configure and completing the form.

Wifi
Service Set Identifier (SSID): eduroam
Security Type: WPA/WPA2 Enterprise
Protocols
Accepted EAP Types: TTLS
Inner authentication (for TTLS): PAP

or

Protocols
Accepted EAP Types: PEAP

or

Protocols
Accepted EAP Types: TTLS, PEAP
Inner authentication (for TTLS): PAP

The choice of TTLS or PEAP or both depends on which EAPs your RADIUS server and authentication backend support.

Authentication
Username: Leave this blank, then the installer of the profile will be prompted for their user name
Use Per-Connection Password: Y
Outer Identity: anonymous@example.edu.au

The outer identity should end in your site's domain name. "anonymous" is a common username. It doesn't have to be a real user name, as the outer identity is only used for routing the Eduroam authentication request to the correct RADIUS server. It is the inner identity which is used for authentication.

Trust
Trusted Certificates: example.edu.au

This is the certificate which we loaded into the profile earlier.

Finally, export the profile to a file by highlighting the profile and pressing Export. I have chosen not to sign the configuration, so that any user can install it.

You are then prompted for a filename.

In this example I used the name eduroam-example-edu-au. This created the file eduroam-example-edu-au.mobileconfig. This is an XML file and you can use a text viewer to ensure that the parameters look acceptable.
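The parameter check described above can also be scripted before the file is published. This is an added example, not part of the original guide: it assumes an unsigned profile (plain XML) and the key names of Apple's Wi-Fi payload (SSID_STR, EAPClientConfiguration, AcceptEAPTypes, TTLSInnerAuthentication, OuterIdentity, PayloadCertificateAnchorUUID); the function names and the sample profile are constructed for illustration.

```python
import plistlib

# EAP method numbers used in the AcceptEAPTypes key of Apple's Wi-Fi payload.
EAP_TTLS, EAP_PEAP = 21, 25

def check_eduroam_profile(data, domain):
    """Return a list of problems found in a .mobileconfig; empty means OK."""
    payloads = plistlib.loads(data).get("PayloadContent", [])
    # UUIDs of the certificate payloads shipped inside this profile.
    cert_uuids = {p.get("PayloadUUID") for p in payloads
                  if p.get("PayloadType", "").startswith("com.apple.security.")}
    wifi = [p for p in payloads if p.get("PayloadType") == "com.apple.wifi.managed"]
    if not wifi:
        return ["no Wi-Fi payload"]
    problems = []
    for p in wifi:
        eap = p.get("EAPClientConfiguration", {})
        types = set(eap.get("AcceptEAPTypes", []))
        if p.get("SSID_STR") != "eduroam":
            problems.append("SSID is not eduroam")
        if not types or not types <= {EAP_TTLS, EAP_PEAP}:
            problems.append("EAP types other than TTLS/PEAP")
        if EAP_TTLS in types and eap.get("TTLSInnerAuthentication") != "PAP":
            problems.append("TTLS inner authentication is not PAP")
        if not eap.get("OuterIdentity", "").endswith("@" + domain):
            problems.append("outer identity does not end in @" + domain)
        if eap.get("UserName"):
            problems.append("user name is pre-filled")
        # The Trust setting: the RADIUS server must chain to a CA in the profile.
        anchors = set(eap.get("PayloadCertificateAnchorUUID", []))
        if not anchors or not anchors <= cert_uuids:
            problems.append("no trusted CA certificate from this profile")
    return problems

def sample_profile(**eap_overrides):
    """Build a constructed profile resembling the example configuration."""
    eap = {"AcceptEAPTypes": [EAP_TTLS], "TTLSInnerAuthentication": "PAP",
           "OuterIdentity": "anonymous@example.edu.au",
           "PayloadCertificateAnchorUUID": ["CA-UUID-PLACEHOLDER"]}
    eap.update(eap_overrides)
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
        {"PayloadType": "com.apple.security.root",
         "PayloadUUID": "CA-UUID-PLACEHOLDER", "PayloadContent": b"constructed"},
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "eduroam",
         "EncryptionType": "WPA", "EAPClientConfiguration": eap}]})

if __name__ == "__main__":
    print(check_eduroam_profile(sample_profile(), "example.edu.au"))
    print(check_eduroam_profile(
        sample_profile(PayloadCertificateAnchorUUID=[]), "example.edu.au"))
```

To check a real export, read the file in binary mode and pass its bytes together with your site's domain name.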

Distribute the 802.1x profile for Eduroam

The simplest way to distribute the profile is to serve it from the organisation's website. You should only allow members of your organisation to download the file, but enterprise websites can easily limit access to authenticated users.

A MIME type for files with the .mobileconfig extension may need to be added to the web server. These files should be served with the MIME type "application/x-apple-aspen-config". Here's the result of our example, served with the correct MIME type: eduroam-example-edu-au.mobileconfig

Documentation

Users will be prompted for their user name. You should provide your users with the format of the expected response. The common possibilities are:

The acceptable possibilities will depend on the back-end authentication attached to your site's Eduroam RADIUS server.

If you run multiple authentication systems then let your users know which one your Eduroam uses so that they know which password they should use.