
Add trusted server name and certificate to configuration profile for 802.1X EAP-TLS authentication

I run a small network which uses WPA2-Enterprise WiFi with 802.1X EAP-TLS authentication. I don't have access to Mac OS X and have successfully generated mobileconfig profiles using a text editor, which allow the iOS devices to connect to my WiFi network using EAP-TLS authentication. However, when the device connects it still prompts the user to verify and accept the identity of the RADIUS server.


Reading through the Configuration Profile Reference, my understanding is that I can use the TLSTrustedServerNames and PayloadCertificateAnchorUUID keys in the EAPClientConfiguration dictionary to prevent the device from asking if the certificate is to be trusted. However, when I add these keys to the configuration profile the devices will not connect to the wireless network. I've tried using the TLSTrustedServerNames and PayloadCertificateAnchorUUID keys both together and individually. I've also tried specifying the UUIDs of both my CA and RADIUS server certificates, which I've included in the configuration profile.


My working WiFi payload is as follows:


        <dict>
            <!-- Identifiers and UUIDs are placeholders; every payload needs its own unique PayloadUUID -->
            <key>PayloadIdentifier</key>
            <string>net.mydomain.subdomain.wifi.conf1</string>
            <key>PayloadUUID</key>
            <string>unique UUID for payload</string>
            <key>PayloadType</key>
            <string>com.apple.wifi.managed</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>SSID_STR</key>
            <string>MYWIFISSID</string>
            <key>AutoJoin</key>
            <true/>
            <key>EncryptionType</key>
            <string>WPA</string>
            <key>EAPClientConfiguration</key>
            <dict>
                <key>AcceptEAPTypes</key>
                <array>
                    <integer>13</integer> <!-- EAP type 13 = EAP-TLS -->
                </array>
            </dict>
            <!-- UUID of the com.apple.security.pkcs12 payload carrying the client identity -->
            <key>PayloadCertificateUUID</key>
            <string>UUID of my client certificate</string>
            <key>ProxyType</key>
            <string>Auto</string>
            <key>ProxyPACURL</key>
            <string>http://wpad.subdomain.mydomain.net/proxy.pac</string>
            <key>ProxyPACFallbackAllowed</key>
            <true/>
        </dict>


I have attempted the following configuration, but it does not allow the devices to connect:


        <dict>
            <key>PayloadIdentifier</key>
            <string>net.mydomain.subdomain.wifi.conf1</string>
            <key>PayloadUUID</key>
            <string>unique UUID for payload</string>
            <key>PayloadType</key>
            <string>com.apple.wifi.managed</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>SSID_STR</key>
            <string>MYWIFISSID</string>
            <key>AutoJoin</key>
            <true/>
            <key>EncryptionType</key>
            <string>WPA</string>
            <key>EAPClientConfiguration</key>
            <dict>
                <key>AcceptEAPTypes</key>
                <array>
                    <integer>13</integer> <!-- EAP type 13 = EAP-TLS -->
                </array>
                <!-- Server names the device will accept without prompting the user -->
                <key>TLSTrustedServerNames</key>
                <array>
                    <string>server.subdomain.mydomain.net</string>
                </array>
                <!-- UUIDs of certificate payloads (included elsewhere in this profile) to trust as anchors -->
                <key>PayloadCertificateAnchorUUID</key>
                <array>
                    <string>UUID of CA certificate</string>
                    <string>UUID of server certificate</string>
                </array>
            </dict>
            <key>PayloadCertificateUUID</key>
            <string>UUID of my client certificate</string>
            <key>ProxyType</key>
            <string>Auto</string>
            <key>ProxyPACURL</key>
            <string>http://wpad.subdomain.mydomain.net/proxy.pac</string>
            <key>ProxyPACFallbackAllowed</key>
            <true/>
        </dict>


Any assistance would be greatly appreciated.

iPad 2, iOS 8.4.1

Posted on Sep 3, 2015 4:40 PM

Question marked as Best reply

Posted on Sep 4, 2015 8:59 PM

I discovered what my issue was. My Active Directory certificate server wasn't adding a common name to the server certificate, only the DNS subject alternative name. Once I was able to generate a certificate for my RADIUS server with a matching common name, both the TLSTrustedServerNames and PayloadCertificateAnchorUUID keys worked. I also discovered that I only need to include the CA certificate for the RADIUS server certificate under the PayloadCertificateAnchorUUID key.

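The profile the accepted answer ends up with, assembled with Python's plistlib rather than by hand, as an added example that is not code from the original post. It carries three payloads: the issuing CA of the RADIUS server certificate (the only anchor the answer found necessary), the PKCS#12 client identity, and the Wi-Fi payload whose EAPClientConfiguration names the RADIUS server in TLSTrustedServerNames and points PayloadCertificateAnchorUUID at the CA payload. The identifier prefix, display names and the certificate bytes are placeholders (a real profile carries the DER-encoded CA certificate and a real PKCS#12 bundle); check_profile is an editor-written consistency check that catches the silent failure mode in the question, a UUID that does not resolve to a certificate payload in the same profile.

```python
"""Generate and sanity-check a .mobileconfig for WPA2-Enterprise / EAP-TLS.

Added example (not code from the original post). The identifier prefix,
payload identifiers and certificate bytes are placeholders; a real profile
carries the DER-encoded CA certificate and a PKCS#12 bundle holding the
client identity.
"""
import plistlib
import uuid

# Constructed placeholders standing in for real DER / PKCS#12 bytes.
CA_CERT_DER = b"CONSTRUCTED-PLACEHOLDER-CA-DER"
CLIENT_P12 = b"CONSTRUCTED-PLACEHOLDER-PKCS12"

# Payload types that a PayloadCertificateAnchorUUID entry may point at.
CERT_PAYLOAD_TYPES = {
    "com.apple.security.root",
    "com.apple.security.pkcs1",
    "com.apple.security.pkcs12",
}
EAP_TLS = 13  # EAP method number for EAP-TLS


def _new_uuid():
    return str(uuid.uuid4()).upper()


def build_profile(ssid, radius_server_name, ca_der, client_p12, p12_password,
                  prefix="net.mydomain.subdomain"):
    """Return the profile as a plain dict; plistlib turns it into XML."""
    ca_uuid, client_uuid, wifi_uuid = _new_uuid(), _new_uuid(), _new_uuid()

    # Issuing CA of the RADIUS server certificate: the only anchor needed.
    ca_payload = {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": prefix + ".ca",
        "PayloadUUID": ca_uuid,
        "PayloadDisplayName": "RADIUS issuing CA",
        "PayloadContent": ca_der,  # bytes are written as a <data> element
    }
    # Client identity (certificate + private key) presented during EAP-TLS.
    client_payload = {
        "PayloadType": "com.apple.security.pkcs12",
        "PayloadVersion": 1,
        "PayloadIdentifier": prefix + ".client",
        "PayloadUUID": client_uuid,
        "PayloadDisplayName": "EAP-TLS client identity",
        "PayloadContent": client_p12,
        "Password": p12_password,
    }
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": prefix + ".wifi",
        "PayloadUUID": wifi_uuid,
        "SSID_STR": ssid,
        "AutoJoin": True,
        "EncryptionType": "WPA",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [EAP_TLS],
            # Must match the common name in the RADIUS server certificate.
            "TLSTrustedServerNames": [radius_server_name],
            # Reference the CA payload above, not the server certificate.
            "PayloadCertificateAnchorUUID": [ca_uuid],
        },
        "PayloadCertificateUUID": client_uuid,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": prefix + ".eaptls",
        "PayloadUUID": _new_uuid(),
        "PayloadDisplayName": "WPA2-Enterprise EAP-TLS (%s)" % ssid,
        "PayloadContent": [ca_payload, client_payload, wifi_payload],
    }


def serialize(profile):
    """XML plist bytes, ready to be saved as an (unsigned) .mobileconfig."""
    return plistlib.dumps(profile)


def check_profile(profile):
    """List the cross-reference problems in a profile (empty list = fine).

    A UUID in PayloadCertificateAnchorUUID / PayloadCertificateUUID that does
    not resolve to a certificate payload in the same profile shows up on the
    device only as a network it refuses to join, so check it before installing.
    """
    payloads = profile.get("PayloadContent", [])
    by_uuid = {p["PayloadUUID"]: p for p in payloads}
    problems = []
    for p in payloads:
        if p.get("PayloadType") != "com.apple.wifi.managed":
            continue
        ssid = p.get("SSID_STR", "?")
        eap = p.get("EAPClientConfiguration", {})
        if EAP_TLS not in eap.get("AcceptEAPTypes", []):
            problems.append("%s: AcceptEAPTypes does not list 13 (EAP-TLS)" % ssid)
        if not eap.get("TLSTrustedServerNames"):
            problems.append("%s: no TLSTrustedServerNames, so the user will be "
                            "prompted to trust the RADIUS server" % ssid)
        for ref in eap.get("PayloadCertificateAnchorUUID", []):
            target = by_uuid.get(ref)
            if target is None or target.get("PayloadType") not in CERT_PAYLOAD_TYPES:
                problems.append("%s: anchor %s is not a certificate payload in "
                                "this profile" % (ssid, ref))
        client = by_uuid.get(p.get("PayloadCertificateUUID"))
        if client is None or client.get("PayloadType") != "com.apple.security.pkcs12":
            problems.append("%s: PayloadCertificateUUID must point at a PKCS#12 "
                            "identity payload" % ssid)
    return problems


if __name__ == "__main__":
    prof = build_profile("MYWIFISSID", "server.subdomain.mydomain.net",
                         CA_CERT_DER, CLIENT_P12, "changeit")
    print(check_profile(prof) or "profile references are consistent")
    with open("eaptls.mobileconfig", "wb") as fh:
        fh.write(serialize(prof))
```

Before installing, confirm that the name placed in TLSTrustedServerNames actually appears as the common name of the RADIUS server certificate, not only in its subject alternative name (the mismatch the answer describes): `openssl x509 -in radius.pem -noout -subject -text` prints both the subject and the SAN extension.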
