802.1X on iPhone
iPhone Device Configuration
This post can also be accessed from http://tinyurl.com/8021xiphone
You can download a configuration for the University of Edinburgh central-wpa wifi, eduroam and IPsec (Cisco) VPN from http://homepages.inf.ed.ac.uk/mfourman/iphone/UoE.mobileconfig
or http://tinyurl.com/uoecfg
This is signed by me with the self-signed certificate at http://homepages.inf.ed.ac.uk/mfourman/iphone/MichaelFourmanCA.cer
or http://tinyurl.com/ouosp5
You can first download and accept the certificate, and then install the profile, or just install the profile and accept the profile on a one-off ad hoc basis when asked.
When you install the profile, you'll be asked to provide your UUN and passwords for the UoE systems. For the VPN use your UUN and EASE password; for central-wpa use your UUN and EASE password; for eduroam use an extension of your UUN as follows:
Once installed you won't need to enter these again!
Let me know if this also works for iPod Touch!
If you want to check my certificate, you may need these:
SHA1 fingerprint: 8F 89 CF 00 78 C8 31 B8 6A 56 93 99 13 A6 8F 2B 3B C7 2A 29
MD5 fingerprint: 95 80 D6 9C C4 60 4B 86 A0 8A 6F BA 22 42 38 8D
The iPhone Configuration Utility allows you to set up and install profiles that give access to 802.1X authenticated WPA wifi. It also gives you access to the iPhone console log, so you have some chance of debugging your configurations when things go wrong.
To see the console log, connect your iPhone via USB cable; the phone appears under DEVICES. Select it, then the Console tab.
A profile can include a number of sections: General, Passcode, Wi-Fi, VPN, Email, Exchange, Credentials, and Advanced. It is recommended to create a number of specific profiles for different tasks, rather than one mega profile including everything, as a modular approach is easier to manage. In particular, if you change a profile and reinstall it, you have to enter all the passwords it requires anew, so the modular approach goes faster.
After some experimentation I now have three profiles: one for WiFi+VPN, and two more for IMAP configurations for staffmail and gmail.
The first (WiFi + VPN) includes the University certificate(s), configuration for our IPSec (Cisco) VPN, and two WiFi profiles. These are the University of Edinburgh service central-wpa, and the confederated EDUcation ROAming service, eduroam, which should allow me to connect back to the same UoE service from almost any academic institution in Europe, Japan or Australia.
It's all a bit confusing, as the documentation for our 802.1X setup is sketchy. For example, I found that I had to install not just the self-signed University of Edinburgh CA root certificate authority, for the VPN, but also the intermediate certificate authority Cybertrust Educational CA, which is the issuer for the certificates presented by the WiFi servers and is not in the standard Apple list of System Roots. Looking at the log helps.
To add a certificate, make sure it is in the System keychain (so not tied to your administrator account on the Mac) and is trusted. Then use Keychain Access to export it as a .cer file and import this .cer file into a profile, under the Credentials tab. Note that, even if using multiple modular profiles, you cannot install the same certificate twice.
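As an added illustration (not the author's profile and not Apple's tooling), here is a Python sketch of the structure the iPhone Configuration Utility writes into a .mobileconfig: one Credentials payload per certificate, a Wi-Fi payload whose 802.1X (EAP) settings name those certificates as trust anchors, and a check that catches the mistake described above, a trust anchor that the Wi-Fi payload references but the profile does not carry. The UUIDs, DER bytes and RADIUS hostname are constructed placeholders.

```python
import plistlib

def cert_payload(name, der_bytes, payload_uuid):
    """Credentials payload carrying one DER certificate (sample bytes here, not a real CA)."""
    return {"PayloadType": "com.apple.security.root", "PayloadVersion": 1,
            "PayloadIdentifier": "example.cert." + payload_uuid.lower(),
            "PayloadUUID": payload_uuid, "PayloadDisplayName": name,
            "PayloadContent": der_bytes}  # plistlib serialises bytes as <data>

def wifi_payload(ssid, anchor_uuids, server_names):
    """WPA-Enterprise (802.1X) Wi-Fi payload using PEAP (EAP type 25). The anchor
    UUIDs and trusted server names limit which RADIUS certificates the phone accepts."""
    return {"PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1,
            "PayloadIdentifier": "example.wifi." + ssid, "PayloadUUID": "WIFI-" + ssid,
            "PayloadDisplayName": "Wi-Fi " + ssid, "SSID_STR": ssid,
            "EncryptionType": "WPA", "AutoJoin": True,
            "EAPClientConfiguration": {"AcceptEAPTypes": [25],
                                       "PayloadCertificateAnchorUUID": list(anchor_uuids),
                                       "TLSTrustedServerNames": list(server_names)}}

def build_profile(payloads):
    """Top-level profile dictionary wrapping the individual payloads."""
    return {"PayloadType": "Configuration", "PayloadVersion": 1,
            "PayloadIdentifier": "example.profile", "PayloadUUID": "PROFILE-1",
            "PayloadDisplayName": "Example WiFi profile", "PayloadContent": list(payloads)}

def to_mobileconfig(profile):
    """Serialise to the XML plist bytes a .mobileconfig file contains."""
    return plistlib.dumps(profile)

def from_mobileconfig(data):
    return plistlib.loads(data)

def missing_anchors(profile):
    """(ssid, uuid) pairs where a Wi-Fi payload trusts an anchor UUID that no
    certificate payload in the same profile supplies (the missing-intermediate-CA case)."""
    cert_uuids = {p["PayloadUUID"] for p in profile["PayloadContent"]
                  if p["PayloadType"] == "com.apple.security.root"}
    found = []
    for p in profile["PayloadContent"]:
        if p["PayloadType"] != "com.apple.wifi.managed":
            continue
        eap = p.get("EAPClientConfiguration", {})
        found += [(p["SSID_STR"], u) for u in eap.get("PayloadCertificateAnchorUUID", [])
                  if u not in cert_uuids]
    return found

# Constructed sample inputs: two tiny stand-in DER blobs, not real certificates.
ROOT = cert_payload("Root CA (sample)", b"\x30\x03\x02\x01\x00", "ROOT-CA-UUID")
INTERMEDIATE = cert_payload("Intermediate CA (sample)", b"\x30\x03\x02\x01\x01", "INT-CA-UUID")
WIFI = wifi_payload("central-wpa", ["ROOT-CA-UUID", "INT-CA-UUID"], ["radius.example.ac.uk"])
GOOD = build_profile([ROOT, INTERMEDIATE, WIFI])
BAD = build_profile([ROOT, WIFI])  # intermediate omitted, as in the first attempt described above

if __name__ == "__main__":
    print(missing_anchors(BAD))  # [('central-wpa', 'INT-CA-UUID')]
```

Running the check over a profile before signing it flags a referenced-but-absent CA before the phone does, which otherwise shows up only as a failed association in the console log.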
For the VPN use your UUN and EASE password; for central-wpa use your UUN and WiFi password; for eduroam use
To test eduroam, I switch between the two WiFi profiles. Switching doesn't work properly: each time I have to make three repeated attempts, leaving and returning to the Settings App between attempts. Nevertheless, at least this behaviour is repeatable. I look forward to trying eduroam on the road.
Once you've done this, setting up the two Email profiles seems easy. Just set up the account, working from a tried and tested setup, by looking at the account settings for Mail on your Mac - except the Mac doesn't tell you which port it uses for SMTP. On my University account I use imap.staffmail.ed.ac.uk:993 for incoming, and the authenticated smtp.inf.ed.ac.uk:465 for outgoing. For Gmail it's imap.gmail.com:993 and smtp.gmail.com:587. Note the small twist: secure SMTP on Gmail uses port 587, whereas the Informatics authenticated SMTP uses 465. It seems Google does the right thing and 465 is non-standard legacy stuff!
I can't get my Pipex mail set up this way because the Tiscali certificate presented doesn't match the server address. I can override this error if I install the setting by sync with the Mac in iTunes, or enter it manually, but if I set up a profile, it just fails—and the console log says, "an SSL error occurred".