802.1X on iPhone

iPhone Device Configuration

This post can also be accessed from

You can download a configuration for the University of Edinburgh central-wpa wifi, eduroam and IPsec (Cisco) VPN from

This is signed by me with the self-signed certificate at

You can first download and accept the certificate, and then install the profile, or just install the profile and accept the profile on a one-off ad hoc basis when asked.

When you install the profile, you'll be asked to provide your UUN and passwords for the UoE systems. For the VPN use your UUN and EASE password; for central-wpa use your UUN and EASE password; for eduroam use an extension of your UUN as follows: and your EASE password.

Once installed you won't need to enter these again!

Let me know if this also works for iPod Touch!

If you want to check my certificate, you may need these:

SHA1 fingerprint 8F 89 CF 00 78 C8 31 B8 6A 56 93 99 13 A6 8F 2B 3B C7 2A 29
MD5 fingerprint  95 80 D6 9C C4 60 4B 86 A0 8A 6F BA 22 42 38 8D
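
One way to check a downloaded .cer file against fingerprints published in the spaced, line-wrapped form used above, as an added example that is not part of the original post. The sample bytes are constructed stand-ins for a certificate, and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def to_der(data: bytes) -> bytes:
    """A .cer file may be raw DER or PEM; fingerprints are over the DER."""
    m = PEM_RE.search(data)
    if m is None:
        return data
    return base64.b64decode(b"".join(m.group(1).split()), validate=True)

def normalise(published: str) -> str:
    """Drop spaces, colons and line wraps from a published fingerprint."""
    digits = re.sub(r"[\s:]", "", published).lower()
    if not re.fullmatch(r"[0-9a-f]+", digits):
        raise ValueError("fingerprint contains non-hex characters")
    return digits

def fingerprint(data: bytes, algo: str = "sha1") -> str:
    return hashlib.new(algo, to_der(data)).hexdigest()

def matches(data: bytes, published: str, algo: str = "sha1") -> bool:
    want = normalise(published)
    # A truncated or mis-copied fingerprint is rejected, not partially matched.
    if len(want) != hashlib.new(algo).digest_size * 2:
        raise ValueError(f"wrong length for a {algo} fingerprint")
    return hmac.compare_digest(fingerprint(data, algo), want)

# Constructed bytes standing in for a downloaded certificate (not a real one).
SAMPLE_DER = b"\x30\x82\x00\x20" + b"constructed certificate body"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Render the sample's fingerprint the way the post prints its own:
    # upper-case byte pairs wrapped over two lines.
    fp = fingerprint(SAMPLE_DER).upper()
    pairs = [fp[i:i + 2] for i in range(0, len(fp), 2)]
    published = " ".join(pairs[:12]) + "\n    " + " ".join(pairs[12:])
    print(published)
    print("DER matches:", matches(SAMPLE_DER, published))
    print("PEM matches:", matches(SAMPLE_PEM, published))
```

For a real check, read the downloaded file's bytes and pass the SHA1 line from the post as `published`.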

The iPhone Configuration Utility allows you to set up and install profiles that give access to 802.1X authenticated WPA wifi. It also gives you access to the iPhone console log, so you have some chance of debugging your configurations when things go wrong.

To see the console log, connect your iPhone via USB cable; your phone appears as a DEVICE. Select it and then the Console tab.

A profile can include a number of sections: General, Passcode, Wi-Fi, VPN, Email, Exchange, Credentials, and Advanced. It is recommended to create a number of specific profiles for different tasks, rather than one mega profile including everything, as a modular approach is easier to manage. In particular, if you change a profile and reinstall it, you have to enter all the passwords it requires anew, so the modular approach goes faster.

After some experimentation I now have three profiles: one for WiFi+VPN, and two more for IMAP configurations for staffmail and gmail.

The first (WiFi + VPN) includes the University certificate(s), configuration for our IPsec (Cisco) VPN, and two WiFi profiles. These are the University of Edinburgh service central-wpa and the confederated EDUcation ROAming service, eduroam, which should allow me to connect back to the same UoE service from almost any academic institution in Europe, Japan or Australia.

It's all a bit confusing, as the documentation for our 802.1X setup is sketchy. For example, I found that I had to install not just the self-signed University of Edinburgh root CA certificate, for the VPN, but also the intermediate certificate authority Cybertrust Educational CA, which is the issuer for the certificates presented by the WiFi servers and is not in the standard Apple list of System Roots. Looking at the log helps.

To add a certificate, make sure it is in the System keychain (so not tied to your administrator account on the Mac) and is trusted. Then use Keychain Access to export it as a .cer file and then import this .cer file into a profile, under the Credentials tab. Note that, even if using multiple modular profiles, you cannot install the same certificate twice.
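
A lint for the two pitfalls described above (a Wi-Fi payload that references a CA certificate the profile does not carry, and the same certificate shipped in two modular profiles), as an added example that is not from the original post. It assumes unsigned profiles, PEAP (EAP type 25) and placeholder UUIDs; the certificate bytes are constructed, and the helper names are this example's own.

```python
import hashlib
import plistlib

CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1"}

def profile(name, payloads):
    """Constructed unsigned profile, round-tripped through plistlib."""
    doc = {"PayloadType": "Configuration", "PayloadDisplayName": name,
           "PayloadContent": payloads}
    return plistlib.loads(plistlib.dumps(doc))

def cert(uuid, der):
    return {"PayloadType": "com.apple.security.root",
            "PayloadUUID": uuid, "PayloadContent": der}

def wifi(ssid, anchors):
    eap = {"AcceptEAPTypes": [25], "PayloadCertificateAnchorUUID": anchors}
    return {"PayloadType": "com.apple.wifi.managed", "SSID_STR": ssid,
            "EncryptionType": "WPA", "EAPClientConfiguration": eap}

def lint(profiles):
    findings, seen = [], {}  # seen: certificate SHA-1 -> first profile name
    for prof in profiles:
        name, payloads = prof["PayloadDisplayName"], prof["PayloadContent"]
        uuids = {p["PayloadUUID"] for p in payloads if p["PayloadType"] in CERT_TYPES}
        for p in payloads:
            if p["PayloadType"] in CERT_TYPES:
                digest = hashlib.sha1(p["PayloadContent"]).hexdigest()
                if digest in seen:
                    findings.append(f"{name}: certificate already in {seen[digest]}")
                seen.setdefault(digest, name)
            if (eap := p.get("EAPClientConfiguration")) is None:
                continue
            anchors = eap.get("PayloadCertificateAnchorUUID", [])
            if not anchors:
                findings.append(f"{name}: {p['SSID_STR']} pins no CA certificate")
            findings += [f"{name}: {p['SSID_STR']} anchor {a} not in profile"
                         for a in anchors if a not in uuids]
    return findings

ROOT, INTER = b"constructed root CA", b"constructed intermediate CA"
BROKEN = [profile("WiFi+VPN", [cert("U-ROOT", ROOT), wifi("eduroam", []),
                               wifi("central-wpa", ["U-INTER"])]),
          profile("staffmail", [cert("U-ROOT-COPY", ROOT)])]
FIXED = [profile("WiFi+VPN", [cert("U-ROOT", ROOT), cert("U-INTER", INTER),
    wifi("central-wpa", ["U-INTER"]), wifi("eduroam", ["U-INTER"])])]

if __name__ == "__main__":
    print(lint(BROKEN), lint(FIXED), sep="\n")
```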

For the VPN use your UUN and EASE password; for central-wpa use your UUN and WiFi password; for eduroam use and your EASE password.

To test eduroam, I switch between the two WiFi profiles. Switching doesn't work properly: each time I have to make (3) repeated attempts, leaving and returning to the Settings App between attempts. Nevertheless, at least this behaviour is repeatable. I look forward to trying eduroam on the road.

Once you've done this, setting up the two Email profiles seems easy. Just set up the account, working from a tried and tested setup, by looking at the account settings for Mail on your Mac - except the Mac doesn't tell you which port it uses for SMTP. On my University account I use for incoming, and the authenticated for outgoing. For Gmail it's and Note the small twist: secure SMTP on Gmail uses port 587, whereas the Informatics authenticated SMTP uses 465. It seems Google does the right thing and 465 is non-standard legacy stuff!

I can't get my Pipex mail set up this way because the Tiscali certificate presented doesn't match the server address. I can override this error if I install the setting by sync with the Mac in iTunes, or enter it manually, but if I set up a profile, it just fails—and the console log says, "an SSL error occurred".
