NAME

Config::Apple::Profile::Payload::Wi-Fi::EAPClientConfiguration - Class for the EAPClientConfiguration payload key in the Wi-Fi payload.

DESCRIPTION

This class implements part of the Wi-Fi payload. Specifically, this class implements the EAPClientConfiguration dictionary. This contains all of the EAP configuration when WPA-Enterprise or WPA2-Enterprise is being used on a Wi-Fi network.

Even though this class is not a payload in its own right, it can be treated as a payload.

INSTANCE METHODS

The following instance methods are provided by this class.

validate_key($key, $value)

Performs additional validation for certain payload keys in this class:

  • AcceptEAPTypes

    This must be 13, 17, 18, 21, 23, 25, or 43.

  • TLSTrustedServerNames

    Only valid host and domain names are allowed, although the asterisk (*) is acceptable as a wildcard.

  • EAPSIMNumberOfRANDs

    This must be either 2 or 3.

  • TTLSInnerAuthentication

    This must be PAP, CHAP, MSCHAP, or MSCHAPv2.

All other payload keys will be checked as usual by the parent class.

See also the documentation in Config::Apple::Profile::Payload::Common.
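The four rules above, reimplemented in Python as an added example (this is not the module's own Perl code). The host-name check is an assumption: each DNS label may contain letters, digits, inner hyphens, or the * wildcard character.

```python
import re

# Value sets exactly as documented for validate_key(); key names are the payload's own.
VALID_EAP_TYPES = {13, 17, 18, 21, 23, 25, 43}
VALID_RANDS = {2, 3}
VALID_INNER_AUTH = {"PAP", "CHAP", "MSCHAP", "MSCHAPv2"}

# One DNS label: alphanumerics or '*' at the ends, hyphens allowed inside (assumed rule).
_LABEL = re.compile(r"^[A-Za-z0-9*](?:[A-Za-z0-9*-]{0,61}[A-Za-z0-9*])?$")


def is_valid_server_name(name):
    """Host/domain name with '*' permitted as a wildcard; rejects '_', empty labels, bad hyphens."""
    if not isinstance(name, str) or not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.rstrip(".").split("."))


def validate_key(key, value):
    """Return None when the value is acceptable, otherwise a human-readable error."""
    if key == "AcceptEAPTypes":
        if not value:
            return "AcceptEAPTypes must list at least one EAP type"
        bad = [t for t in value if t not in VALID_EAP_TYPES]
        if bad:
            return "AcceptEAPTypes contains unsupported types: %r" % bad
    elif key == "TLSTrustedServerNames":
        bad = [n for n in value if not is_valid_server_name(n)]
        if bad:
            return "TLSTrustedServerNames contains invalid names: %r" % bad
    elif key == "EAPSIMNumberOfRANDs":
        if value not in VALID_RANDS:
            return "EAPSIMNumberOfRANDs must be 2 or 3"
    elif key == "TTLSInnerAuthentication":
        if value not in VALID_INNER_AUTH:
            return "TTLSInnerAuthentication must be PAP, CHAP, MSCHAP or MSCHAPv2"
    return None  # every other key is left to the parent class's generic checks


def validate_config(config):
    """Apply validate_key() to a whole EAPClientConfiguration dict; returns the list of errors."""
    return [err for k, v in config.items() for err in [validate_key(k, v)] if err]
```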

PAYLOAD KEYS

This payload has the following keys:

AcceptEAPTypes

This is an array of numbers, where each number represents one type of EAP method to use.

At least one EAP method must be specified. The following EAP methods are supported:

13 = EAP-TLS

As defined in RFC 5216, available at http://tools.ietf.org/html/rfc5216. The client is authenticated using an identity certificate.

17 = LEAP

The Cisco-developed protocol. This should not be used for new environments.

18 = EAP-SIM

As defined in RFC 4186, available at http://tools.ietf.org/html/rfc4186. The client is authenticated using their phone's SIM, using challenge-response.

21 = EAP-TTLS

As defined in RFC 5281, available at http://tools.ietf.org/html/rfc5281. The client is authenticated using a username & password, but that authentication takes place inside of a TLS connection.

23 = EAP-AKA

As defined in RFC 5448, available at http://tools.ietf.org/html/rfc5448. The client is authenticated using their phone's USIM, using challenge-response.

25 = PEAP

43 = EAP-FAST

As defined in RFC 4851, available at http://tools.ietf.org/html/rfc4851. The client is authenticated using a pre-shared credential, or (if none is available) some other EAP method, embedded in a TLS connection.

If multiple EAP types are listed, Apple's documentation does not specify the order in which they will be used.

Basic Authentication Parameters

UserName

Optional

A string. This is the exact username to use. If not provided, the user will be asked to enter this information during authentication.

OuterIdentity

Optional, relevant only to TTLS, PEAP, and FAST.

A string. If present, the value of this string will be used as the username outside of the encrypted tunnel; the real username will only be passed inside the encrypted tunnel.

UserPassword

Optional

A string. If a password is used during authentication, it will be taken from here. If a password is needed, but not already provided, then the user will be prompted.

OneTimePassword

Optional

A boolean. If true, then the user will be asked for a password every time the device connects to the wireless network. If false, the password will be saved for future connections to the wireless network.

Default is false.

TLS Configuration

PayloadCertificateAnchorUUID

Optional, used by authentication methods that provide a TLS certificate.

An array of UUIDs. The UUIDs point to Certificate payloads that have been loaded onto the device, either as part of this profile or via an already-installed profile.

When the EAP server provides their TLS certificate, the device must confirm that the server's certificate is trusted. If this array is provided, the device will use it as the list of trusted certificates, for the purposes of certificate verification and trust.

The EAP server's certificate must pass this test, as well as the test defined in "TLSTrustedServerNames", before the certificate will be trusted.

See Config::Apple::Profile::Payload::Certificate for more information on the certificate payload types. See also "TLSAllowTrustExceptions".

TLSTrustedServerNames

Optional, used by authentication methods that provide a TLS certificate.

An array of strings. Each string is a domain name, with the * wildcard allowed. When the EAP server presents its certificate, the certificate's common name will be checked against this list; if the common name does not match any of the patterns in the list, the certificate will not be trusted.

The EAP server's certificate must pass this test, as well as the test defined in "PayloadCertificateAnchorUUID", before the certificate will be trusted.

See also "TLSAllowTrustExceptions".

TLSAllowTrustExceptions

Optional, used by authentication methods that provide a TLS certificate.

A boolean.

Certificate trust is automatically determined using the payload keys PayloadCertificateAnchorUUID and TLSTrustedServerNames. If both keys are undefined, then automatic validation fails. If both keys are defined, and either test failed, the automatic validation fails. If only one key is defined, then automatic validation fails if that one test fails.

If this key is true, and automatic validation had failed, then the user will be given the option to explicitly trust the certificate, or to cancel the connection attempt. If this key is false, then the user will not be given any option; if automatic validation fails, then the connection fails.

The default value is not fixed: If either PayloadCertificateAnchorUUID or TLSTrustedServerNames is defined, then the default value is false. If both PayloadCertificateAnchorUUID and TLSTrustedServerNames are undefined, then the default value is true.
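The automatic-validation and default rules for PayloadCertificateAnchorUUID, TLSTrustedServerNames and TLSAllowTrustExceptions, worked through in Python as an added example (not the module's code). Two assumptions: the * wildcard matches any characters within a single DNS label, and the device's chain building is stood in for by a list of anchor UUIDs the presented chain is taken to chain to.

```python
import re


def name_matches(pattern, common_name):
    """Match one TLSTrustedServerNames pattern against the certificate common name.
    Assumed wildcard semantics: '*' matches any characters within a single DNS label."""
    parts = [re.escape(p).replace(r"\*", r"[^.]*") for p in pattern.lower().split(".")]
    return re.fullmatch(r"\.".join(parts), common_name.lower().rstrip(".")) is not None


def effective_allow_trust_exceptions(config):
    """Resolve TLSAllowTrustExceptions with the documented default: true only when
    both PayloadCertificateAnchorUUID and TLSTrustedServerNames are undefined."""
    if "TLSAllowTrustExceptions" in config:
        return bool(config["TLSAllowTrustExceptions"])
    return "PayloadCertificateAnchorUUID" not in config and "TLSTrustedServerNames" not in config


def trust_decision(config, chain_anchor_uuids, common_name):
    """Return 'trusted', 'prompt' or 'rejected' for a presented EAP server certificate.
    chain_anchor_uuids: UUIDs of the Certificate payloads the chain actually chains to
    (constructed stand-in for real chain building)."""
    tests = []
    if "PayloadCertificateAnchorUUID" in config:
        anchors = set(config["PayloadCertificateAnchorUUID"])
        tests.append(any(uuid in anchors for uuid in chain_anchor_uuids))
    if "TLSTrustedServerNames" in config:
        tests.append(any(name_matches(p, common_name) for p in config["TLSTrustedServerNames"]))
    # Both keys undefined -> no tests -> automatic validation fails; otherwise every defined test must pass.
    if tests and all(tests):
        return "trusted"
    return "prompt" if effective_allow_trust_exceptions(config) else "rejected"


# Constructed sample configurations; the UUID and names are placeholders, not real values.
PINNED = {
    "PayloadCertificateAnchorUUID": ["00000000-0000-4000-8000-000000000001"],
    "TLSTrustedServerNames": ["*.corp.example.com"],
}
UNPINNED = {"AcceptEAPTypes": [25]}  # neither trust key defined: exceptions default to true

if __name__ == "__main__":
    print(trust_decision(PINNED, ["00000000-0000-4000-8000-000000000001"], "radius1.corp.example.com"))
    print(trust_decision(PINNED, ["00000000-0000-4000-8000-000000000001"], "radius.other.example.com"))
    print(trust_decision(UNPINNED, [], "anything.example.com"))
```

A profile like UNPINNED never rejects a server certificate outright; it only defers to the user, which is why a deployment should define at least one of the two trust keys.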

TLSCertificateIsRequired

Optional, relevant only to PEAP, EAP-TTLS, EAP-FAST, and EAP-TLS. Available in iOS 7.0 and later.

If true, allows for two-factor authentication for PEAP, EAP-TTLS, and EAP-FAST. If false, allows for zero-factor authentication for EAP-TLS.

The default value is not fixed. If EAP-TLS is being used, then the default is true. For all other EAP types, the default is false.

EAP-TTLS Configuration

The key in this section is only used with EAP-TTLS.

TTLSInnerAuthentication

Optional

A string. This is the authentication method used inside the tunnel. Valid values are:

PAP
CHAP
MSCHAP
MSCHAPv2

The default is MSCHAPv2.

EAP-FAST Configuration

The keys in this section are only used with EAP-FAST.

EAPFASTUsePAC

Optional

A boolean. If an existing PAC is present, and this key is true, then use the existing PAC. Otherwise, the server must use a certificate to prove its identity.

Default is false.

EAPFASTProvisionPAC

Optional

A boolean. If true, allow PAC provisioning. This key has no effect unless EAPFASTUsePAC is true.

Default is false.

EAPFASTProvisionPACAnonymously

Optional

A boolean. If true, the PAC may be provisioned anonymously.

NOTE: Anonymous PAC provisioning has known man-in-the-middle attacks. If PAC provisioning is used, this key should be set to false.

Default is false.

EAPSIMNumberOfRANDs

Optional

A number, either 2 or 3. This is the number of RANDs expected for EAP-SIM.

Default is 3.

ACKNOWLEDGEMENTS

Refer to Config::Apple::Profile for acknowledgements.

AUTHOR

A. Karl Kornel, <karl at kornel.us>

COPYRIGHT AND LICENSE

Copyright © 2014 A. Karl Kornel.

This program is free software; you can redistribute it and/or modify it under the terms of either: the GNU General Public License as published by the Free Software Foundation; or the Artistic License.

See http://dev.perl.org/licenses/ for more information.