NAME
Config::Apple::Profile::Payload::Wi-Fi::EAPClientConfiguration - Class for the EAPClientConfiguration payload key in the Wi-Fi payload.
DESCRIPTION
This class implements part of the Wi-Fi payload. Specifically, this class implements the EAPClientConfiguration
dictionary. This contains all of the EAP configuration when WPA-Enterprise or WPA2-Enterprise is being used on a Wi-Fi network.
Even though this class is not a payload in its own right, it can be treated as a payload.
INSTANCE METHODS
The following instance methods are provided by this class.
validate_key($key, $value)
Performs additional validation for certain payload keys in this class:
AcceptEAPTypes
This must be 13, 17, 18, 21, 23, 25, or 43.
TLSTrustedServerNames
Only valid host and domain names are allowed, although the asterisk (*) is acceptable as a wildcard.
EAPSIMNumberOfRANDs
This must be either 2 or 3.
TTLSInnerAuthentication
This must be PAP, CHAP, MSCHAP, or MSCHAPv2.
All other payload keys will be checked as usual by the parent class.
See also the documentation in Config::Apple::Profile::Payload::Common.
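The four checks above, modelled as a stand-alone Python function. This is an added illustration, not code from the Config::Apple::Profile distribution; the hostname rule (one DNS label per dot-separated component, with "*" allowed in place of all or part of a label) is an assumption, since the page does not spell out how strictly the wildcard is interpreted.

```python
import re

# Added example, not part of Config::Apple::Profile. It models the extra
# validation the EAPClientConfiguration class applies to four payload keys.

# AcceptEAPTypes numbers and the EAP methods they select (from the PAYLOAD KEYS list).
EAP_TYPES = {13: "EAP-TLS", 17: "LEAP", 18: "EAP-SIM", 21: "EAP-TTLS",
             23: "EAP-AKA", 25: "PEAP", 43: "EAP-FAST"}

# Accepted TTLSInnerAuthentication values (case-sensitive, as documented).
INNER_AUTH = ("PAP", "CHAP", "MSCHAP", "MSCHAPv2")

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen,
# at most 63 characters. "*" may replace all or part of a label (assumption).
_LABEL = re.compile(r"^[A-Za-z0-9*](?:[A-Za-z0-9*-]{0,61}[A-Za-z0-9*])?$")


def valid_server_name(name):
    """True if name is a plausible host/domain name, with '*' as a wildcard."""
    if not isinstance(name, str) or not name or len(name) > 253:
        return False
    # An empty label (leading/trailing dot, or "..") fails the regex.
    return all(_LABEL.match(label) for label in name.split("."))


def validate_key(key, value):
    """Return True if value is acceptable for key under this class's rules."""
    if key == "AcceptEAPTypes":
        # At least one method, and every entry must be a known EAP type number.
        return (isinstance(value, list) and len(value) > 0
                and all(isinstance(v, int) and not isinstance(v, bool)
                        and v in EAP_TYPES for v in value))
    if key == "TLSTrustedServerNames":
        return isinstance(value, list) and all(valid_server_name(v) for v in value)
    if key == "EAPSIMNumberOfRANDs":
        return value in (2, 3)
    if key == "TTLSInnerAuthentication":
        return value in INNER_AUTH
    # Every other key is left to the parent class's usual checks (not modelled).
    return True
```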
PAYLOAD KEYS
This payload has the following keys:
AcceptEAPTypes
This is an array of numbers, where each number represents one type of EAP method to use.
At least one EAP method must be specified. The following EAP methods are supported:
13 = EAP-TLS
As defined in RFC 5216, available at http://tools.ietf.org/html/rfc5216. The client is authenticated using an identity certificate.
17 = LEAP
The Cisco-developed protocol. This should not be used for new environments.
18 = EAP-SIM
As defined in RFC 4186, available at http://tools.ietf.org/html/rfc4186. The client is authenticated using their phone's SIM, using challenge-response.
21 = EAP-TTLS
As defined in RFC 5281, available at http://tools.ietf.org/html/rfc5281. The client is authenticated using a username & password, but that authentication takes place inside of a TLS connection.
23 = EAP-AKA
As defined in RFC 5448, available at http://tools.ietf.org/html/rfc5448. The client is authenticated using their phone's USIM, using challenge-response.
25 = PEAP
43 = EAP-FAST
As defined in RFC 4851, available at http://tools.ietf.org/html/rfc4851. The client is authenticated using a pre-shared credential, or (if none is available) some other EAP method, embedded in a TLS connection.
If multiple EAP types are listed, Apple's documentation does not specify the order in which they will be used.
Basic Authentication Parameters
UserName
Optional
A string. This is the exact username to use. If not provided, the user will be asked to enter this information during authentication.
OuterIdentity
Optional, relevant only to TTLS, PEAP, and FAST.
A string. If present, the value of this string will be used as the username outside of the encrypted tunnel; the real username will only be passed inside the encrypted tunnel.
UserPassword
Optional
A string. If a password is used during authentication, it will be taken from here. If a password is needed, but not already provided, then the user will be prompted.
OneTimePassword
Optional
A boolean. If true, then the user will be asked for a password every time the device connects to the wireless network. If false, the password will be saved for future connections to the wireless network.
Default is false.
TLS Configuration
PayloadCertificateAnchorUUID
Optional, used by authentication methods that provide a TLS certificate.
An array of UUIDs. The UUIDs point to Certificate payloads that have been loaded onto the device, either as part of this profile or via an already-installed profile.
When the EAP server provides their TLS certificate, the device must confirm that the server's certificate is trusted. If this array is provided, the device will use it as the list of trusted certificates, for the purposes of certificate verification and trust.
The EAP server's certificate must pass this test, as well as the test defined in "TLSTrustedServerNames", before the certificate will be trusted.
See Config::Apple::Profile::Payload::Certificate for more information on the certificate payload types. See also "TLSAllowTrustExceptions".
TLSTrustedServerNames
Optional, used by authentication methods that provide a TLS certificate.
An array of strings. Each string is a domain name, with the * wildcard allowed. When the EAP server presents its certificate, the certificate's common name will be checked against this list; if the common name does not match any of the patterns in the list, the certificate will not be trusted.
The EAP server's certificate must pass this test, as well as the test defined in "PayloadCertificateAnchorUUID", before the certificate will be trusted.
See also "TLSAllowTrustExceptions".
TLSAllowTrustExceptions
Optional, used by authentication methods that provide a TLS certificate.
A boolean.
Certificate trust is automatically determined using the payload keys PayloadCertificateAnchorUUID and TLSTrustedServerNames. If both keys are undefined, then automatic validation fails. If both keys are defined, and either test failed, the automatic validation fails. If only one key is defined, then automatic validation fails if that one test fails.
If this key is true, and automatic validation had failed, then the user will be given the option to explicitly trust the certificate, or to cancel the connection attempt. If this key is false, then the user will not be given any option; if automatic validation fails, then the connection fails.
The default value is not fixed: If either PayloadCertificateAnchorUUID or TLSTrustedServerNames is defined, then the default value is false. If both PayloadCertificateAnchorUUID and TLSTrustedServerNames are undefined, then the default value is true.
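The trust decision described across PayloadCertificateAnchorUUID, TLSTrustedServerNames and TLSAllowTrustExceptions, worked through as an added Python model (not the module's own code, and not how iOS implements it). It assumes the server's chain is summarised by the UUID of the Certificate payload it chains to, and that a "*" in a trusted-name pattern matches within a single label of the common name (it never spans a dot).

```python
import fnmatch

# Added example, not part of Config::Apple::Profile. It models the automatic
# certificate validation and the TLSAllowTrustExceptions default rule.


def cn_matches(pattern, common_name):
    """Match a certificate common name against one TLSTrustedServerNames entry.

    Labels are compared one by one; '*' matches all or part of a single label
    (assumption: the page does not say whether '*' may span several labels).
    """
    p_labels = pattern.lower().split(".")
    c_labels = common_name.lower().split(".")
    if len(p_labels) != len(c_labels):
        return False
    return all(fnmatch.fnmatchcase(c, p) for p, c in zip(p_labels, c_labels))


def automatic_validation(payload, server_cn, server_anchor_uuid):
    """True only if the server certificate passes every configured test.

    server_anchor_uuid: UUID of the Certificate payload the server's chain
    leads to, or None if it chains to no installed certificate payload.
    """
    anchors = payload.get("PayloadCertificateAnchorUUID")
    names = payload.get("TLSTrustedServerNames")
    if anchors is None and names is None:
        return False  # nothing configured: automatic validation always fails
    if anchors is not None and server_anchor_uuid not in anchors:
        return False  # anchor test failed
    if names is not None and not any(cn_matches(p, server_cn) for p in names):
        return False  # server-name test failed
    return True


def allow_trust_exceptions(payload):
    """Effective TLSAllowTrustExceptions, applying its context-dependent default."""
    if "TLSAllowTrustExceptions" in payload:
        return bool(payload["TLSAllowTrustExceptions"])
    # Default is false once either trust key is defined, true when both are absent.
    configured = ("PayloadCertificateAnchorUUID" in payload
                  or "TLSTrustedServerNames" in payload)
    return not configured


def connection_outcome(payload, server_cn, server_anchor_uuid):
    """'trusted' (automatic), 'prompt' (user may accept), or 'fail'."""
    if automatic_validation(payload, server_cn, server_anchor_uuid):
        return "trusted"
    return "prompt" if allow_trust_exceptions(payload) else "fail"
```

The "prompt" outcome for an empty configuration is the case worth noticing: with neither trust key defined, the user is asked to accept whatever certificate is presented.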
TLSCertificateIsRequired
Optional, relevant only to PEAP, EAP-TTLS, EAP-FAST, and EAP-TLS. Available in iOS 7.0 and later.
If true, allows for two-factor authentication for PEAP, EAP-TTLS, and EAP-FAST. If false, allows for zero-factor authentication for EAP-TLS.
The default value is not fixed. If EAP-TLS is being used, then the default is true. For all other EAP types, the default is false.
EAP-TTLS Configuration
The key in this section is only used with EAP-TTLS.
TTLSInnerAuthentication
Optional
A string. This is the authentication method used inside the tunnel. Valid values are:
PAP
CHAP
MSCHAP
MSCHAPv2
The default is MSCHAPv2.
EAP-FAST Configuration
The keys in this section are only used with EAP-FAST.
EAPFASTUsePAC
Optional
A boolean. If an existing PAC is present, and this key is true, then use the existing PAC. Otherwise, the server must use a certificate to prove its identity.
Default is false.
EAPFASTProvisionPAC
Optional
A boolean. If true, allow PAC provisioning. This key has no effect unless EAPFASTUsePAC is true.
Default is false.
EAPFASTProvisionPACAnonymously
Optional
A boolean. If true, the PAC may be provisioned anonymously.
NOTE: Anonymous PAC provisioning has known man-in-the-middle attacks. If PAC provisioning is used, this key should be set to false.
Default is false.
EAPSIMNumberOfRANDs
Optional
A number, either 2 or 3. This is the number of RANDs expected for EAP-SIM.
Default is 3.
ACKNOWLEDGEMENTS
Refer to Config::Apple::Profile for acknowledgements.
AUTHOR
A. Karl Kornel, <karl at kornel.us>
COPYRIGHT AND LICENSE
Copyright © 2014 A. Karl Kornel.
This program is free software; you can redistribute it and/or modify it under the terms of either: the GNU General Public License as published by the Free Software Foundation; or the Artistic License.
See http://dev.perl.org/licenses/ for more information.