First Impressions: 802.1X on iPhone 2.0 Firmware
So I managed to resist the urge to buy the 3G iPhone but I was happy to try out the new 2.0 firmware, primarily for the Exchange support and of course, 802.1X. I was curious to see how many options the UI would expose to the user to configure supplicant settings. What EAP types would be supported? Would it care about inner and outer tunnel identity? The answer on the options front, in typical Apple style, is zero. That’s it. No options at all. It just works. Now how it works and how efficiently it operates is an open question. I haven’t managed to break out a sniffer yet to see what it tries to do. I just tried a simple test, connecting to my 802.1X network at the office. We use PEAP/MSCHAPv2 against our Ignition Server going to an AD back-end. Previously I had to connect my iPhone to the guest network and use MAC authentication bypass to get basic Internet connectivity; not particularly secure or easy to use. I had to fire up the browser each time to get the session with the captive portal, which wasn’t hard but was an extra step I’d rather avoid. Here’s what I did today:
1. Went into Settings, Wi-Fi, and chose the SSID of our WPA2 Enterprise deployment.
2. I hunted around for options related to 802.1X and found none. Instead, all I was asked for was a username and a password.
3. I entered that information, clicked Join, and waited.
4. I waited.
5. I waited some more…
6. Eventually I hit Cancel, not sure what had happened.
7. I then connected again, re-entered my password, and was immediately taken to a certificate screen. It presented me with our server-side certificate, let me examine it if I wanted to, and then prompted me to accept it.
8. I clicked Accept and then was on the network.
I’m eager to see what sort of experiences others are having with the 2.0 firmware and 802.1X. On the one hand, I’m incredibly excited that (glitch in the middle aside) I got on without needing to know anything about the nuances of 802.1X supplicant configuration. On the other hand, I wonder if the lack of options will render certain types of 802.1X deployments non-functional.
Update: 7/11/08 - 8:38 PM
Wi-Fi Networking News has a post about Apple’s Enterprise phone management application that builds 802.1X packages for iPhone. It looks like Apple stuck all the options there for corporate IT managers looking to have tighter control over the 802.1X configs. From the post:
The utility serves two purposes: creating configuration profiles, including for multiple Wi-Fi networks and VPN connections; and allowing iPhones in an enterprise to run internally developed iPhone software. The Wi-Fi profiles allow you to create WEP or WPA/WPA2 802.1X configurations, and include support for choosing allowed EAP messaging types, configuring authentication elements associated with a given EAP type, and adding server certificates and names for better authentication control.
Once created, these profiles can be distributed throughout a company via email or as a direct download to the iPhone via an intranet Web server. Apple chose not to encrypt them, which means that certain information that’s not secured—such as the shared secret for certain VPN connections—could be disclosed to someone who had access to the profile or could download it off the local network.
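The security-relevant difference between the two experiences above is whether the phone has been told which server certificate to trust in advance (via a profile from the utility) or leaves it to the user to accept whatever certificate the network presents. The following is an added example, not code from the post or from Apple: a small audit that parses a Wi-Fi configuration profile and flags 802.1X payloads that leave server trust to the user. The profile is constructed here, and the payload key names (EAPClientConfiguration, AcceptEAPTypes, TLSTrustedServerNames, PayloadCertificateAnchorUUID) are assumed to match Apple’s profile format.

```python
import plistlib

# Constructed sample profile (not from the post). Two WPA2 Enterprise networks:
# "CorpNet" trusts nothing in advance, "CampusNet" pins a CA and a server name.
# Key names are assumed to follow Apple's configuration-profile format.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>PayloadContent</key><array>
 <dict>
  <key>PayloadType</key><string>com.apple.wifi.managed</string>
  <key>SSID_STR</key><string>CorpNet</string>
  <key>EAPClientConfiguration</key><dict>
   <key>AcceptEAPTypes</key><array><integer>25</integer></array>
  </dict>
 </dict>
 <dict>
  <key>PayloadType</key><string>com.apple.wifi.managed</string>
  <key>SSID_STR</key><string>CampusNet</string>
  <key>EAPClientConfiguration</key><dict>
   <key>AcceptEAPTypes</key><array><integer>21</integer></array>
   <key>TTLSInnerAuthentication</key><string>PAP</string>
   <key>TLSTrustedServerNames</key><array><string>radius.example.edu</string></array>
   <key>PayloadCertificateAnchorUUID</key><array><string>UUID-OF-CA-PAYLOAD</string></array>
  </dict>
 </dict>
</array></dict></plist>"""


def audit_wifi_payloads(profile_bytes):
    """Return {ssid: [finding, ...]} for every 802.1X Wi-Fi payload in the profile.

    An empty finding list means the supplicant can validate the RADIUS server
    without asking the user to accept a certificate by hand.
    """
    profile = plistlib.loads(profile_bytes)
    results = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.wifi.managed":
            continue
        eap = payload.get("EAPClientConfiguration")
        if eap is None:
            continue  # PSK/open network: no 802.1X server trust to audit
        findings = []
        if not eap.get("PayloadCertificateAnchorUUID"):
            findings.append("no anchor CA: user must accept the server certificate by hand")
        if not eap.get("TLSTrustedServerNames"):
            findings.append("no trusted server name: any certificate from the anchor CA is accepted")
        results[payload["SSID_STR"]] = findings
    return results


if __name__ == "__main__":
    for ssid, findings in audit_wifi_payloads(SAMPLE_PROFILE).items():
        print(ssid, "->", findings or ["OK"])
```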
July 12th, 2008 at 1:22 pm
Can it even be that the iPhone (or iPod touch for that matter) just tests all the different configurations that are possible (that must be quite a few – and on my MacBook Pro logging in always takes some seconds) and takes whatever gets it in? Is that possible?
My university uses 802.1X with TTLS and PAP (no idea what that means, those are just the checkboxes I had to click in the Mac OS X settings), and I would hate to discover that I cannot log into the campus Wi-Fi. I’m still not sure whether I should buy an iPod touch. Not being able to use the campus Wi-Fi would be a huge deal breaker.
July 12th, 2008 at 11:29 pm
If you look at the Wi-Fi post I referenced in my update you can see that TTLS is clearly supported: http://wifinetnews.com/archives/008391.html
I’d be amazed if TTLS/PAP didn’t work as it is probably the most common EAP type after PEAP/MS-CHAPv2. To the first part of your question, I’m not sure how it goes about it. I haven’t personally tested it against TTLS/PAP nor have I run a trace yet. Anyone else have success with TTLS/PAP on an iPhone or iPod Touch?
July 13th, 2008 at 8:39 am
Why am I not surprised that all the iPhone Configuration Utilities require OS X 10.5. I don’t have it, as I am still running 10.4. Consequently, I can’t build the configuration profiles needed to log on to my company’s wireless access points. We use WEP 802.1X with PEAP. I can do it with my PPC PowerBook running 10.4 but not my iPhone. I guess they’ll force me to spend the money on 10.5 after all.
July 13th, 2008 at 10:34 am
Hi Bob,
What happens when you try to connect? We’re using PEAP at work as well and I got right on. Are you using passwords checked against MS Active Directory?
Sean
July 15th, 2008 at 10:04 am
The university that I work and attend classes at has a wireless network that appears to support either WPA or WPA2 and TKIP or AES. They also claim that they use EAP-PEAP and MSCHAPv2 for authentication. I attempted to follow the same steps that you outlined halfway through this entry and I never get to step 7. Instead, my step 7 looks more like this.
7. Go back to step 1 and try again.
Do you recall how long you waited during steps 3, 4, and 5? I’ve tried letting it go for five minutes each time and, after three attempts, I gave up. I’m using an older iPhone with the 2.0 software update installed. I have confirmed elsewhere that the credentials that I am providing are correct. Links to the information that I am referencing are provided below. Any ideas you might have would be very helpful. Thanks in advance!
https://www.net.usf.edu/wireless/USF-GOLD/
https://www.net.usf.edu/wireless/USF-GOLD/wpa.html
https://www.net.usf.edu/wireless/USF-GOLD/instructions.php
July 16th, 2008 at 2:47 pm
I figured it out with the help of the university’s excellent network guys. The trick appears to be forgetting the other unencrypted but MAC address-filtered wireless network at the university and restarting the phone. I also tried connecting from a different part of campus, so maybe I was just having problems with that particular AP. After doing all of this, I was immediately asked to accept a certificate. The first attempt resulted in another bout of endless waiting, but the second attempt immediately connected me to the network. Between getting third-party applications without jailbreaking, Exchange and MobileMe push, and enterprise wireless connectivity, this 2.0 software update has been fantastic.
July 16th, 2008 at 5:36 pm
I had to use the configuration utility to specify my Trusted Server Certificate Name under the Trust tab under WiFi. After that the endless “joining…” problem was resolved.
July 17th, 2008 at 10:48 am
Hi Sarah,
Did you get the “joining” messages more than once? I’m curious if your particular 802.1X network configuration caused something different to happen on your phone. It seems from the comments here that forgetting the non-802.1X networks in your vicinity and connecting twice via 802.1X is what fixes the problem. Since accepting the cert once, I’ve not been prompted again.
July 24th, 2008 at 10:20 am
I have been waiting for this update a very long time, especially for the 802.1X. But my problem was not fixed; they still do not have the 802.1X WEP spec I was looking for.