Configuring Mac OSX

This Howto is written specifically for OSX Leopard (10.5) and Snow Leopard (10.6); the steps may differ on earlier versions.

To join eduroam on OSX, simply select the eduroam SSID from the Airport menubar icon. When asked for your credentials, provide them as follows. If you are from example.edu (your "realm") and your username (sometimes called NetID) is traveler, then your login name is traveler@example.edu. Your password is your normal password at your home institution.

 

Security Information

If you have not already added the SSL/TLS certificate from your home institution to your keyring, you will be asked to do so now. You should then be connected to eduroam and be able to surf as normal.

Hint: To view your home institution's RADIUS certificate and let the Keychain verify it before you provide your username and password, you can use a two-step verification process. First provide the username anonymous@example.edu (where example.edu is your home institution as above) and an empty password. If you have not stored the certificate in your keyring, you will be presented with your home institution's RADIUS server certificate. If it is correct, you can then store it in your Keychain (you will be asked for the computer's administrator password if you are not running as administrator). It is recommended that you do this the first time while at your home institution and, if possible, verify the certificate's fingerprint with your IT staff. This simple check is the foundation of all security within the eduroam network.

If you have previously verified and stored the certificate for your home institution, this step allows the Keychain to verify the certificate before you provide your real credentials, mitigating the damage from a rogue man-in-the-middle attack. Once the certificate has been verified (and possibly stored) you will be asked for your credentials a second time. This time provide your real credentials as above and you will be connected to the network.
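The fingerprint check recommended above can also be done from Terminal. This is an added example, not part of the original Howto. It assumes the certificate has been saved as a PEM file, that the openssl command is available, and that your IT staff publish a SHA-256 fingerprint; the function names, file names and radius.example.edu are hypothetical.

```shell
#!/bin/sh
# Added example: check a RADIUS server certificate's SHA-256 fingerprint against
# the value your IT staff gave you. Function names here are hypothetical.

# Strip an "xxx Fingerprint=" label, colons and spaces; upper-case the hex.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Print the normalized SHA-256 fingerprint of a PEM certificate file.
cert_fp() {
    raw=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 2
    normalize_fp "$raw"
}

# verify_cert_fp FILE EXPECTED
# Returns 0 on match, 1 on mismatch, 2 if FILE is not a certificate or
# EXPECTED is not a 64-hex-digit SHA-256 value (e.g. a SHA-1 fingerprint).
verify_cert_fp() {
    expected=$(normalize_fp "$2")
    case "$expected" in
        ''|*[!0-9A-F]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    actual=$(cert_fp "$1") || return 2
    [ "$actual" = "$expected" ]
}

# Constructed sample input: a throwaway self-signed certificate standing in
# for the home institution's RADIUS certificate (radius.example.edu is made up).
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=radius.example.edu" \
        -keyout "$1/demo-key.pem" -out "$1/demo-cert.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir"
published=$(cert_fp "$demo_dir/demo-cert.pem")   # stands in for the helpdesk's value
if verify_cert_fp "$demo_dir/demo-cert.pem" "$published"; then
    echo "fingerprint matches: safe to trust this certificate"
else
    echo "fingerprint MISMATCH or unreadable file: do not trust it"
fi
rm -rf "$demo_dir"
```

In real use the expected value must come from your IT staff through a separate channel (in person, by phone, or from a page you reached over a trusted connection), never from the network that presented the certificate.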

Storing your credentials in an eduroam profile

To create a permanent eduroam profile for connecting to the network with the correct settings, including "inner" and "outer" identities, follow these instructions:

In Network Preferences (the bottom menu item in the Airport menu), with the Airport card selected, click "Advanced..." in the lower right-hand corner.  In the advanced settings select the 802.1X tab.

As seen below please create a new 802.1x "User Profile" and fill in your username and password as shown in the second image.  If you would prefer to be prompted for your password each time you connect to eduroam leave the password field blank.  Select the appropriate authentication methods (TTLS or PEAP generally), and select the eduroam network in the "Wireless Network" drop-down list. 

New 802.1x Profile

To configure your "outer-identity", which is what the institution you are visiting and the other eduroam servers between the visited institution and your home institution will see, do the following. Select the PEAP or TTLS authentication method, whichever is used by your home institution (both may be allowed, so follow the instructions for both in that case). Click on "Configure..." just below the Authentication methods list. In the dialog box that pops up, enter anonymous@<your realm> (i.e. anonymous@example.edu in the case described at the top of this document). If you are using TTLS, make sure to configure your "TTLS Inner Authentication" as appropriate for your home institution as well. When you are done you should have filled out the appropriate forms similarly to the images below.

PEAP Configuration  TTLS Configuration

The next step is to configure your home institution's RADIUS server certificate. For help with this please contact your home-institution helpdesk, as they will have the information on your certificate. If you have previously joined the eduroam network, preferably from home the first time, and accepted the certificate provided, then it should be in your Keychain. If not, you may need to add it from a file per the instructions from your home institution.

Assuming the certificate is in your Keychain, we will allow that certificate to be used by default for eduroam: Click the "Configure Trust" button (below the Authentication Methods list). Click the "+" in the lower-left corner of the dialog and select either "Select Certificate File" (if you have downloaded the certificate file to your hard drive previously) or "Select Certificate from Keychain" if you've previously accepted it (see the first image below). In the former case, navigate your hard drive to find the file, select it, and click "Ok". In the latter case (the second image below) find your home institution's certificate in the list, select it, and click "Ok". Your home RADIUS server should now be listed in the "Certificates" tab of the dialog (the third image below). You may optionally list RADIUS servers to trust (the fourth image below). If you wish to do so, select the "Servers" tab, click the "+" and provide the DNS name or IP address of the RADIUS servers you wish to trust. Please consult your home institution for help with this step. Once you have selected certificates and/or servers, click "Ok" to return to the 802.1X configuration tab.

Configure Trust - Certificates   Select CA Certificate (from Keychain)   CA Certificate Selected   Configure Trusted Server

After completing all of the steps above, your preferences screen should look similar to the image below. If so, please click "Ok" to return to the Network Preferences pane.

Completed 802.1x Profile

Upon returning to the main Network Preferences pane, click "Apply" in the lower-right corner of the dialog. Then select the eduroam network from the "Network Name" drop-down list. After connecting you should see your 802.1X authentication status below the network name. If all went well in your configuration, you should now be connected to the eduroam SSID and able to surf as usual!

Connected!

For further information please see the Apple Knowledge Base article on configuring 802.1x networks in OSX 10.5.