Mac OS X Clients
Instructions for configuring Mac OS X clients for secure Wi-Fi networking with Elektron.
Configuring Mac OS X
Apple began to include a WPA Enterprise client with Mac OS X 10.3, meaning that no third-party software is necessary for Mac OS X 10.3 clients to join an Elektron-protected Wi-Fi network.
System Requirements
To use the Mac OS X client, you must have Mac OS X 10.3 (Panther) or later and an AirPort or AirPort Extreme card. Be sure that the client is running the latest version of the AirPort software by running the Software Update application. AirPort software updates are also available at Apple’s AirPort support web site, at:
On Demand Configuration
The easiest way to configure a Mac OS X client is to perform no initial configuration at all. Simply select your Elektron-protected network’s name from the system-wide AirPort menu (which is present if you have the “Show AirPort status in menu bar” option selected in the Internet Connect application), or select “Other…” from the AirPort menu and type your network’s name (if you have created a closed network). You may also select the network from the AirPort pane in the Internet Connect application.

Entering a Password
The Mac OS X client software will recognize that you are attempting to log in to a WPA Enterprise network, and prompt you for a username and password:

Enter the user’s username and password. If Elektron is configured to use system accounts for user authentication (which is the default), then the username and password will be the same as those used by the user to log in to the machine on which Elektron is running.
Elektron Certificate Authentication
If this is the first time the user has logged into the network, and the Elektron digital certificate has not been previously installed on the user’s computer (this optional installation is described later in the chapter), then Mac OS X displays a dialog warning that it does not recognize the server’s digital certificate:

Click the “Show Certificate” button to review and approve the Elektron digital certificate (note that these instructions apply to Mac OS X 10.4.9; if you are using another version of Mac OS X, your dialogs may look slightly different):

The warning “This certificate was signed by an untrusted user” means that the certificate is not (yet) in the user’s keychain. You’ll add the certificate to the keychain in the steps below.
Clicking “Continue” will allow the certificate to be accepted for this single connection. To accept the certificate permanently and avoid going through the process in the future, check the “Always trust these certificates” box:

Then click the “Continue” button. Because the “Always trust these certificates” option will add the certificates to your keychain, you may be prompted to enter your password to confirm:

From here, the login proceeds, and if the username and password were correctly entered, the user will be logged in and able to securely use network services.
Verifying the Certificate
Accepting the server’s digital certificate without first verifying it can be dangerous. An attacker may have lured the user into connecting to a rogue network access point and presented the user with their own, untrustworthy certificate. Fortunately, verifying the certificate is easy.
The digital certificate is verified by matching its “fingerprint”. A certificate fingerprint is a secure hash (a mathematical computation that distills a block of data into a series of digits). To begin, you will need the legitimate fingerprint of the server’s certificate. This is available in the Elektron Settings application:
- Launch the Elektron Settings application (located in the Applications folder on the Elektron server machine)
- Select the Server Certificate pane from the toolbar at the top of the window
- Click the “View” button
- The certificate’s details are shown. One of the details is the fingerprint:
- Verify that this fingerprint matches the fingerprint shown by the Mac OS X client
Manual Configuration
To avoid having to manually verify the Elektron digital certificate, Mac OS X clients can pre-install the certificate on their machine. Mac OS X recognizes certain file extensions as files containing digital certificates, including “.pem”. When a user double-clicks one of these files in the Finder, Mac OS X will automatically launch the Keychain Access application and give your user the option of adding the certificate to a keychain of the user’s choice.
To export your Elektron certificate as a file that can be imported by Mac OS X, open the Elektron Settings application and navigate to the Server Certificate pane. Click the “Text File” button to save the file.
When the user receives the file containing the certificate, double-clicking the file (assuming that it has a correct file extension such as “.pem”) will result in the launch of the Keychain Access application and a keychain dialog being presented:

Select the “X509 Anchors” keychain (if there is more than one X509 Anchors keychain listed, select the one that follows “system” in the menu). This will place the certificate in the correct keychain for the Mac OS X WPA software to find it for verification.
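Before adding an exported “.pem” file to the X509 Anchors keychain, the fingerprint comparison from “Verifying the Certificate” can be scripted. The following is an added example, not part of Elektron or Mac OS X; the function names, the constructed sample bytes and the SHA-1 default are assumptions (use whichever digest your dialogs display).

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in bytes, NOT a real certificate: the fingerprint is a
# hash over the DER encoding, so any byte string exercises the logic.
SAMPLE_DER = b"constructed stand-in for a DER-encoded certificate " * 6
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Return the DER bytes of the single certificate in a .pem file."""
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError("expected exactly one certificate, found %d" % len(blocks))
    return base64.b64decode("".join(blocks[0].split()), validate=True)


def fingerprint(pem_text, algorithm="sha1"):
    """Hash the DER bytes and format the digest as 'AB CD EF ...'."""
    digest = hashlib.new(algorithm, pem_to_der(pem_text)).hexdigest().upper()
    return " ".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp):
    """Strip spaces and colons so differently formatted fingerprints compare."""
    hex_only = re.sub(r"[\s:]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]+", hex_only):
        raise ValueError("fingerprint contains non-hex characters")
    return hex_only


def fingerprints_match(reference_fp, pem_text, algorithm="sha1"):
    """True only if the whole reference fingerprint equals the file's."""
    reference = normalize(reference_fp)
    actual = normalize(fingerprint(pem_text, algorithm))
    # A truncated or wrong-algorithm reference must fail, not partially match.
    return len(reference) == len(actual) and hmac.compare_digest(reference, actual)


if __name__ == "__main__":
    print(fingerprint(SAMPLE_PEM))
```

Pass the fingerprint read from the Elektron Settings “View” dialog as `reference_fp` and the contents of the received file as `pem_text`; install the file only when the result is `True`.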
Beyond configuring the certificate, Mac OS X offers users advanced options to select which authentication method is used to verify a client’s identity. These are available in the Internet Connect application on the 802.1X pane. To select an authentication method:

- Open the Internet Connect application
- If there is no 802.1X pane, select “New 802.1X Connection…” from the File menu
- Select the 802.1X pane
- Choose “Edit Configuration…” from the Configuration pop-up menu
- Check or uncheck the protocols you wish to enable or disable. We recommend TTLS be enabled for use with Elektron.
- Click TTLS in the list to select it and click the Configure button
- For TTLS Inner Authentication, select PAP, click OK
- Click OK
Elektron® is a registered trademark of Periodik Labs LLC