User Guide

Appendix B Configuration Profile Format
EAP-FAST Support
The EAP-FAST module uses the following properties in the EAPClientConfiguration
dictionary.
These keys are hierarchical in nature: if EAPFASTUsePAC is false, the other two
properties aren’t consulted. Similarly, if EAPFASTProvisionPAC is false,
EAPFASTProvisionPACAnonymously isn’t consulted.
If EAPFASTUsePAC is false, authentication proceeds much like PEAP or TTLS: the server
proves its identity using a certificate each time.
If EAPFASTUsePAC is true, then an existing PAC is used if it’s present. The only way to
get a PAC on the device currently is to allow PAC provisioning. So, you need to enable
EAPFASTProvisionPAC, and if desired, EAPFASTProvisionPACAnonymously.
EAPFASTProvisionPACAnonymously has a security weakness: it doesn’t authenticate the
server, so connections are vulnerable to a man-in-the-middle attack.
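The key hierarchy described above can be checked mechanically before a profile is distributed. The following is an added example, not part of the original guide: it assumes the usual profile layout (a top-level PayloadContent array whose Wi-Fi payloads carry SSID_STR and EAPClientConfiguration) and that an absent Boolean key behaves as false. The sample profile, the SSIDs, and the function names audit_eap_fast and audit_profile are constructed for illustration.

```python
import plistlib

# Constructed sample profile (not from the guide): two Wi-Fi payloads.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PayloadContent</key><array>
  <dict><key>SSID_STR</key><string>corp-a</string>
    <key>EAPClientConfiguration</key><dict>
      <key>EAPFASTUsePAC</key><true/>
      <key>EAPFASTProvisionPAC</key><true/>
      <key>EAPFASTProvisionPACAnonymously</key><true/>
    </dict></dict>
  <dict><key>SSID_STR</key><string>corp-b</string>
    <key>EAPClientConfiguration</key><dict>
      <key>EAPFASTUsePAC</key><false/>
      <key>EAPFASTProvisionPACAnonymously</key><true/>
    </dict></dict>
</array></dict></plist>"""

def audit_eap_fast(eap):
    """Return findings for one EAPClientConfiguration dictionary."""
    # Assumption: an absent Boolean key is treated as false.
    use_pac = eap.get("EAPFASTUsePAC", False)
    provision = eap.get("EAPFASTProvisionPAC", False)
    anonymous = eap.get("EAPFASTProvisionPACAnonymously", False)
    findings = []
    if not use_pac:
        # Top of the hierarchy is off: the other two keys are not consulted.
        if provision or anonymous:
            findings.append("ignored: provisioning keys set but EAPFASTUsePAC is false")
    elif not provision:
        findings.append("no-pac-source: PAC use is on but PAC provisioning is off")
        if anonymous:
            findings.append("ignored: anonymous key set but EAPFASTProvisionPAC is false")
    elif anonymous:
        # Effective setting: the server is not authenticated during provisioning.
        findings.append("mitm-risk: anonymous PAC provisioning is in effect")
    return findings

def audit_profile(data):
    """Map each Wi-Fi payload's SSID to its EAP-FAST findings."""
    report = {}
    for payload in plistlib.loads(data).get("PayloadContent", []):
        eap = payload.get("EAPClientConfiguration")
        if isinstance(eap, dict):
            report[payload.get("SSID_STR", "?")] = audit_eap_fast(eap)
    return report

if __name__ == "__main__":
    for ssid, findings in audit_profile(SAMPLE_PROFILE).items():
        print(ssid, findings or ["ok"])
```

An empty findings list means the three keys are consistent and anonymous provisioning is not in effect.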
Certificates
As with VPN configurations, it’s possible to associate a certificate identity configuration
with a Wi-Fi configuration. This is useful when defining credentials for a secure
enterprise network. To associate an identity, specify its payload UUID via the
“PayloadCertificateUUID” key.
Key                       Value
TTLSInnerAuthentication   String, optional. This is the inner authentication used by the
                          TTLS module. The default value is “MSCHAPv2”.
                          Possible values are “PAP”, “CHAP”, “MSCHAP”, and “MSCHAPv2”.
OuterIdentity             String, optional. This key is only relevant to TTLS, PEAP, and
                          EAP-FAST.
                          This allows the user to hide his or her identity. The user’s actual
                          name appears only inside the encrypted tunnel. For example,
                          it could be set to “anonymous” or “anon”, or
                          “anon@mycompany.net”.
                          It can increase security because an attacker can’t see the
                          authenticating user’s name in the clear.

Key                              Value
EAPFASTUsePAC                    Boolean, optional.
EAPFASTProvisionPAC              Boolean, optional.
EAPFASTProvisionPACAnonymously   Boolean, optional.

Key                      Value
PayloadCertificateUUID   String. UUID of the certificate payload to use for the identity
                         credential.