EAP-TTLS – Apple Client Initial Configuration

Overview

Additional configuration is necessary if you opt to use EAP-TTLS/PAP (username + password) authentication for Apple devices. This is done by creating a profile with the free Apple Configurator tool.

Note: entering a username and password at the login prompt after clicking on the SSID will not work (Apple devices use PEAP-MSCHAPv2 or EAP-TTLS/MSCHAPv2, which use a password hashing algorithm that is not supported by any cloud-based Identity Provider).

Creating a WiFi Profile

Step 1 – Download Mist Certificate

In order for the client to trust the Mist Access Assurance server cert, it needs to be included in the WiFi profile.

Navigate to Organization > Access > Certificates

Click on View Mist Certificate, then Copy the payload.

Save it locally as a file with .crt extension, e.g. mist-cert.crt

Note: if you are using your own custom Server Certificate, download your Certificate Authority cert at this stage instead of a Mist Certificate.

Step 2 – Create a New Profile

Open your Apple Configurator tool, click on New Profile:

Step 3 – Import Server CA Certificate

Go to the Certificates tab, click Configure, and select the Mist Certificate you downloaded in Step 1.

Step 4 – Configure Wi-Fi connection settings

Then go to the Wi-Fi tab and click Configure:

Configure Wi-Fi Settings as indicated below, making sure to provide your SSID name in the first field:

Then click on the Trust tab on the same screen and select the certificate. This tells the clients to trust the Mist Auth server certificate:

Step 5 – Save and Sign the profile

Save and/or sign the profile. To sign a profile, you will need an Apple-trusted certificate; signing is only required for production use.

Now you can distribute it to your Apple clients.
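
The profile from Steps 2 to 5 can also be generated as a file. The following is an added example, not code from Mist or Apple: it uses Python's plistlib to build a .mobileconfig whose Wi-Fi payload accepts only EAP-TTLS with PAP and is anchored to the CA certificate from Step 1. The SSID name, the com.example.wifi identifier, the WPA2 encryption type, the root-CA payload type and the sample certificate bytes are assumptions.

```python
import plistlib
import ssl
import uuid

# Constructed stand-in bytes (a DER SEQUENCE), not a real certificate.
# In practice pass the contents of the mist-cert.crt saved in Step 1.
SAMPLE_CA_DER = b"\x30\x03\x02\x01\x00"


def _payload(ptype, ident, name, **body):
    """Common payload header plus the type-specific keys."""
    return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadIdentifier": ident,
            "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadDisplayName": name, **body}


def build_profile(ssid, ca_cert, org_id="com.example.wifi"):
    """Return .mobileconfig bytes for EAP-TTLS/PAP anchored to ca_cert (PEM or DER)."""
    if not ssid:
        raise ValueError("SSID is required")
    if ca_cert.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        ca_cert = ssl.PEM_cert_to_DER_cert(ca_cert.decode("ascii").strip())
    if ca_cert[:1] != b"\x30":  # DER certificates start with a SEQUENCE tag
        raise ValueError("ca_cert is not a PEM or DER X.509 certificate")
    # Assumption: the certificate is a root CA, hence com.apple.security.root.
    ca = _payload("com.apple.security.root", f"{org_id}.ca", "RADIUS server CA",
                  PayloadContent=ca_cert)
    eap = {
        "AcceptEAPTypes": [21],            # 21 = EAP-TTLS only
        "TTLSInnerAuthentication": "PAP",  # username + password inside the tunnel
        "PayloadCertificateAnchorUUID": [ca["PayloadUUID"]],  # Trust tab selection
        # No UserName/UserPassword keys, so no credentials are stored in the file.
    }
    wifi = _payload("com.apple.wifi.managed", f"{org_id}.wifi", f"Wi-Fi ({ssid})",
                    SSID_STR=ssid, HIDDEN_NETWORK=False, AutoJoin=True,
                    EncryptionType="WPA2",  # assumption: WPA2-Enterprise SSID
                    EAPClientConfiguration=eap)
    profile = _payload("Configuration", org_id, f"{ssid} EAP-TTLS",
                       PayloadContent=[ca, wifi])
    return plistlib.dumps(profile)


if __name__ == "__main__":
    with open("eap-ttls.mobileconfig", "wb") as fh:
        fh.write(build_profile("Example-SSID", SAMPLE_CA_DER))
```

The generated file is unsigned; sign it as described in Step 5 before production use.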