Mac OSX 802.1x TLS Setup


Mac OS X Panther (10.3)

  1. Support for 802.1x was added to the Airport Software relatively recently. Versions before 3.3.x may not work. Versions of Airport shipping with MacOS 10.3.3 and later have worked well.
  2. Make sure your certificate is installed in your login keychain in the Keychain Access app found in your Utilities folder. In some of the early versions of Keychain Access it had to be the only certificate in your Keychain. In current versions (10.3.3+) it is possible to select which certificate (and key) is used.
  3. From your Airport menubar icon, choose Open Internet Connect...
  4. In Internet Connect, from the File menu, select New 802.1x Connection... Or, if you already have an 802.1x connection configured, click on the 802.1x icon at the top of the Internet Connect window.
  5. From the Configuration pop-up menu, choose Edit Configurations...
  6. Create a new 802.1x configuration if necessary. Choose "Airport" as its network port, type anything you want for the username and password (yes, really!), and type in "Authorized_User" (with exactly that capitalization) as the name of the wireless network to join. Uncheck all authentication types except "TLS." You might even have to drag "TLS" to the top of the list.
  7. Click the OK button.
  8. Click the Connect button. Be sure that your Airport connection is turned "On" before you click Connect, because the EAP client apparently won't turn it on itself, giving you an error message instead.


How to install certificates in Keychain

Double-click on a *.p12 file. This will automatically open the Mac OS X's Keychain program, and ask you if you want to add the certificate from the file to your Keychain:

upload:keychain1.png

Choose your login keychain (it will either be named login, or your Mac OS X username) as the keychain to add it to, then click OK. Now you will see a list of stuff in that keychain, and you should see the new certificate in there:

upload:keychain2.png

...along with a possibly cryptically-named private key that goes with that certificate:

upload:keychain3.png

You're done! Now, you have to make sure that it's the only certificate (of your own) in your keychain, because Mac OS X won't ask you which one you want to use when authenticating to something. Here's one way you can do that:

If there's not already a keychain drawer shown to the right of the Keychain window, click the "Show Keychains" button at the upper right of the window. (If it's already shown, that button will say "Hide Keychains" instead. If you don't know what a "drawer" is, click this button anyhow and the window will change.)

Create a new keychain: choose New Keychain... from the File menu. You'll see the following window:

upload:keychain4.png

Name it something like "Temporary Keychain" and choose where to save it: on your Desktop works.

It'll ask you for a password to protect this keychain: choose something strong. You'll be putting your private keys in here.

Now, drag your previous certificate, along with the matching private key, into the new keychain. Repeat for any other certificates you already have. Note that you only need to erase your own certificates (those with matching private keys), not other people's.

Now, choose that keychain in the right-hand Keychains drawer, and choose Delete Keychain from the File menu. You'll see the following question:

upload:keychain5.png

You want to keep the file so you can reinstall those certificates and private keys later, so choose Delete References.

Later, when you want to restore those certificates, double-click on the keychain file you created, and drag everything from it back into your login keychain. Then delete the temporary keychain, and this time really delete references and files.
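As an added example (not part of the Greenpass page, and it does not touch the keychain itself), this POSIX shell script uses openssl to inspect a *.p12 file before you import it: it counts the private keys and certificates in the bundle and confirms that the key actually goes with the certificate, which is the "matching private key" check the steps above rely on. The demo identity, file name and password are constructed here so it runs anywhere openssl is installed.

```shell
#!/bin/sh
# Added example (not from the Greenpass page): inspect a PKCS#12 file before
# importing it into the keychain. Counts the certificates with a matching
# private key ("your own" identities) so you know how many the keychain will
# show, and verifies that the bundled key really belongs to the certificate.
set -eu

# Constructed input: a throwaway self-signed identity stands in for the
# user's real *.p12 from the Greenpass CA. The password is constructed too.
P12_PASS="demo-pass"
make_demo_p12() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=demo-user" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" -days 1 >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
    -passout "pass:$P12_PASS" -out "$dir/id.p12"
  echo "$dir/id.p12"
}

# Number of private keys in the bundle (each one is an identity that the
# keychain would list as one of "your own" certificates).
p12_key_count() {
  openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nodes -nocerts 2>/dev/null \
    | grep -c "BEGIN.*PRIVATE KEY"
}

# Number of certificates in the bundle (a bundled CA chain raises this).
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nokeys 2>/dev/null \
    | grep -c "BEGIN CERTIFICATE"
}

# Prints "match" when the key's public half equals the client cert's public key.
p12_key_matches_cert() {
  key_pub=$(openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nodes -nocerts 2>/dev/null \
    | openssl pkey -pubout 2>/dev/null)
  cert_pub=$(openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -pubkey -noout 2>/dev/null)
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ] && echo match || echo mismatch
}

P12=$(make_demo_p12)
echo "private keys: $(p12_key_count "$P12")"
echo "certificates: $(p12_cert_count "$P12")"
echo "key/cert:     $(p12_key_matches_cert "$P12")"
```

Run it against your real file by replacing the constructed bundle and password; a key count above one means the keychain will end up with more than one identity of your own.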


How to set up an EAP-TLS connection

First, make sure you only have one certificate in your Keychain (see above).

Now, go to the wireless icon on the right side of your menubar and choose Open Internet Connect... You'll see a window something like this:

upload:internetconnect1.png

If you see an "802.1x" icon in this window, click on it. If not, go to the File menu and choose New 802.1x Connection... The window will change to this:

upload:internetconnect2.png

From the Configuration pop-up menu in this window, choose Edit Configurations... Now you'll get this dialog box:

upload:internetconnect3.png

In the field for "Wireless Network" enter the "Authorized_User" SSID. Your username and password can be basically anything since your certificate is used instead. Click OK. Now you're back to the old Internet Connect window. Make sure your Airport card is already on, then click Connect.

If this is your first time connecting, you'll be asked to accept the Greenpass RADIUS Server's certificate. You should accept it. You'll also be asked if "eapolclient" can use your private key; let it use it.

If everything goes well, you'll see this status message at the bottom left of the Internet Connect window:

upload:internetconnect4.png



Last edited Apr. 29, 2005