Appendix B Configuration Profile Format 57
Key
    Value

TLSTrustedServerCommonNames
    Array of string values, optional. The list of server certificate common names that will be accepted. If the server presents a certificate whose common name is not in this list, it is not trusted. Used alone or in combination with TLSTrustedCertificates, this property lets the administrator pin exactly which certificates are trusted for the given network instead of relying on dynamically trusted certificates.
    Dynamic trust (the certificate dialogue) is disabled when this property is specified, unless TLSAllowTrustExceptions is also specified with the value true (see below).

TLSAllowTrustExceptions
    Boolean, optional. Allows or disallows a dynamic trust decision by the user. Dynamic trust is the certificate dialogue that appears when a certificate isn't trusted. If this is false, authentication fails when the certificate isn't already trusted. See TLSTrustedCertificates and TLSTrustedServerCommonNames above.
    The default value of this property is true unless either TLSTrustedCertificates or TLSTrustedServerCommonNames is supplied, in which case the default is false. Setting it to true alongside a pinned certificate or common-name list reopens the certificate dialogue, and with it the user's ability to accept a rogue server; leave it false (or unset) on a pinned network.

TTLSInnerAuthentication
    String, optional. The inner authentication used by the TTLS module. The default value is "MSCHAPv2". Possible values are "PAP", "CHAP", "MSCHAP", and "MSCHAPv2".

OuterIdentity
    String, optional. This key is only relevant to TTLS, PEAP, and EAP-FAST. It lets the user hide their identity: the user's actual name appears only inside the encrypted tunnel. For example, it could be set to "anonymous", "anon", or "anon@mycompany.net". This increases security because an attacker observing the exchange can't see the authenticating user's name in the clear. Keep the realm part (the text after "@", as in the last example) when the RADIUS infrastructure uses it to route the request to the right authentication server.

EAP-FAST Support

The EAP-FAST module uses the following properties in the EAPClientConfiguration dictionary.

Key
    Value

EAPFASTUsePAC
    Boolean, optional.

EAPFASTProvisionPAC
    Boolean, optional.

EAPFASTProvisionPACAnonymously
    Boolean, optional.

These keys are hierarchical: if EAPFASTUsePAC is false, the other two properties aren't consulted. Similarly, if EAPFASTProvisionPAC is false, EAPFASTProvisionPACAnonymously isn't consulted.

If EAPFASTUsePAC is false, authentication proceeds much like PEAP or TTLS: the server proves its identity using a certificate each time, so the TLS trust keys above govern which servers are accepted. In EAP-FAST generally, anonymous PAC provisioning builds the provisioning tunnel without authenticating the server, so a client with EAPFASTProvisionPACAnonymously set to true exposes its inner authentication exchange to whichever server answers during that first provisioning exchange. On networks where rogue access points are a concern, prefer authenticated provisioning (the key set to false) or distributing the PAC out of band.
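The trust defaults and the EAP-FAST key hierarchy above are easy to get wrong when assembling a profile by hand. The following Python script is an added example, not part of the Configuration Profile Reference or of any Apple tool: it builds a hardened EAPClientConfiguration dictionary next to a weak one, resolves the effective TLSAllowTrustExceptions value using the default rule the reference states, resolves which EAPFAST keys are actually consulted, flags weak settings, and round-trips the dictionary through plistlib, which writes the XML plist form profiles use. The server common name, the realm, and the AcceptEAPTypes key (from the wider reference, not this page; 43 is the IANA EAP method number for EAP-FAST) are assumptions for illustration, and treating an absent EAPFAST key as false is an assumption too, since the reference gives no default for them.

```python
import plistlib

# Constructed sample dictionaries (not from the reference). The server name,
# realm and EAP type list are made up for illustration.
HARDENED_EAP_CONFIG = {
    "AcceptEAPTypes": [43],                      # assumed key; 43 = EAP-FAST
    "OuterIdentity": "anonymous@example.com",   # real user name only inside the tunnel
    "TLSTrustedServerCommonNames": ["radius.example.com"],
    "TLSAllowTrustExceptions": False,            # explicit, matching the pinned default
    "EAPFASTUsePAC": True,
    "EAPFASTProvisionPAC": True,
    "EAPFASTProvisionPACAnonymously": False,     # provision only over an authenticated tunnel
}

WEAK_EAP_CONFIG = {
    "AcceptEAPTypes": [43],
    "EAPFASTUsePAC": True,
    "EAPFASTProvisionPAC": True,
    "EAPFASTProvisionPACAnonymously": True,      # server not authenticated during provisioning
}


def effective_trust(cfg):
    """Resolve the TLS trust policy.

    TLSAllowTrustExceptions defaults to True, unless TLSTrustedCertificates
    or TLSTrustedServerCommonNames is supplied, in which case it defaults
    to False (the certificate dialogue is disabled).
    """
    pinned = "TLSTrustedCertificates" in cfg or "TLSTrustedServerCommonNames" in cfg
    allow = cfg.get("TLSAllowTrustExceptions", not pinned)
    return {"pinned": pinned, "allow_trust_exceptions": bool(allow)}


def effective_eap_fast(cfg):
    """Resolve the hierarchical EAP-FAST keys.

    A key the client would not consult is reported as None. An absent key is
    treated as False here (assumption; the reference states no default).
    """
    if not cfg.get("EAPFASTUsePAC", False):
        return {"use_pac": False, "provision_pac": None, "provision_anonymously": None}
    if not cfg.get("EAPFASTProvisionPAC", False):
        return {"use_pac": True, "provision_pac": False, "provision_anonymously": None}
    anon = bool(cfg.get("EAPFASTProvisionPACAnonymously", False))
    return {"use_pac": True, "provision_pac": True, "provision_anonymously": anon}


def audit(cfg):
    """Return a list of findings that weaken server authentication or expose the user name."""
    findings = []
    trust = effective_trust(cfg)
    if not trust["pinned"]:
        findings.append("no TLSTrustedCertificates/TLSTrustedServerCommonNames: "
                        "server trust rests on the user's dialogue decision")
    elif trust["allow_trust_exceptions"]:
        findings.append("TLSAllowTrustExceptions=true re-enables the certificate "
                        "dialogue despite a pinned server list")
    if effective_eap_fast(cfg)["provision_anonymously"]:
        findings.append("EAPFASTProvisionPACAnonymously=true: PAC provisioning "
                        "does not authenticate the server")
    if "OuterIdentity" not in cfg:
        findings.append("OuterIdentity not set: the real user name is sent "
                        "outside the TLS tunnel")
    return findings


def to_plist(cfg):
    """Serialize as XML plist, the form the dictionary takes inside a profile."""
    return plistlib.dumps(cfg, fmt=plistlib.FMT_XML)


def from_plist(data):
    """Parse an XML plist back into a dictionary."""
    return plistlib.loads(data)


if __name__ == "__main__":
    print(to_plist(HARDENED_EAP_CONFIG).decode())
    for name, cfg in (("hardened", HARDENED_EAP_CONFIG), ("weak", WEAK_EAP_CONFIG)):
        print(name, effective_trust(cfg), effective_eap_fast(cfg))
        for f in audit(cfg) or ["no findings"]:
            print("  -", f)
```

Run it directly to print the plist XML and the findings for both dictionaries; the weak configuration trips three findings (no pinned server list, anonymous provisioning, no outer identity) while the hardened one trips none. The audit encodes only the rules stated on this page plus the general EAP-FAST caveat about anonymous provisioning; it does not validate the rest of a Wi-Fi payload.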