Apple Configurator

Configure EAP-TLS on Foxpass

Please follow the EAP-TLS initial setup guide to create client CA, server CA and SCEP endpoint if not configured already.

Create SCEP profile

• Download Apple Configurator Application.
• Click on SCEP in left menu

• Verify if the SCEP endpoint is created and configured correctly.
• URL - Obtain the URL from SCEP page. It will be mentioned below 'Unique Endpoint' heading on the SCEP page.
• Name - leave blank

🚧

Remember to always use "CN" in capitalized form.

• Subject - CN=<user's email address>
• Subject Alternative Name Value (optional) - RFC822: <user's email address>.
• Challenge - Copy the Challenge password from the SCEP page.
• Key Size: Note the key size should be 4096 bits.
• Fingerprint - Click 'Create from Certificate' and select the client CA certificate you downloaded earlier.

4. Add section for Server CA

• Go back to Apple Configurator 2. Click Certificates on the left side of your profile.

• Click Configure. Select 'Server CA' from the 'Downloads' folder. You will start seeing 'Server CA' as specified in the screenshot below:

5. Now, select WiFi option on the left side.

• By default, enterprise settings are selected to Protocols.
• SSID - Your network's SSID Note: this must match EXACTLY, including capital letters.
• Security Type - WPA/WPA 2 Enterprise or WPA2/WPA3 Enterprise depending on what you have configured in your Access Point.
• Protocols - TLS
• Identity Certificate - Select SCEP from the dropdown.

• Now select 'Trust' in 'Enterprise Settings'. Select the Server CA.

6. Save and test

   Go to your MAC System Settings, search Profiles > Install, view or remove configuration profiles. Click on the the profile you just configured in Apple Configurator 2. A dialog box will open to ask if you want to install the profile. Click 'Install'.

The profile will be installed and you can see a SCEP certificate under 'Client Certificates' on the EAP-TLS page.

If all well, you will be able to connect to your SSID.