
Mac OS X Panther 802.1x Wireless Instructions

Panther Warning Note
Please note that the Meetinghouse AEGIS client will *NOT* work with Panther. Fortunately, Panther has a built-in 802.1x client that works quite well.

Please do not install the AEGIS client if you are using Mac OS X 10.3. If you have already installed the client, or you are upgrading from Jaguar, and you would like to remove the AEGIS client from your system, please refer to the Meetinghouse instruction manual located in the "Documents" directory in the root of your hard drive.

We highly recommend that you also check out the Panther Known Issues section located at the bottom of this document, as it contains information regarding known problems with the client.
  • Install the network card, if necessary. Refer to your Airport manual for instructions on how to do this.
  • Set up TCP/IP for DHCP in the Airport settings.
  • Configure the Panther 802.1x client.

802.1x is currently available only on the wireless network. The wired network will be moved to 802.1x at some point in the future when we have 802.1x-capable switches. In the meantime, please continue to use the existing web page authentication for wired port access.

These instructions are for Mac OS X Airport only. Because of the lack of a public wireless API in Mac OS X, developers are unable to easily write an 802.1x client that can support dynamic WEP on the various different cards that may have Mac OS X support, and because of that, Panther's 802.1x client will only work with Airport cards.

This is an issue that we feel Apple should address, so please write them and express the need for a public wireless API so that developers can more easily support 3rd party cards.

We've changed our network ID to "BC-WiFi", and it should be the case that any campus network named "BC-WiFi" is an 802.1x-enabled network. You should be able to authenticate to these networks with no configuration changes, provided you use the method recommended below for maximum usability of 802.1x.


Set up TCP/IP for DHCP

You will need administration access to do this step. (The first account created will have administrator rights.)

From the desktop click on the Apple menu.

Choose 'System Preferences...':

You should see a window that looks similar to this:

[Screenshot: System Preferences]



Click on the 'Network' icon.

If you are not logged in as a system administrator, click on the lock at the bottom left-hand corner of the window, and log in.

We recommend creating a new location. To do this, click on the "Location: " drop-down menu and select "New Location..."

I'm going to call this location "BC-WiFi". You can name yours whatever you like.

You'll need to choose which interface to configure from the "Show: " drop-down.
My laptop has both Ethernet and Airport, as well as a modem. Since 802.1x is only currently available on wireless, I'll choose Airport.

Select "Airport" from the Network panel's "Show: " drop-down menu.

Under the TCP/IP tab, set "Configure IPv4:" to "Using DHCP" and make sure that the "DNS Servers (Optional)" field is blank.

Everything else should be blank as well. Your window should look similar to this:

[Screenshot: Airport Configured]


Client Configuration


  1. Click on the Airport icon in the OS X menu bar's top right hand corner, turn Airport on if it isn't already, and select "Open Internet Connect..." at the bottom.

    [Screenshot: Panther Menubar]


  2. Go into the File menu and select "New 802.1X connection" (or use the Shift-Command-X shortcut).



  3. Under the 802.1X selection, select "Edit Configurations..." from the Configuration pull-down menu.
    [Screenshot: Internet Connect]

    [Screenshot: 802.1x Configuration Sheet]

  4. Fill in the User Name with your E-mail username.
  5. Put the password you use to register for classes in the Password field.
  6. Select "BC-WiFi" from the Wireless Network drop down box.
  7. Make sure that "TTLS" is the ONLY active authentication type.
  8. Select TTLS and click the "Configure..." button.

    [Screenshot: 802.1x TTLS Options Window]


  9. Select "PAP" from the TTLS Inner Authentication pull-down menu.
  10. Click OK; the TTLS config window closes.
  11. Click OK in the 802.1X configuration window to save the settings and close it.

    [Screenshot: Internet Connect]

  12. Click "Connect" in the Internet Connect window.
  13. At this point you should be prompted for a certificate.


  14. Click "Accept All" in the Server Certificate window.


  15. The Confirm Access to Keychain window should open.


    Click "Always Allow" to finish the authentication process.


Security Warning!
You may be prompted for multiple servers, depending on where you are on campus. This is not a problem; it has to do with the way the authentication system is organized and how Panther handles 802.1x. However, you should pay attention to the certificates that are presented. If you feel that you are being presented with a fake certificate, do not accept it, and please let us know. (Please give us as much information as possible.)


Note: This first attempt at authentication may fail. If so, click the "Disconnect" button in the Internet Connect window. The button changes back to "Connect"; click it to try to reconnect.

Panther Known Issues:
The following issues exist with Mac OS X Panther 10.3:

  • Client doesn't auto-connect on boot or login.

    Panther (10.3) contains a bug where the operating system fails to authenticate to 802.1x enabled networks on login, including bootup. What's worse is that the Airport menu item will associate to the network, so the Airport Menu Item shows association. One thing that users should be aware of is that association does not indicate network connectivity. To ensure that an 802.1x authentication has succeeded, open Internet Connect and click on the 802.1x icon.

    After login, if a network is chosen from the Airport Menu Item, networks will be authenticated to automatically, which is the desired behavior upon login as well. The login bug has been reported to Apple. In the meantime, use Internet Connect if you suspect that you are not authenticated to the network.

  • Misconfiguration can occur due to a bug in the 802.1x client.

    If the Panther 802.1x client is not configured properly for TTLS->PAP, or if settings are changed in a certain way, it is possible to reset the TTLS inner authentication type to MSCHAPv2. This is a bug, and it has been reported to Apple. To ensure that your configuration does not get reset, please only configure 802.1x settings from the Edit Configuration sheet. If you edit any of the settings in the 802.1x authentication window, such as your username, password, or network name, and then tell Internet Connect to save your configuration, the TTLS inner type will reset to MSCHAPv2.


Published by Information Technology Services  


