line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
|
|
|
|
|
|
# This is the code for Config::Apple::Profile::Payload::WiFi::EAPClientConfiguration. |
2
|
|
|
|
|
|
|
# For Copyright, please see the bottom of the file. |
3
|
|
|
|
|
|
|
|
4
|
|
|
|
|
|
|
package Config::Apple::Profile::Payload::WiFi::EAPClientConfiguration; |
5
|
|
|
|
|
|
|
|
6
|
3
|
|
|
3
|
|
1885
|
use 5.10.1; |
|
3
|
|
|
|
|
8
|
|
|
3
|
|
|
|
|
104
|
|
7
|
3
|
|
|
3
|
|
11
|
use strict; |
|
3
|
|
|
|
|
3
|
|
|
3
|
|
|
|
|
76
|
|
8
|
3
|
|
|
3
|
|
12
|
use warnings FATAL => 'all'; |
|
3
|
|
|
|
|
4
|
|
|
3
|
|
|
|
|
86
|
|
9
|
3
|
|
|
3
|
|
11
|
use base qw(Config::Apple::Profile::Payload::Common); |
|
3
|
|
|
|
|
5
|
|
|
3
|
|
|
|
|
613
|
|
10
|
|
|
|
|
|
|
|
11
|
|
|
|
|
|
|
our $VERSION = '0.87.1'; |
12
|
|
|
|
|
|
|
|
13
|
3
|
|
|
3
|
|
358
|
use Config::Apple::Profile::Config; |
|
3
|
|
|
|
|
4
|
|
|
3
|
|
|
|
|
106
|
|
14
|
3
|
|
|
3
|
|
13
|
use Config::Apple::Profile::Payload::Common; |
|
3
|
|
|
|
|
3
|
|
|
3
|
|
|
|
|
67
|
|
15
|
3
|
|
|
3
|
|
11
|
use Config::Apple::Profile::Payload::Types qw(:all); |
|
3
|
|
|
|
|
5
|
|
|
3
|
|
|
|
|
463
|
|
16
|
3
|
|
|
3
|
|
16
|
use Config::Apple::Profile::Targets qw(:all); |
|
3
|
|
|
|
|
3
|
|
|
3
|
|
|
|
|
261
|
|
17
|
3
|
|
|
3
|
|
15
|
use Readonly; |
|
3
|
|
|
|
|
4
|
|
|
3
|
|
|
|
|
1720
|
|
18
|
|
|
|
|
|
|
|
19
|
|
|
|
|
|
|
|
20
|
|
|
|
|
|
|
=encoding utf8 |
21
|
|
|
|
|
|
|
|
22
|
|
|
|
|
|
|
=head1 NAME |
23
|
|
|
|
|
|
|
|
24
|
|
|
|
|
|
|
Config::Apple::Profile::Payload::Wi-Fi::EAPClientConfiguration - Class for the |
25
|
|
|
|
|
|
|
EAPClientConfiguration payload key in the Wi-Fi payload. |
26
|
|
|
|
|
|
|
|
27
|
|
|
|
|
|
|
=head1 DESCRIPTION |
28
|
|
|
|
|
|
|
|
29
|
|
|
|
|
|
|
This class implements part of the Wi-Fi payload. Specifically, this class |
30
|
|
|
|
|
|
|
implements the C dictionary. This contains all of the |
31
|
|
|
|
|
|
|
EAP configuration when WPA-Enterprise or WPA2-Enterprise is being used on a |
32
|
|
|
|
|
|
|
Wi-Fi network. |
33
|
|
|
|
|
|
|
|
34
|
|
|
|
|
|
|
Even though this class is not a payload in its own right, it can be treated as |
35
|
|
|
|
|
|
|
a payload. |
36
|
|
|
|
|
|
|
|
37
|
|
|
|
|
|
|
|
38
|
|
|
|
|
|
|
=head1 INSTANCE METHODS |
39
|
|
|
|
|
|
|
|
40
|
|
|
|
|
|
|
The following instance methods are provided by this class. |
41
|
|
|
|
|
|
|
|
42
|
|
|
|
|
|
|
|
43
|
|
|
|
|
|
|
=head2 validate_key($key, $value) |
44
|
|
|
|
|
|
|
|
45
|
|
|
|
|
|
|
Performs additional validation for certain payload keys in this class: |
46
|
|
|
|
|
|
|
|
47
|
|
|
|
|
|
|
=over 4 |
48
|
|
|
|
|
|
|
|
49
|
|
|
|
|
|
|
=item * C |
50
|
|
|
|
|
|
|
|
51
|
|
|
|
|
|
|
This must be C<13>, C<17>, C<18>, C<21>, C<23>, C<25>, or C<43>. |
52
|
|
|
|
|
|
|
|
53
|
|
|
|
|
|
|
=item * C |
54
|
|
|
|
|
|
|
|
55
|
|
|
|
|
|
|
Only valid host and domain names are allowed, although the asterisk (C<*>) is |
56
|
|
|
|
|
|
|
acceptable as a wildcard. |
57
|
|
|
|
|
|
|
|
58
|
|
|
|
|
|
|
=item * C |
59
|
|
|
|
|
|
|
|
60
|
|
|
|
|
|
|
This must be either C<2> or C<3>. |
61
|
|
|
|
|
|
|
|
62
|
|
|
|
|
|
|
=item * C |
63
|
|
|
|
|
|
|
|
64
|
|
|
|
|
|
|
This must be C, C, C, or C. |
65
|
|
|
|
|
|
|
|
66
|
|
|
|
|
|
|
=back |
67
|
|
|
|
|
|
|
|
68
|
|
|
|
|
|
|
All other payload keys will be checked as usual by the parent class. |
69
|
|
|
|
|
|
|
|
70
|
|
|
|
|
|
|
See also the documentation in L. |
71
|
|
|
|
|
|
|
|
72
|
|
|
|
|
|
|
=cut |
73
|
|
|
|
|
|
|
|
74
|
|
|
|
|
|
|
# $TLSTrustedServerNames_regex matches hostnames, but allows * as a wildcard |
75
|
|
|
|
|
|
|
# character. It is based on $RE{net}{domain}{-keep}{-nospace} from |
76
|
|
|
|
|
|
|
# Regexp::Common by Damien Conway and Abigail, but rewritten because that |
77
|
|
|
|
|
|
|
# module's code is not available under the GPL2, which we are. |
78
|
|
|
|
|
|
|
Readonly my $TLSTrustedServerNames_hostname => qr/ |
79
|
|
|
|
|
|
|
[A-Z0-9*] # First character can be a letter or a digit |
80
|
|
|
|
|
|
|
(?: # We don't have to have more than 1 character, but... |
81
|
|
|
|
|
|
|
[-A-Z0-9*]{0,253} # Middle characters allow hyphens |
82
|
|
|
|
|
|
|
[A-Z0-9*] # End character is a letter or a digit |
83
|
|
|
|
|
|
|
)? |
84
|
|
|
|
|
|
|
/ix; |
85
|
|
|
|
|
|
|
Readonly my $TLSTrustedServerNames_regex => qr/ |
86
|
|
|
|
|
|
|
^( # Match the whole string; capture the match |
87
|
|
|
|
|
|
|
$TLSTrustedServerNames_hostname # We need at least 1 hostname |
88
|
|
|
|
|
|
|
(?: |
89
|
|
|
|
|
|
|
\. # Domains require a dot before subsequent |
90
|
|
|
|
|
|
|
$TLSTrustedServerNames_hostname # hostnames, but… |
91
|
|
|
|
|
|
|
)* # We don't have to have a domain name. |
92
|
|
|
|
|
|
|
)$ |
93
|
|
|
|
|
|
|
/isx; |
94
|
|
|
|
|
|
|
|
95
|
|
|
|
|
|
|
sub validate_key { |
96
|
41
|
|
|
41
|
1
|
53
|
my ($self, $key, $value) = @_; |
97
|
|
|
|
|
|
|
|
98
|
|
|
|
|
|
|
# Let's start by letting the parent do the generic validation. |
99
|
41
|
|
|
|
|
162
|
my $parent_value = $self->SUPER::validate_key($key, $value); |
100
|
41
|
100
|
|
|
|
244
|
return $parent_value if !defined $parent_value; |
101
|
|
|
|
|
|
|
|
102
|
|
|
|
|
|
|
# Let's check over some of our keys |
103
|
|
|
|
|
|
|
# Only allow EAP-type values for AcceptEAPTypes |
104
|
39
|
100
|
|
|
|
97
|
if ($key eq 'AcceptEAPTypes') { |
|
|
100
|
|
|
|
|
|
|
|
100
|
|
|
|
|
|
|
|
50
|
|
|
|
|
|
105
|
18
|
100
|
100
|
|
|
193
|
unless ( ($value == 13) |
|
|
|
100
|
|
|
|
|
|
|
|
100
|
|
|
|
|
|
|
|
100
|
|
|
|
|
|
|
|
100
|
|
|
|
|
|
|
|
100
|
|
|
|
|
106
|
|
|
|
|
|
|
|| ($value == 17) |
107
|
|
|
|
|
|
|
|| ($value == 18) |
108
|
|
|
|
|
|
|
|| ($value == 21) |
109
|
|
|
|
|
|
|
|| ($value == 23) |
110
|
|
|
|
|
|
|
|| ($value == 25) |
111
|
|
|
|
|
|
|
|| ($value == 43) |
112
|
|
|
|
|
|
|
) { |
113
|
|
|
|
|
|
|
## no critic (ProhibitExplicitReturnUndef) |
114
|
11
|
|
|
|
|
33
|
return undef; |
115
|
|
|
|
|
|
|
## use critic |
116
|
|
|
|
|
|
|
} |
117
|
|
|
|
|
|
|
} |
118
|
|
|
|
|
|
|
|
119
|
|
|
|
|
|
|
# TLSTrustedServerNames allows hostnames and domains, but also allows * as |
120
|
|
|
|
|
|
|
# a wildcard character. |
121
|
|
|
|
|
|
|
elsif ($key eq 'TLSTrustedServerNames') { |
122
|
10
|
100
|
|
|
|
31
|
if ($value =~ $TLSTrustedServerNames_regex) { |
123
|
5
|
|
|
|
|
63
|
return $1; |
124
|
|
|
|
|
|
|
} |
125
|
|
|
|
|
|
|
else { |
126
|
|
|
|
|
|
|
## no critic (ProhibitExplicitReturnUndef) |
127
|
5
|
|
|
|
|
56
|
return undef; |
128
|
|
|
|
|
|
|
## use critic |
129
|
|
|
|
|
|
|
} |
130
|
|
|
|
|
|
|
} |
131
|
|
|
|
|
|
|
|
132
|
|
|
|
|
|
|
# Only allow certain values for TTLSInnerAuthentication |
133
|
|
|
|
|
|
|
elsif ($key eq 'TTLSInnerAuthentication') { |
134
|
7
|
100
|
100
|
|
|
48
|
unless ( ($value eq 'PAP') |
|
|
|
100
|
|
|
|
|
|
|
|
100
|
|
|
|
|
135
|
|
|
|
|
|
|
|| ($value eq 'CHAP') |
136
|
|
|
|
|
|
|
|| ($value eq 'MSCHAP') |
137
|
|
|
|
|
|
|
|| ($value eq 'MSCHAPv2') |
138
|
|
|
|
|
|
|
) { |
139
|
|
|
|
|
|
|
## no critic (ProhibitExplicitReturnUndef) |
140
|
3
|
|
|
|
|
9
|
return undef; |
141
|
|
|
|
|
|
|
## use critic |
142
|
|
|
|
|
|
|
} |
143
|
|
|
|
|
|
|
} |
144
|
|
|
|
|
|
|
|
145
|
|
|
|
|
|
|
# EAPSIMNumberOfRANDs must be 2 or 3 |
146
|
|
|
|
|
|
|
elsif ($key eq 'EAPSIMNumberOfRANDs') { |
147
|
|
|
|
|
|
|
## no critic (ProhibitExplicitReturnUndef) |
148
|
4
|
100
|
100
|
|
|
22
|
return undef unless (($value == 2) || ($value == 3)); |
149
|
|
|
|
|
|
|
## use critic |
150
|
|
|
|
|
|
|
} |
151
|
|
|
|
|
|
|
|
152
|
|
|
|
|
|
|
# At this point, we've checked all of our special keys and we're good! |
153
|
13
|
|
|
|
|
33
|
return $value; |
154
|
|
|
|
|
|
|
} |
155
|
|
|
|
|
|
|
|
156
|
|
|
|
|
|
|
|
157
|
|
|
|
|
|
|
=head1 PAYLOAD KEYS |
158
|
|
|
|
|
|
|
|
159
|
|
|
|
|
|
|
This payload has the following keys: |
160
|
|
|
|
|
|
|
|
161
|
|
|
|
|
|
|
|
162
|
|
|
|
|
|
|
=head2 C |
163
|
|
|
|
|
|
|
|
164
|
|
|
|
|
|
|
This is an I, where each number represents one type of EAP |
165
|
|
|
|
|
|
|
method to use. |
166
|
|
|
|
|
|
|
|
167
|
|
|
|
|
|
|
At least one EAP method must be specified. The following EAP methods are |
168
|
|
|
|
|
|
|
supported: |
169
|
|
|
|
|
|
|
|
170
|
|
|
|
|
|
|
=over 4 |
171
|
|
|
|
|
|
|
|
172
|
|
|
|
|
|
|
=item C<13> = EAP-TLS |
173
|
|
|
|
|
|
|
|
174
|
|
|
|
|
|
|
As defined in RFC 5216, available at L. |
175
|
|
|
|
|
|
|
The client is authenticated using an identity certificate. |
176
|
|
|
|
|
|
|
|
177
|
|
|
|
|
|
|
=item C<17> = LEAP |
178
|
|
|
|
|
|
|
|
179
|
|
|
|
|
|
|
The Cisco-developed protocol. This should not be used for new environments. |
180
|
|
|
|
|
|
|
|
181
|
|
|
|
|
|
|
=item C<18> = EAP-SIM |
182
|
|
|
|
|
|
|
|
183
|
|
|
|
|
|
|
As defined in RFC 4186, available at L. |
184
|
|
|
|
|
|
|
The client is authenticated using their phone's SIM, using challenge-response. |
185
|
|
|
|
|
|
|
|
186
|
|
|
|
|
|
|
=item C<21> = EAP-TTLS |
187
|
|
|
|
|
|
|
|
188
|
|
|
|
|
|
|
As defined in RFC 5281, available at L. |
189
|
|
|
|
|
|
|
The client is authenticated using a username & password, but that authentication |
190
|
|
|
|
|
|
|
takes place inside of a TLS connection. |
191
|
|
|
|
|
|
|
|
192
|
|
|
|
|
|
|
=item C<23> = EAP-AKA |
193
|
|
|
|
|
|
|
|
194
|
|
|
|
|
|
|
As defined in RFC 5448, available at L. |
195
|
|
|
|
|
|
|
The client is authenticated using their phone's USIM, using challenge-response. |
196
|
|
|
|
|
|
|
|
197
|
|
|
|
|
|
|
=item C<25> = PEAP |
198
|
|
|
|
|
|
|
|
199
|
|
|
|
|
|
|
=item C<43> = EAP-FAST |
200
|
|
|
|
|
|
|
|
201
|
|
|
|
|
|
|
As defined in RFC 4581, available at L. |
202
|
|
|
|
|
|
|
The client is authenticated using a pre-shared credential, or (if none is |
203
|
|
|
|
|
|
|
available) some other EAP method, embedded in a TLS connection. |
204
|
|
|
|
|
|
|
|
205
|
|
|
|
|
|
|
=back |
206
|
|
|
|
|
|
|
|
207
|
|
|
|
|
|
|
If multiple EAP types are listed, Apple's documentataion does not specify the |
208
|
|
|
|
|
|
|
order that they will be used. |
209
|
|
|
|
|
|
|
|
210
|
|
|
|
|
|
|
|
211
|
|
|
|
|
|
|
=head2 Basic Authentication Parameters |
212
|
|
|
|
|
|
|
|
213
|
|
|
|
|
|
|
=head3 C |
214
|
|
|
|
|
|
|
|
215
|
|
|
|
|
|
|
I |
216
|
|
|
|
|
|
|
|
217
|
|
|
|
|
|
|
A I. This is the exact username to use. If not provided, the user will |
218
|
|
|
|
|
|
|
be asked to enter this information during authentication. |
219
|
|
|
|
|
|
|
|
220
|
|
|
|
|
|
|
|
221
|
|
|
|
|
|
|
=head3 C |
222
|
|
|
|
|
|
|
|
223
|
|
|
|
|
|
|
I, relevent only to TTLS, PEAP, and FAST. |
224
|
|
|
|
|
|
|
|
225
|
|
|
|
|
|
|
A I. If present, the value of this string will be used as the username |
226
|
|
|
|
|
|
|
outside of the encrypted tunnel; the real username will only be passed inside |
227
|
|
|
|
|
|
|
the encrypted tunnel. |
228
|
|
|
|
|
|
|
|
229
|
|
|
|
|
|
|
|
230
|
|
|
|
|
|
|
=head3 C |
231
|
|
|
|
|
|
|
|
232
|
|
|
|
|
|
|
I |
233
|
|
|
|
|
|
|
|
234
|
|
|
|
|
|
|
A I. If a password is used during authentication, it will be taken from |
235
|
|
|
|
|
|
|
here. If a password is needed, but not already provided, then the user will |
236
|
|
|
|
|
|
|
be prompted. |
237
|
|
|
|
|
|
|
|
238
|
|
|
|
|
|
|
|
239
|
|
|
|
|
|
|
=head3 C |
240
|
|
|
|
|
|
|
|
241
|
|
|
|
|
|
|
I |
242
|
|
|
|
|
|
|
|
243
|
|
|
|
|
|
|
A I. If C, then the user will be asked for a password every time |
244
|
|
|
|
|
|
|
the device connects to the wireless network. If C, the password will be |
245
|
|
|
|
|
|
|
saved for future connections to the wireless network. |
246
|
|
|
|
|
|
|
|
247
|
|
|
|
|
|
|
Default is C. |
248
|
|
|
|
|
|
|
|
249
|
|
|
|
|
|
|
|
250
|
|
|
|
|
|
|
=head2 TLS Configuration |
251
|
|
|
|
|
|
|
|
252
|
|
|
|
|
|
|
=head3 C |
253
|
|
|
|
|
|
|
|
254
|
|
|
|
|
|
|
I, used by authentication methods that provide a TLS certificate. |
255
|
|
|
|
|
|
|
|
256
|
|
|
|
|
|
|
An I. The UUIDs point to I payloads that have |
257
|
|
|
|
|
|
|
been loaded onto the device, either as part of this profile or via an already- |
258
|
|
|
|
|
|
|
installed profile. |
259
|
|
|
|
|
|
|
|
260
|
|
|
|
|
|
|
When the EAP server provides their TLS certificate, the |
261
|
|
|
|
|
|
|
device must confirm that the server's certificate is trusted. If this array is |
262
|
|
|
|
|
|
|
provided, the device will use it as the list of trusted certificates, for the |
263
|
|
|
|
|
|
|
purposes of certificate verification and trust. |
264
|
|
|
|
|
|
|
|
265
|
|
|
|
|
|
|
The EAP server's certificate must pass this test, as well as the test defined in |
266
|
|
|
|
|
|
|
L>, before the certificate will be trusted. |
267
|
|
|
|
|
|
|
|
268
|
|
|
|
|
|
|
See L for more information on the |
269
|
|
|
|
|
|
|
certificate payload types. See also L>. |
270
|
|
|
|
|
|
|
|
271
|
|
|
|
|
|
|
|
272
|
|
|
|
|
|
|
=head3 C |
273
|
|
|
|
|
|
|
|
274
|
|
|
|
|
|
|
I, used by authentication methods that provide a TLS certificate. |
275
|
|
|
|
|
|
|
|
276
|
|
|
|
|
|
|
An I. Each string is a domain name, with the C<*> wildcard |
277
|
|
|
|
|
|
|
allowed. When the EAP server presents its certificate, the certificate's |
278
|
|
|
|
|
|
|
common name will be checked against this list; if the common name does not |
279
|
|
|
|
|
|
|
match any of the patterns in the list, the certificate will not be trusted. |
280
|
|
|
|
|
|
|
|
281
|
|
|
|
|
|
|
The EAP server's certificate must pass this test, as well as the test defined in |
282
|
|
|
|
|
|
|
L>, before the certificate will be trusted. |
283
|
|
|
|
|
|
|
|
284
|
|
|
|
|
|
|
See also L>. |
285
|
|
|
|
|
|
|
|
286
|
|
|
|
|
|
|
|
287
|
|
|
|
|
|
|
=head3 C |
288
|
|
|
|
|
|
|
|
289
|
|
|
|
|
|
|
I, used by authentication methods that provide a TLS certificate. |
290
|
|
|
|
|
|
|
|
291
|
|
|
|
|
|
|
A I. |
292
|
|
|
|
|
|
|
|
293
|
|
|
|
|
|
|
Certificate trust is automatically determined using the payload keys |
294
|
|
|
|
|
|
|
C and C. If both keys are |
295
|
|
|
|
|
|
|
undefined, then automatic validation fails. If both keys are defined, and |
296
|
|
|
|
|
|
|
either test failed, the automatic validation fails. If only one key is defined, |
297
|
|
|
|
|
|
|
then automatic validation fails if that one test fails. |
298
|
|
|
|
|
|
|
|
299
|
|
|
|
|
|
|
If this key is true, and automatic validation had failed, then the user will be |
300
|
|
|
|
|
|
|
given the option to explicitly trust the certificate, or to cancel the |
301
|
|
|
|
|
|
|
connection attempt. If this key is false, then the user will not be given any |
302
|
|
|
|
|
|
|
option; if automatic validation fails, then the connection fails. |
303
|
|
|
|
|
|
|
|
304
|
|
|
|
|
|
|
The default value is not fixed: If either C or |
305
|
|
|
|
|
|
|
C is defined, then the default value is C. If |
306
|
|
|
|
|
|
|
both C and C are undefined, |
307
|
|
|
|
|
|
|
then the default value is C. |
308
|
|
|
|
|
|
|
|
309
|
|
|
|
|
|
|
|
310
|
|
|
|
|
|
|
=head3 C |
311
|
|
|
|
|
|
|
|
312
|
|
|
|
|
|
|
I, relevent only to PEAP, EAP-TTLS, EAP-FAST, and EAP-TLS. |
313
|
|
|
|
|
|
|
I. |
314
|
|
|
|
|
|
|
|
315
|
|
|
|
|
|
|
If C, allows for two-factor authentication for PEAP, EAP-TTLS, and |
316
|
|
|
|
|
|
|
EAP-FAST. If C, allowes for zero-factor authentication for EAP-TLS. |
317
|
|
|
|
|
|
|
|
318
|
|
|
|
|
|
|
The default value is not fixed. If EAP-TLS is being used, then the default is |
319
|
|
|
|
|
|
|
C. For all other EAP types, the default is C. |
320
|
|
|
|
|
|
|
|
321
|
|
|
|
|
|
|
|
322
|
|
|
|
|
|
|
=head2 EAP-TTLS Configruation |
323
|
|
|
|
|
|
|
|
324
|
|
|
|
|
|
|
The key in this section is only used with EAP-TTLS. |
325
|
|
|
|
|
|
|
|
326
|
|
|
|
|
|
|
|
327
|
|
|
|
|
|
|
=head3 C |
328
|
|
|
|
|
|
|
|
329
|
|
|
|
|
|
|
I |
330
|
|
|
|
|
|
|
|
331
|
|
|
|
|
|
|
A I. This the the authentication method used inside the tunnel. Valid |
332
|
|
|
|
|
|
|
values are: |
333
|
|
|
|
|
|
|
|
334
|
|
|
|
|
|
|
=over 4 |
335
|
|
|
|
|
|
|
|
336
|
|
|
|
|
|
|
=item C |
337
|
|
|
|
|
|
|
|
338
|
|
|
|
|
|
|
=item C |
339
|
|
|
|
|
|
|
|
340
|
|
|
|
|
|
|
=item C |
341
|
|
|
|
|
|
|
|
342
|
|
|
|
|
|
|
=item C |
343
|
|
|
|
|
|
|
|
344
|
|
|
|
|
|
|
=back |
345
|
|
|
|
|
|
|
|
346
|
|
|
|
|
|
|
The default is C. |
347
|
|
|
|
|
|
|
|
348
|
|
|
|
|
|
|
|
349
|
|
|
|
|
|
|
=head2 EAP-FAST Configuration |
350
|
|
|
|
|
|
|
|
351
|
|
|
|
|
|
|
The keys in this section are only used with EAP-FAST. |
352
|
|
|
|
|
|
|
|
353
|
|
|
|
|
|
|
|
354
|
|
|
|
|
|
|
=head3 C |
355
|
|
|
|
|
|
|
|
356
|
|
|
|
|
|
|
I |
357
|
|
|
|
|
|
|
|
358
|
|
|
|
|
|
|
A I. If an existing PAC is present, and this key is C, then |
359
|
|
|
|
|
|
|
use the existing PAC. Otherwise, the server must use a certificate to prove |
360
|
|
|
|
|
|
|
its identity. |
361
|
|
|
|
|
|
|
|
362
|
|
|
|
|
|
|
Default is C. |
363
|
|
|
|
|
|
|
|
364
|
|
|
|
|
|
|
|
365
|
|
|
|
|
|
|
=head3 C |
366
|
|
|
|
|
|
|
|
367
|
|
|
|
|
|
|
I |
368
|
|
|
|
|
|
|
|
369
|
|
|
|
|
|
|
A I. If C, allow PAC provisioning. This key has no effect |
370
|
|
|
|
|
|
|
unless C is C. |
371
|
|
|
|
|
|
|
|
372
|
|
|
|
|
|
|
Default is C. |
373
|
|
|
|
|
|
|
|
374
|
|
|
|
|
|
|
|
375
|
|
|
|
|
|
|
=head3 C |
376
|
|
|
|
|
|
|
|
377
|
|
|
|
|
|
|
I |
378
|
|
|
|
|
|
|
|
379
|
|
|
|
|
|
|
A I. If C, the PAC may be provisioned anonymously. |
380
|
|
|
|
|
|
|
|
381
|
|
|
|
|
|
|
B Anonymous PAC provisioning has known man-in-the-middle attacks. If |
382
|
|
|
|
|
|
|
PAC provisioning is used, this key shoudl be set to C. |
383
|
|
|
|
|
|
|
|
384
|
|
|
|
|
|
|
Default is C. |
385
|
|
|
|
|
|
|
|
386
|
|
|
|
|
|
|
|
387
|
|
|
|
|
|
|
=head3 C |
388
|
|
|
|
|
|
|
|
389
|
|
|
|
|
|
|
I |
390
|
|
|
|
|
|
|
|
391
|
|
|
|
|
|
|
A I, either C<2> or C<3>. This is the number of RANDs expected for |
392
|
|
|
|
|
|
|
EAP-SIM. |
393
|
|
|
|
|
|
|
|
394
|
|
|
|
|
|
|
Default is C<3>. |
395
|
|
|
|
|
|
|
|
396
|
|
|
|
|
|
|
=cut |
397
|
|
|
|
|
|
|
|
398
|
|
|
|
|
|
|
Readonly our %payloadKeys => ( |
399
|
|
|
|
|
|
|
# We are NOT using the common keys. We are just defining our own. |
400
|
|
|
|
|
|
|
# Since we are not a separate payload, we will not be defining basic keys. |
401
|
|
|
|
|
|
|
|
402
|
|
|
|
|
|
|
# Basic configuration |
403
|
|
|
|
|
|
|
'AcceptEAPTypes' => { |
404
|
|
|
|
|
|
|
type => $ProfileArray, |
405
|
|
|
|
|
|
|
subtype => $ProfileNumber, |
406
|
|
|
|
|
|
|
description => 'The list of EAP types to accept.', |
407
|
|
|
|
|
|
|
targets => { |
408
|
|
|
|
|
|
|
$TargetIOS => '5.0', |
409
|
|
|
|
|
|
|
$TargetMACOSX => '10.7', |
410
|
|
|
|
|
|
|
}, |
411
|
|
|
|
|
|
|
}, |
412
|
|
|
|
|
|
|
|
413
|
|
|
|
|
|
|
# Authentication information |
414
|
|
|
|
|
|
|
'UserName' => { |
415
|
|
|
|
|
|
|
type => $ProfileString, |
416
|
|
|
|
|
|
|
description => 'The exact user name. If not present, the user is ' |
417
|
|
|
|
|
|
|
. 'prompted when they authenticate.', |
418
|
|
|
|
|
|
|
optional => 1, |
419
|
|
|
|
|
|
|
targets => { |
420
|
|
|
|
|
|
|
$TargetIOS => '5.0', |
421
|
|
|
|
|
|
|
$TargetMACOSX => '10.7', |
422
|
|
|
|
|
|
|
}, |
423
|
|
|
|
|
|
|
}, |
424
|
|
|
|
|
|
|
'OuterIdentity' => { |
425
|
|
|
|
|
|
|
type => $ProfileString, |
426
|
|
|
|
|
|
|
description => 'The outer identity to use in TTLS, PEAP, and EAP-FAST.', |
427
|
|
|
|
|
|
|
optional => 1, |
428
|
|
|
|
|
|
|
targets => { |
429
|
|
|
|
|
|
|
$TargetIOS => '5.0', |
430
|
|
|
|
|
|
|
$TargetMACOSX => '10.7', |
431
|
|
|
|
|
|
|
}, |
432
|
|
|
|
|
|
|
}, |
433
|
|
|
|
|
|
|
'UserPassword' => { |
434
|
|
|
|
|
|
|
type => $ProfileString, |
435
|
|
|
|
|
|
|
description => 'The password. If not present, the user is prompted ' |
436
|
|
|
|
|
|
|
. 'when they authenticate.', |
437
|
|
|
|
|
|
|
optional => 1, |
438
|
|
|
|
|
|
|
private => 1, |
439
|
|
|
|
|
|
|
targets => { |
440
|
|
|
|
|
|
|
$TargetIOS => '5.0', |
441
|
|
|
|
|
|
|
$TargetMACOSX => '10.7', |
442
|
|
|
|
|
|
|
}, |
443
|
|
|
|
|
|
|
}, |
444
|
|
|
|
|
|
|
'OneTimePassword' => { |
445
|
|
|
|
|
|
|
type => $ProfileBool, |
446
|
|
|
|
|
|
|
description => 'Prompt for password whenever connecting to the ' |
447
|
|
|
|
|
|
|
. 'wireless network. Default is false.', |
448
|
|
|
|
|
|
|
optional => 1, |
449
|
|
|
|
|
|
|
targets => { |
450
|
|
|
|
|
|
|
$TargetIOS => '5.0', |
451
|
|
|
|
|
|
|
$TargetMACOSX => '10.7', |
452
|
|
|
|
|
|
|
}, |
453
|
|
|
|
|
|
|
}, |
454
|
|
|
|
|
|
|
|
455
|
|
|
|
|
|
|
# TLS configuration |
456
|
|
|
|
|
|
|
'PayloadCertificateAnchorUUID' => { |
457
|
|
|
|
|
|
|
type => $ProfileArray, |
458
|
|
|
|
|
|
|
subtype => $ProfileUUID, |
459
|
|
|
|
|
|
|
description => 'A list of server certificate UUIDs to trust.', |
460
|
|
|
|
|
|
|
optional => 1, |
461
|
|
|
|
|
|
|
targets => { |
462
|
|
|
|
|
|
|
$TargetIOS => '5.0', |
463
|
|
|
|
|
|
|
$TargetMACOSX => '10.7', |
464
|
|
|
|
|
|
|
}, |
465
|
|
|
|
|
|
|
}, |
466
|
|
|
|
|
|
|
'TLSTrustedServerNames' => { |
467
|
|
|
|
|
|
|
type => $ProfileArray, |
468
|
|
|
|
|
|
|
subtype => $ProfileString, |
469
|
|
|
|
|
|
|
description => 'A list of common names to explicitly trust.', |
470
|
|
|
|
|
|
|
optional => 1, |
471
|
|
|
|
|
|
|
targets => { |
472
|
|
|
|
|
|
|
$TargetIOS => '5.0', |
473
|
|
|
|
|
|
|
$TargetMACOSX => '10.7', |
474
|
|
|
|
|
|
|
}, |
475
|
|
|
|
|
|
|
}, |
476
|
|
|
|
|
|
|
'TLSAllowTrustExceptions' => { |
477
|
|
|
|
|
|
|
type => $ProfileBool, |
478
|
|
|
|
|
|
|
description => 'Allow the user to choose to trust the server cert.', |
479
|
|
|
|
|
|
|
optional => 1, |
480
|
|
|
|
|
|
|
targets => { |
481
|
|
|
|
|
|
|
$TargetIOS => '5.0', |
482
|
|
|
|
|
|
|
$TargetMACOSX => '10.7', |
483
|
|
|
|
|
|
|
}, |
484
|
|
|
|
|
|
|
}, |
485
|
|
|
|
|
|
|
'TLSCertificateIsRequired' => { |
486
|
|
|
|
|
|
|
type => $ProfileBool, |
487
|
|
|
|
|
|
|
description => 'Varies depending on the EAP type used.', |
488
|
|
|
|
|
|
|
optional => 1, |
489
|
|
|
|
|
|
|
targets => { |
490
|
|
|
|
|
|
|
$TargetIOS => '7.0', |
491
|
|
|
|
|
|
|
$TargetMACOSX => '10.7', |
492
|
|
|
|
|
|
|
}, |
493
|
|
|
|
|
|
|
}, |
494
|
|
|
|
|
|
|
|
495
|
|
|
|
|
|
|
# TTLS Configuration |
496
|
|
|
|
|
|
|
'TTLSInnerAuthentication' => { |
497
|
|
|
|
|
|
|
type => $ProfileString, |
498
|
|
|
|
|
|
|
description => 'The inner authentication method to use with TTLS.', |
499
|
|
|
|
|
|
|
optional => 1, |
500
|
|
|
|
|
|
|
targets => { |
501
|
|
|
|
|
|
|
$TargetIOS => '5.0', |
502
|
|
|
|
|
|
|
$TargetMACOSX => '10.7', |
503
|
|
|
|
|
|
|
}, |
504
|
|
|
|
|
|
|
}, |
505
|
|
|
|
|
|
|
|
506
|
|
|
|
|
|
|
# EAP-FAST Configuration |
507
|
|
|
|
|
|
|
'EAPFASTUsePAC' => { |
508
|
|
|
|
|
|
|
type => $ProfileBool, |
509
|
|
|
|
|
|
|
description => 'If trust, use a PAC if available. Default is false.', |
510
|
|
|
|
|
|
|
optional => 1, |
511
|
|
|
|
|
|
|
targets => { |
512
|
|
|
|
|
|
|
$TargetIOS => '5.0', |
513
|
|
|
|
|
|
|
$TargetMACOSX => '10.7', |
514
|
|
|
|
|
|
|
}, |
515
|
|
|
|
|
|
|
}, |
516
|
|
|
|
|
|
|
'EAPFASTProvisionPAC' => { |
517
|
|
|
|
|
|
|
type => $ProfileBool, |
518
|
|
|
|
|
|
|
description => 'Allow PAC provisioning.', |
519
|
|
|
|
|
|
|
optional => 1, |
520
|
|
|
|
|
|
|
targets => { |
521
|
|
|
|
|
|
|
$TargetIOS => '5.0', |
522
|
|
|
|
|
|
|
$TargetMACOSX => '10.7', |
523
|
|
|
|
|
|
|
}, |
524
|
|
|
|
|
|
|
}, |
525
|
|
|
|
|
|
|
'EAPFASTProvisionPACAnonymously' => { |
526
|
|
|
|
|
|
|
type => $ProfileBool, |
527
|
|
|
|
|
|
|
description => '[UNSAFE] Provision PAC anonymously. Defaults to false.', |
528
|
|
|
|
|
|
|
optional => 1, |
529
|
|
|
|
|
|
|
targets => { |
530
|
|
|
|
|
|
|
$TargetIOS => '5.0', |
531
|
|
|
|
|
|
|
$TargetMACOSX => '10.7', |
532
|
|
|
|
|
|
|
}, |
533
|
|
|
|
|
|
|
}, |
534
|
|
|
|
|
|
|
'EAPSIMNumberOfRANDs' => { |
535
|
|
|
|
|
|
|
type => $ProfileNumber, |
536
|
|
|
|
|
|
|
description => 'The number of expected RANDs for EAP-SIM. Default is 3.', |
537
|
|
|
|
|
|
|
optional => 1, |
538
|
|
|
|
|
|
|
targets => { |
539
|
|
|
|
|
|
|
$TargetIOS => '5.0', |
540
|
|
|
|
|
|
|
$TargetMACOSX => '10.7', |
541
|
|
|
|
|
|
|
}, |
542
|
|
|
|
|
|
|
}, |
543
|
|
|
|
|
|
|
); # End of %payloadKeys |
544
|
|
|
|
|
|
|
|
545
|
|
|
|
|
|
|
|
546
|
|
|
|
|
|
|
=head1 ACKNOWLEDGEMENTS |
547
|
|
|
|
|
|
|
|
548
|
|
|
|
|
|
|
Refer to L for acknowledgements. |
549
|
|
|
|
|
|
|
|
550
|
|
|
|
|
|
|
|
551
|
|
|
|
|
|
|
=head1 AUTHOR |
552
|
|
|
|
|
|
|
|
553
|
|
|
|
|
|
|
A. Karl Kornel, C<< >> |
554
|
|
|
|
|
|
|
|
555
|
|
|
|
|
|
|
|
556
|
|
|
|
|
|
|
=head1 COPYRIGHT AND LICENSE |
557
|
|
|
|
|
|
|
|
558
|
|
|
|
|
|
|
Copyright © 2014 A. Karl Kornel. |
559
|
|
|
|
|
|
|
|
560
|
|
|
|
|
|
|
This program is free software; you can redistribute it and/or modify it |
561
|
|
|
|
|
|
|
under the terms of either: the GNU General Public License as published |
562
|
|
|
|
|
|
|
by the Free Software Foundation; or the Artistic License. |
563
|
|
|
|
|
|
|
|
564
|
|
|
|
|
|
|
See L for more information. |
565
|
|
|
|
|
|
|
|
566
|
|
|
|
|
|
|
=cut |
567
|
|
|
|
|
|
|
|
568
|
|
|
|
|
|
|
1; |