...
- Copy the .ca file generated during certificate generation onto the computer. '@@@1'
- Select the network's SSID from the list in Network Manager.
- When asked, enter the following information, then press connect:
CA certificate: Browse and select the .ca file
Identity: the username
Password: the password
Inner authentication: MSCHAPv2 (not "MSCHAPv2 (not EAP)" )
Leave all other fields as they are
...
On Mac OS and iPhone supplicants, when connecting to the SSID for the first time, the server certificate's details are presented to the user and the user is asked if they want to trust the server. In case the identity presented by the RADIUS server changes at any point, the user will be prompted with a message, not containing any warning, sadly, that looks identical to the one displayed when connecting for the first time, where a user is extremely likely to press Trust once again. On Mac OS, it is also possible to copy the .ca file and install it, avoiding the prompt on first connect, on iPhone, on the iPhone this was tested on, this this did not seem to have any effect. It seems to be possible, but greatly complicated (involving installing a software from the App Store, and using it to create a configuration profile which then needs to be saved to a file, copied and imported onto the supplicant device) to configure the supplicant to not send the real user name in the unencrypted outer tunnel.
...