eap-tls on apple watch?
-
So clearly nothing to do with pfsense, or even radius package on pfsense.
I use the cert manager and radius in pfsense to allow for eap-tls on my wifi network.. This has been great, and no issues getting stuff to work with it, my iphone, ipad, android pad, windows, etc..
Since there are many smart people here, and lots of people like me that do stuff not because required, or even security related, but because they can, etc.
This is just my home network, and eap-tls for my wifi is a bit over the top sure - and pretty much one of those things - hey I can run radius on pfsense, and the cert manager makes it easy to do certs and ca's.. Why not run eap-tls on one of my wifi networks. This is my trusted network, just my devices connect to it, my iphone, my ipad, my android tablet, etc.
I also have just a normal trusted network with wpa3 and just a nice long complex psk, etc. But have run into something that I just cannot figure out. Again not related to pfsense or radius or even certs.. I am not really a big apple guy.. I have nothing that runs macOS, so many of the normal tools are out for creating a mobileconfig to manage apple devices and their wifi.
But has anyone figured out how to use eap-tls on their apple watch? It's a Series 9 running 26.1
If you have to have a macOS to do it - maybe I will break down at some point and buy a mac mini or something to play with. But come on there has to be a way to do it without a macOS - isn't there??
-
@johnpoz Appears to definitely be possible: https://developer.apple.com/documentation/devicemanagement/wifi/eapclientconfiguration-data.dictionary
I've used iMazing Profile Editor before to create valid configuration profiles (like to create a pfSense-hosted IPsec mobile warrior VPN on an iPhone, for example).
-
@tinfoilmatt yeah I have iMazing - and they added watch stuff, but only on their version that runs on macOS. I can't get it to see my watch.
At least that is how I was reading it - might have to take a closer look at their profile editor..

-
@johnpoz It does, in fact, contain all dictionaries (including WiFi.EAPClientConfiguration) for all supported OSes.
-
@tinfoilmatt ok how do you now get it on your watch??
I have added the certs, put in the ssid, etc. and have a mobileconfig file - how do you get it onto the watch?
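For anyone following along who has not built one of these by hand, this is a skeleton of the kind of mobileconfig being described: a CA payload, a PKCS#12 identity payload, and a Wi-Fi payload whose EAPClientConfiguration selects EAP-TLS (type 13) and references both certificate payloads. It is an added illustration, not a profile posted by anyone in this thread; the SSID, RADIUS hostname, UUIDs and base64 blobs are placeholders to replace with your own values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>example.home.wifi.eaptls</string>
  <!-- Placeholder UUIDs: generate real ones (uuidgen) for every payload -->
  <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000001</string>
  <key>PayloadDisplayName</key><string>Home Wi-Fi (EAP-TLS)</string>
  <key>PayloadContent</key>
  <array>

    <!-- 1. The CA that signed the RADIUS server certificate (export from the pfSense cert manager, DER base64-encoded) -->
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>example.home.ca</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000002</string>
      <key>PayloadDisplayName</key><string>Home CA</string>
      <key>PayloadContent</key><data>BASE64_DER_OF_CA_CERT_PLACEHOLDER</data>
    </dict>

    <!-- 2. The client identity: device certificate plus private key as a PKCS#12 bundle -->
    <dict>
      <key>PayloadType</key><string>com.apple.security.pkcs12</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>example.home.watch.identity</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000003</string>
      <key>PayloadDisplayName</key><string>Watch identity</string>
      <!-- Password protecting the .p12 export; the profile itself should be delivered over a trusted channel -->
      <key>Password</key><string>PKCS12_PASSWORD_PLACEHOLDER</string>
      <key>PayloadContent</key><data>BASE64_P12_PLACEHOLDER</data>
    </dict>

    <!-- 3. The Wi-Fi network that ties the two certificate payloads together -->
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>example.home.wifi</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000004</string>
      <key>PayloadDisplayName</key><string>HomeTrusted</string>
      <key>SSID_STR</key><string>HomeTrusted</string>
      <key>HIDDEN_NETWORK</key><false/>
      <key>AutoJoin</key><true/>
      <!-- Set to match the AP (WPA2 here; current releases also accept WPA3) -->
      <key>EncryptionType</key><string>WPA2</string>
      <!-- UUID of the pkcs12 payload above: the identity presented to the RADIUS server -->
      <key>PayloadCertificateUUID</key><string>00000000-0000-4000-8000-000000000003</string>
      <key>EAPClientConfiguration</key>
      <dict>
        <!-- 13 = EAP-TLS; listing only this type stops the supplicant from negotiating a weaker method -->
        <key>AcceptEAPTypes</key><array><integer>13</integer></array>
        <!-- Pin the RADIUS server: its certificate must chain to the CA payload AND carry this name -->
        <key>PayloadCertificateAnchorUUID</key>
        <array><string>00000000-0000-4000-8000-000000000002</string></array>
        <key>TLSTrustedServerNames</key>
        <array><string>radius.home.example</string></array>
        <!-- Do not let the user click through an untrusted server certificate -->
        <key>TLSAllowTrustExceptions</key><false/>
      </dict>
    </dict>

  </array>
</dict>
</plist>
```

The part worth double-checking in any profile built this way is the server-side pinning: without PayloadCertificateAnchorUUID and TLSTrustedServerNames the client will happily present its identity to any RADIUS server that broadcasts the same SSID, which defeats much of the point of going to EAP-TLS in the first place. None of this answers the delivery question being asked in the thread; it only describes what the file contains once you have one.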
-
@johnpoz Great question. USB charging/data connection cable?
-
@tinfoilmatt apple watches don't have those ;) at least not newer ones.. I can't see how to get normal iMazing to see my watch.. with the iphone I just emailed it to myself and it asked if I wanted to load the profile but that was just a p12 file.
-
@johnpoz iMazing (not Profile Editor) has some automagic network discovery functionality. I wonder if it could be used to import a profile to the watch.
-
@tinfoilmatt If so I don't know how to do it - iMazing did add ipad and watch os, but says only for macOS
It really shouldn't be this difficult - why can it not just pull the info it needs from my iphone ;)
It sees my iphone no problem, but I am not seeing anything about my watch in it.
-
I hear you. My next watch will be a Garmin. It definitely won't be able to do EAP-TLS. But I will have much more control over what networks it connects to, and Garmin Express appears to be at least partially supported on Linux.
-
@tinfoilmatt going to put this on a back burner - it just ticks me off, when it should be so simple..
I mean your watch pulls apps and all sorts of other things from the phone it's paired with - why would it also not just pull or could be allowed to pull a profile for the certs for connecting to eap-tls..
Maybe I will just remove the whole eap-tls option, so it's not haunting me every time my phone connects to it and my watch can't ;) hehehe
-
This isn’t really related to the post, but I wanted to share something. I love Apple products — they’re my go-to when I just want things to work without hassle. I have my setup configured to auto-proxy so I can switch between a secure proxied network and a guest network for testing.
After upgrading my iMac to macOS Tahoe, though, it suddenly required a WPAD file even on the non-proxy guest network. I ended up putting a WPAD file on OpenWrt that basically tells the system “there is no proxy.” Once I did that, I could switch between the networks normally again. That way I could leave it on auto proxy.
-
@johnpoz said in eap-tls on apple watch?:
Ok how do you now get it on your watch??
Can the watch receive mails? If so, can you send a mail with attached 'config' files that you 'open', and iOS recognizes them as config stuff, and now it gets flagged under "Settings" and you'll be guided from there?!
I know this works with importing certificates on an iPhone.
-
@Gertjan first thing I tried - can't do anything with the attachment. You can see the email has an attachment, but you can't click it, can't save it.. Unless I am just stupid ;) But can't see anyway to do anything with the attachment on the watch.
-
@johnpoz Bummer. I down
myself.
-
@Gertjan heheh - thanks for trying.. It's paired to the phone, why can I not just push it from the phone like you can do with an app.. Maybe you can, and I just don't know how? And my google is failing - or there just isn't a way, only thing I find is management through the apple stuff like mdm.. But I don't need something for an enterprise or even an smb..
I just want a free way to get eap-tls working on my stupid watch ;)