Yep, another blogpost with mass appeal, I’m sure.
I have set up freeradius for allocating VLANs over Wi-Fi. The gist is that, rather than needing to broadcast a specific SSID per VLAN, I can broadcast one SSID, and clients get send a username and password to my freeradius server, which uses its config to determine what VLAN gets allocated to them.
It works well.
Except for the Apple TV, which seemingly keeps forgetting the username and password, and so keeps dropping off the network. This is a pain.
I have experimented with setting the username and password via a .mobileconfig profile, to see if that is more resilient. And, so far, it seems to work.
Creating the .mobileconfig profile
If you have a macOS device, you can create a profile using
Apple Configurator 2. But the profile itself is just an xml document, and it’s an easy one to create anyway. (I have not bothered to sign the profile, but you could do this too, with or without the Apple software, if you wanted.)
The .mobileconfig profile looks like this:
<?xml version="1.0" encoding="UTF-8"?> <plist version="1.0"> <dict> <key>PayloadContent</key> <array> <dict> <key>AutoJoin</key> <true/> <key>CaptiveBypass</key> <false/> <key>DisableAssociationMACRandomization</key> <false/> <key>EAPClientConfiguration</key> <dict> <key>AcceptEAPTypes</key> <array> <integer>25</integer> </array> <key>TLSMaximumVersion</key> <string>1.2</string> <key>TLSMinimumVersion</key> <string>1.0</string> <key>UserName</key> <string>$USERNAME</string> <key>UserPassword</key> <string>$PASSWORD</string> </dict> <key>EncryptionType</key> <string>WPA</string> <key>HIDDEN_NETWORK</key> <false/> <key>IsHotspot</key> <false/> <key>PayloadDescription</key> <string>Configures Wi-Fi settings</string> <key>PayloadDisplayName</key> <string>Wi-Fi</string> <key>PayloadIdentifier</key> <string>com.apple.wifi.managed.3AE4E23F-A7D0-4E7A-A752-BF1CF873B11A</string> <key>PayloadType</key> <string>com.apple.wifi.managed</string> <key>PayloadUUID</key> <string>3AE4E23F-A7D0-4E7A-A752-BF1CF873B11A</string> <key>PayloadVersion</key> <integer>1</integer> <key>ProxyType</key> <string>None</string> <key>SSID_STR</key> <string>$SSID</string> </dict> </array> <key>PayloadDisplayName</key> <string>Apple TV freeradius</string> <key>PayloadIdentifier</key> <string>Pro.65F8BCAF-E130-4810-A56B-380707652527</string> <key>PayloadRemovalDisallowed</key> <false/> <key>PayloadType</key> <string>Configuration</string> <key>PayloadUUID</key> <string>3F04F935-C234-47E9-9902-682F3CC7B6C4</string> <key>PayloadVersion</key> <integer>1</integer> </dict> </plist>
You’ll want to replace
$PASSWORD with the credentials you’ve configured in freeradius. And you’ll want to replace
$SSID with the SSID of your Wi-Fi network.
Then, just save it with a .mobileconfig extension.
(The profile will look different if you need to pass through a certificate for verification, or verify the freeradius server’s certicate. I was content to do this via the Apple TV’s UI.)
Getting the .mobileconfig profile onto the Apple TV
You cannot - as far as I know - get a .mobileconfig profile onto an Apple TV via AirDrop. Sad news for macOS/iOS users, as this is an easy way of transferring profiles.
You might be able to side-load the profile via USB, and that would be a neater solution for configuring a new Apple TV, but I have not tried this.
I had an Apple TV which was already connected to a Wi-Fi network, which gave the Apple TV access to a web server.
I uploaded the .mobileconfig file to that web server.
Then, on the Apple TV, I went to Settings / General / Privacy, and scrolled down to “Share Apple TV Analytics”. However, rather than clicking on it, I pressed the “Play/Pause” button.
This brings up a hidden menu, called “Profiles”.
Click “Add Profile”, and enter the url at which the Apple TV can access your .mobileconfig profile.
It will download the profile, and you will be prompted to go through the installation.
I then deleted my existing Wi-Fi network, and selected the SSID of the network which supports freeradius VLAN allocation.
And that was it.
A slight oddity was that the network information pane did not show IP address, gateway, DNS servers etc - it just said “N/A”. So I spent a few minutes trying to work out what I had done wrong. But when I checked my FireBrick’s DHCP allocation table, the Apple TV had been allocated an IP addresses, and, looking at my freeradius server’s logs, all looked good there too. So I tested the Apple TV and it was able to access network resources, even with the “N/A” showing. After a reboot, it re-connected correctly, and showed the expected IP address etc. correctly.
Using this in conjunction with a DoH profile
If you want to try a DoH server on your Apple TV, that works too.