AppleTV WPA2 Enterprise Wireless Authentication
Since update 5.1 for the AppleTV, it has been able to support WPA/WPA2 Enterprise authentication for wireless networks, but it’s not as easy as just clicking “Connect to <network name>” and typing in your username/password. You actually have to use the Apple Configurator to push a profile to the AppleTV to get it set up. This isn’t actually terribly complex, but there are a number of moving parts that can easily gum up the works if you don’t get them set up quite so.
Note: It is a good idea to have the AppleTV software up-to-date before doing this, if it is not, the Apple Configurator will try to update the software and tends to fail, leaving you with an AppleTV in recovery mode. This can add quite a bit of extra time to the process and is best avoided.
1. You will need the Apple Configurator, it is available through the Mac App store or you can download it here. You will also need to connect your AppleTV to your computer via a micro USB cable.
2. Open the configurator, click Prepare (at the top) then click the Install Profiles button, then click the + sign at the bottom and click Create New Profile.
3. Give the profile a name, this doesn’t need to be anything specific, but a good descriptive name is always best. Then select Wi-Fi from the list of configurable options in the left pane.
4. Fill in the information including SSID, select Auto-Join, security type WPA/WPA2 Enterprise, protocols – PEAP is what you would use if you have a username/password to authenticate with, EAP-TLS is what you would use if you are going to be importing a certificate to authenticate with.
5. Enter your username/password for PEAP or import your certificate for EAP-TLS (if you are not sure where to import your certificate, jump to step 7).
6. Leave Outer Identity blank (generally).
All of that stuff is pretty straight-forward, the next part is where it can get a little tricky if you don’t do everything right.
7. Scroll down on the left side to Certificates. You will need to import BOTH the public key of the certificate that is on your RADIUS server as well as the public key of the CA that issued the certificate. If you set up a Microsoft CA in your environment for this, it is very easy. Log into your CA server (or have your network admin do this if you are not one) open MMC and add the Certificates snap-in, right click the CA certificate and click All Tasks and click export. Be sure to ONLY export the public key, you do not need the private key for this. Do the same for the certificate that is on your RADIUS server and import both of these certificates to the AppleTV in the Certificates section. If you purchased a certificate through a third-part CA such as Verisign or GoDaddy, you should have received the CA public key from them when you received your certificate and you can export the server certificate using the same method as above.
Note: Some third-party CAs (such as GoDaddy) require an intermediate certificate as well, which you should have also received. In this case, you will need to import that one as well, so you will have 3 certificates to import in this scenario, not 2.
8. Once you have imported both of these certificates you can go back up to Wi-Fi on the Apple TV and click the Trust section, make sure all of the certificates that you imported are there and select the checkboxes next to all of them.
9. Now you can click Save and then click the Prepare button at the bottom to push the profile to the AppleTV.
If you have issues getting it to connect to your network, verify the username/password that you used in the profile as well as the certificates. Sadly there is no way (that I’ve found) to view these on the AppleTV directly, you have to review/edit the profile and re-prepare the AppleTV. The error I have most commonly run into is below, and is one of the errors indicative of not having the right certificates imported with the profile.
There was a problem connecting to the network -369033213
Hope this helps, below are a few links that I used while working this out myself.
http://support.apple.com/kb/HT5438?viewlocale=en_US&locale=en_US
I’m hoping to use my Apple TV 3rd generation at college next year, but they have a WPA2 Enterprise network. If the network just has a username and password, do I not need to worry about the whole importing certificate business? Thanks for the informative article!
Hi Ben,
Thanks for the comment, unfortunately I don’t think there’s any way around importing the certificate. The authentication process (with your username and password) has to be encrypted for security and the certificate is used for that encryption. I haven’t found any way to configure the Apple TV to automatically accept and trust a certificate (like you can do with many laptops), it requires that you procure the certificate and import it manually. There is a possibility that you may not have to do this if your college purchased their certificate from a third party Certificate Authority (such as Verisign), I have not personally dealt with that scenario, but as far as I know even in that scenario you must manually import the certificate. I will stay on top of it through future versions and post updates if something changes.
There is one caveat to this statement, there are a number of MDM (mobile device management) companies out there and even some wireless companies that are releasing automated provisioning tools (such as Aruba Networks’ ClearPass), that will automatically import this certificate for you. If your college is using one of these types of solutions with their wireless network, it’s very possible that you will not have to import the certificate manually and only have to enter your username and password, though I have never used one of these solutions with an Apple TV specifically.