WiFi EAP authentication and iOS device setup options?
I finally managed to set up very basic EAP-PEAP and EAP-TTLS MSCHAP2 authentication in a Freeradius + Mikrotik MT network (users and their passwords in cleartext in text file), with a Let's Encrypt certificate in the eap{tls-config tls-common {}} section). Connecting from a Linux NTB and Android (v9 and v11) phone is without problems for both TTLS and PEAP, in the WiFi network settings I can choose a whole range of parameters (EAP method, phase 2 authentication method, certificate selection, CRL usage, domain, identity and anonymous identity,...). And now I tried connecting an iOS (v15) tablet - and this device only requires a username and password. Then it asks if the user trusts Let's Encrypt certificate (which it says is untrusted), and then it connects to the network without any problems. Please excuse the possibly stupid questions, but I have no experience with Apple iOS devices at all - so I would like to ask for an explanation - is this normal with iOS? : - that you can't set basically any WiFi network parameters (after connecting, you can set automatic connection to the network, and randomization of the MAC address - but that's probably all) - when I used a certificate generated by the resources in raddb/certs/ instead of the Lets Encrypt certificate, both Linux and Android clients connected to the network, but the iOS tablet ended up with the error aka "Cannot connect to this network." - is that why? - why does marks the Let's Encrypt certificate as untrustworthy? -- Thanks again, Franta Hanzlik
On Oct 3, 2025, at 8:36 AM, Franta Hanzlík via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I finally managed to set up very basic EAP-PEAP and EAP-TTLS MSCHAP2 authentication in a Freeradius + Mikrotik MT network (users and their passwords in cleartext in text file), with a Let's Encrypt certificate in the eap{tls-config tls-common {}} section).
That's good.
Connecting from a Linux NTB and Android (v9 and v11) phone is without problems for both TTLS and PEAP, in the WiFi network settings I can choose a whole range of parameters (EAP method, phase 2 authentication method, certificate selection, CRL usage, domain, identity and anonymous identity,...).
That works, but isn't quite as good as it could be, for reasons I'll outline below. i.e. you've done nothing wrong, but the Android / Linux workflow should be done better on their end.
And now I tried connecting an iOS (v15) tablet - and this device only requires a username and password. Then it asks if the user trusts Let's Encrypt certificate (which it says is untrusted), and then it connects to the network without any problems.
Yup.
Please excuse the possibly stupid questions, but I have no experience with Apple iOS devices at all - so I would like to ask for an explanation - is this normal with iOS? :
Yes.
- that you can't set basically any WiFi network parameters (after connecting, you can set automatic connection to the network, and randomization of the MAC address - but that's probably all)
You can, but you need to do that via a ".mobileconfig" file for iOS and OSX.
- when I used a certificate generated by the resources in raddb/certs/ instead of the Lets Encrypt certificate, both Linux and Android clients connected to the network, but the iOS tablet ended up with the error aka "Cannot connect to this network." - is that why?
No. It's because iOS has no idea where that certificate comes from. It doesn't know about the certificate authority, and therefore doesn't trust the certificate. If you use a .mobileconfig, you can put the CA certificate and the server certificate in there, and then iOS will import it and trust it.
- why does marks the Let's Encrypt certificate as untrustworthy?
Because it's a _web_ certificate, and not an _eap_ certificate. They are very different things. For various technical reasons, "certificate" almost always means "web certificate". It's possible to have many different kinds of certs and CAs. For example there should really be a separate CA for EAP. Using the same CA for EAP as for the web arguably violates various CA/Browser forum rules. So it "works", in that people can get online using a LetsEncrpyt cert. But there are likely to be various complaints about the certificates, and the process is not as seamless as it should be. These issues are 100% on the OS vendors, the WiFi standards bodies, the CA/Browser forum, etc. It's just the way it is, and so far no one has been willing to fix them. The result is that the EAP workflow is weird, and there isn't much that anyone can do about it. Alan DeKok.
Hello Alan DeKok and Alan Buxey, thanks for help - with "MDM"+".mobileconfig", finding information is easy! But if I may, a few more questions: On Fri, 3 Oct 2025 11:00:57 -0400 Alan DeKok <alan.dekok@inkbridge.io> wrote:
On Oct 3, 2025, at 8:36 AM, Franta Hanzlík via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I finally managed to set up very basic EAP-PEAP and EAP-TTLS MSCHAP2 authentication in a Freeradius + Mikrotik MT network (users and their passwords in cleartext in text file), with a Let's Encrypt certificate in the eap{tls-config tls-common {}} section).
That's good.
Connecting from a Linux NTB and Android (v9 and v11) phone is without problems for both TTLS and PEAP, in the WiFi network settings I can choose a whole range of parameters (EAP method, phase 2 authentication method, certificate selection, CRL usage, domain, identity and anonymous identity,...).
That works, but isn't quite as good as it could be, for reasons I'll outline below.
i.e. you've done nothing wrong, but the Android / Linux workflow should be done better on their end.
And now I tried connecting an iOS (v15) tablet - and this device only requires a username and password. Then it asks if the user trusts Let's Encrypt certificate (which it says is untrusted), and then it connects to the network without any problems.
Yup.
Please excuse the possibly stupid questions, but I have no experience with Apple iOS devices at all - so I would like to ask for an explanation - is this normal with iOS? :
Yes.
- that you can't set basically any WiFi network parameters (after connecting, you can set automatic connection to the network, and randomization of the MAC address - but that's probably all)
You can, but you need to do that via a ".mobileconfig" file for iOS and OSX.
- when I used a certificate generated by the resources in raddb/certs/ instead of the Lets Encrypt certificate, both Linux and Android clients connected to the network, but the iOS tablet ended up with the error aka "Cannot connect to this network." - is that why?
No.
Do you mean that with a FR certificate generated using certs/Makefile, connecting an iOS device to a WiFi network should also work (probably after agreeing to an untrusted certificate)? It's possible that I made a mistake somewhere.
It's because iOS has no idea where that certificate comes from. It doesn't know about the certificate authority, and therefore doesn't trust the certificate.
I assumed that iOS contains some set of the most common CAs (like other major advanced OSes), and that it decides based on whether the NAS/FR certificate is signed by a CA known to it - therefore it accepted the Let's Encrypt certificate, and therefore rejected the connection with the self-generated certificate. When a supplicant makes an anonymous TLS tunnel, verifying the certificate to be issued by a known legitimate CA for a known server (-> domain) is the only applicable security feature. Most likely there are such "professional" certificates containing EAP purpose and name / organization / domain of the NAS operator). But that is beyond my small needs for now...
If you use a .mobileconfig, you can put the CA certificate and the server certificate in there, and then iOS will import it and trust it.
This is probably a solution for larger corporate networks. Not for when a friend comes to visit me with an iPad...
- why does marks the Let's Encrypt certificate as untrustworthy?
Because it's a _web_ certificate, and not an _eap_ certificate. They are very different things.
For various technical reasons, "certificate" almost always means "web certificate". It's possible to have many different kinds of certs and CAs. For example there should really be a separate CA for EAP. Using the same CA for EAP as for the web arguably violates various CA/Browser forum rules.
Indeed, when I look at the "Key usage" tab in XCA (the GUI SW CA manager I use), there are also the items "EAP over PPP" and "EAP over LAN" - most likely suitable for these purposes (
So it "works", in that people can get online using a LetsEncrpyt cert. But there are likely to be various complaints about the certificates, and the process is not as seamless as it should be.
These issues are 100% on the OS vendors, the WiFi standards bodies, the CA/Browser forum, etc. It's just the way it is, and so far no one has been willing to fix them. The result is that the EAP workflow is weird, and there isn't much that anyone can do about it.
Apple's approach seems reasonable, as the end user can connect without much technical knowledge. I was just surprised that it is very different from the configuration in Android/Linux/Windows.
Alan DeKok.
-- Again, many thanks for Your excellent support! Franta Hanzlík
On Oct 4, 2025, at 3:31 AM, Franta Hanzlík <franta@hanzlici.cz> wrote:
Do you mean that with a FR certificate generated using certs/Makefile, connecting an iOS device to a WiFi network should also work (probably after agreeing to an untrusted certificate)?
As I said, I mean that the CA is unknown to iOS, and it therefore rejects it. The solution is to use a mobileconfig file.
I assumed that iOS contains some set of the most common CAs (like other major advanced OSes),
As I said, those are WEB CAs. They are NOT CAs which are intended to be used for EAP. For a wide variety of reasons, those CAs are NOT accepted automatically for EAP.
When a supplicant makes an anonymous TLS tunnel, verifying the certificate to be issued by a known legitimate CA for a known server (-> domain)
For the web, you connect to "google.com <http://google.com/>", and can therefore verify that the server certificate is for "google.com <http://google.com/>" For EAP, you're connecting to a random SSID, and have no way to know what server should be on the other end. The SSID name has nothing to do with the service being offered. i.e. for EAP, there is no "domain", so there is no "known server".
Indeed, when I look at the "Key usage" tab in XCA (the GUI SW CA manager I use), there are also the items "EAP over PPP" and "EAP over LAN" - most likely suitable for these purposes (
In theory. In practice, those EKUs are not supported by the OS.
Apple's approach seems reasonable, as the end user can connect without much technical knowledge. I was just surprised that it is very different from the configuration in Android/Linux/Windows.
There is no standard in this space. Or if there are standards, the OS vendors ignore them. Alan DeKok.
On iOS, not as end end user. You can y de MDM software to configure that stuff or a .mobileconfig file. Other OSes are too permissive by default... and older OSes were very fussy (hello Windows mobile (RIP)) Alan On Fri, 3 Oct 2025, 13:37 Franta Hanzlík via Freeradius-Users, < freeradius-users@lists.freeradius.org> wrote:
I finally managed to set up very basic EAP-PEAP and EAP-TTLS MSCHAP2 authentication in a Freeradius + Mikrotik MT network (users and their passwords in cleartext in text file), with a Let's Encrypt certificate in the eap{tls-config tls-common {}} section).
Connecting from a Linux NTB and Android (v9 and v11) phone is without problems for both TTLS and PEAP, in the WiFi network settings I can choose a whole range of parameters (EAP method, phase 2 authentication method, certificate selection, CRL usage, domain, identity and anonymous identity,...). And now I tried connecting an iOS (v15) tablet - and this device only requires a username and password. Then it asks if the user trusts Let's Encrypt certificate (which it says is untrusted), and then it connects to the network without any problems.
Please excuse the possibly stupid questions, but I have no experience with Apple iOS devices at all - so I would like to ask for an explanation - is this normal with iOS? :
- that you can't set basically any WiFi network parameters (after connecting, you can set automatic connection to the network, and randomization of the MAC address - but that's probably all)
- when I used a certificate generated by the resources in raddb/certs/ instead of the Lets Encrypt certificate, both Linux and Android clients connected to the network, but the iOS tablet ended up with the error aka "Cannot connect to this network." - is that why?
- why does marks the Let's Encrypt certificate as untrustworthy? -- Thanks again, Franta Hanzlik - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan Buxey -
Alan DeKok -
Franta Hanzlík