WiFi EAP authentication and iOS device setup options?

Franta Hanzlík franta at hanzlici.cz
Fri Oct 3 12:36:53 UTC 2025


I finally managed to set up very basic EAP-PEAP and EAP-TTLS MSCHAP2 
authentication in a Freeradius + Mikrotik MT network (users and their 
passwords in cleartext in a text file), with a Let's Encrypt certificate 
in the eap{tls-config tls-common {}} section.

Connecting from a Linux NTB and an Android (v9 and v11) phone is without 
problems for both TTLS and PEAP; in the WiFi network settings I can 
choose a whole range of parameters (EAP method, phase 2 authentication 
method, certificate selection, CRL usage, domain, identity and anonymous 
identity, ...).
And now I tried connecting an iOS (v15) tablet - and this device only 
requires a username and password. Then it asks if the user trusts the 
Let's Encrypt certificate (which it says is untrusted), and then it 
connects to the network without any problems.

Please excuse the possibly stupid questions, but I have no experience 
with Apple iOS devices at all - so I would like to ask for an explanation 
- is this normal with iOS?:

- that you can't set basically any WiFi network parameters (after 
connecting, you can set automatic connection to the network, and 
randomization of the MAC address - but that's probably all)

- when I used a certificate generated by the resources in raddb/certs/ 
instead of the Let's Encrypt certificate, both Linux and Android clients 
connected to the network, but the iOS tablet ended up with the error aka 
"Cannot connect to this network." - is that why?

- why does it mark the Let's Encrypt certificate as untrustworthy?
-- 
Thanks again, Franta Hanzlik

