WiFi EAP authentication and iOS device setup options?

Alan DeKok alan.dekok at inkbridge.io
Fri Oct 3 15:00:57 UTC 2025


On Oct 3, 2025, at 8:36 AM, Franta Hanzlík via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> I finally managed to set up very basic EAP-PEAP and EAP-TTLS MSCHAP2 
> authentication in a Freeradius + Mikrotik MT network (users and their 
> passwords in cleartext in text file), with a Let's Encrypt certificate 
> in the eap{tls-config tls-common {}} section.

  That's good.

> Connecting from a Linux NTB and Android (v9 and v11) phone is without 
> problems for both TTLS and PEAP, in the WiFi network settings I can 
> choose a whole range of parameters (EAP method, phase 2 authentication
> method, certificate selection, CRL usage, domain, identity and anonymous 
> identity,...).

  That works, but isn't quite as good as it could be, for reasons I'll outline below.

  i.e. you've done nothing wrong, but the Android / Linux workflow should be done better on their end.

> And now I tried connecting an iOS (v15) tablet - and this device only 
> requires a username and password. Then it asks if the user trusts Let's 
> Encrypt certificate (which it says is untrusted), and then it connects 
> to the network without any problems.

  Yup.

> Please excuse the possibly stupid questions, but I have no experience 
> with Apple iOS devices at all - so I would like to ask for an explanation
> - is this normal with iOS? :

  Yes.

> - that you can't set basically any WiFi network parameters (after 
> connecting, you can set automatic connection to the network, and 
> randomization of the MAC address - but that's probably all)

  You can, but you need to do that via a ".mobileconfig" file for iOS and OSX.

> - when I used a certificate generated by the resources in raddb/certs/ 
> instead of the Lets Encrypt certificate, both Linux and Android clients 
> connected to the network, but the iOS tablet ended up with the error aka
> "Cannot connect to this network." - is that why?

  No.

  It's because iOS has no idea where that certificate comes from.  It doesn't know about the certificate authority, and therefore doesn't trust the certificate.

  If you use a .mobileconfig, you can put the CA certificate and the server certificate in there, and then iOS will import it and trust it.

> - why does it mark the Let's Encrypt certificate as untrustworthy?

  Because it's a _web_ certificate, and not an _eap_ certificate.  They are very different things.

  For various technical reasons, "certificate" almost always means "web certificate".  It's possible to have many different kinds of certs and CAs.  For example there should really be a separate CA for EAP.  Using the same CA for EAP as for the web arguably violates various CA/Browser forum rules.

  So it "works", in that people can get online using a Let's Encrypt cert.  But there are likely to be various complaints about the certificates, and the process is not as seamless as it should be.

  These issues are 100% on the OS vendors, the WiFi standards bodies, the CA/Browser forum, etc.  It's just the way it is, and so far no one has been willing to fix them.  The result is that the EAP workflow is weird, and there isn't much that anyone can do about it.

  Alan DeKok.
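As an added illustration of the .mobileconfig approach described in the reply above (not code from the thread, FreeRADIUS or Apple): a small Python generator that emits a configuration profile carrying the RADIUS CA certificate as a root-certificate payload and a managed Wi-Fi payload whose EAP settings anchor server trust to that CA, accept PEAP and TTLS with MSCHAPv2 inner authentication, and pin the server names the client will accept. The payload key names (`com.apple.security.root`, `com.apple.wifi.managed`, `EAPClientConfiguration`, `AcceptEAPTypes`, `PayloadCertificateAnchorUUID`, `TLSTrustedServerNames`, `TLSAllowTrusted`, `OuterIdentity`) are Apple's configuration profile keys; the function names, the `org` identifier prefix, the SSID and server name, and the CA bytes are my own constructed placeholders, and the CA placeholder must be replaced with the DER encoding of the real CA before the profile is of any use. A second function checks a generated profile for the trust gaps that produce the "is this certificate trusted?" prompt or silently widen what the client accepts.

```python
import plistlib
import uuid

# Constructed placeholder for the CA certificate (DER bytes).  Not a real
# certificate: replace with the DER encoding of the CA that issued the
# RADIUS server's EAP certificate (for example the CA made in raddb/certs/).
CA_DER_PLACEHOLDER = b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-DER-CERTIFICATE"

# IANA EAP method type numbers, as used by iOS in AcceptEAPTypes.
EAP_TTLS = 21
EAP_PEAP = 25

ROOT_CERT_PAYLOAD = "com.apple.security.root"
WIFI_PAYLOAD = "com.apple.wifi.managed"


def _new_uuid() -> str:
    return str(uuid.uuid4()).upper()


def build_eap_profile(ssid, ca_der, trusted_server_names,
                      eap_types=(EAP_PEAP, EAP_TTLS), inner_auth="MSCHAPv2",
                      outer_identity="anonymous", org="example.org"):
    """Return a .mobileconfig (XML plist) as bytes.

    Two payloads: the CA certificate as a root-certificate payload, and a
    managed Wi-Fi payload whose EAP client configuration anchors server
    trust to that CA and pins the acceptable server names.  `org` is a
    hypothetical reverse-DNS prefix used only for PayloadIdentifier values.
    """
    ca_uuid = _new_uuid()
    ca_payload = {
        "PayloadType": ROOT_CERT_PAYLOAD,
        "PayloadVersion": 1,
        "PayloadUUID": ca_uuid,
        "PayloadIdentifier": f"{org}.ca.{ca_uuid}",
        "PayloadDisplayName": "RADIUS EAP CA",
        "PayloadContent": ca_der,  # bytes serialise as a <data> element
    }
    wifi_uuid = _new_uuid()
    wifi_payload = {
        "PayloadType": WIFI_PAYLOAD,
        "PayloadVersion": 1,
        "PayloadUUID": wifi_uuid,
        "PayloadIdentifier": f"{org}.wifi.{wifi_uuid}",
        "PayloadDisplayName": f"Wi-Fi: {ssid}",
        "SSID_STR": ssid,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": list(eap_types),
            "TTLSInnerAuthentication": inner_auth,  # applies to TTLS only
            "OuterIdentity": outer_identity,        # anonymous outer identity
            "TLSTrustedServerNames": list(trusted_server_names),
            "PayloadCertificateAnchorUUID": [ca_uuid],
            # False: trust only the anchored CA and never ask the user to
            # accept an unknown server certificate.
            "TLSAllowTrusted": False,
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadUUID": _new_uuid(),
        "PayloadIdentifier": f"{org}.eap-wifi",
        "PayloadDisplayName": f"EAP Wi-Fi profile for {ssid}",
        "PayloadContent": [ca_payload, wifi_payload],
    }
    return plistlib.dumps(profile)


def check_eap_profile(blob):
    """Return a list of trust problems in a .mobileconfig; [] means clean."""
    payloads = plistlib.loads(blob).get("PayloadContent", [])
    cert_uuids = {p["PayloadUUID"] for p in payloads
                  if p.get("PayloadType") == ROOT_CERT_PAYLOAD}
    wifi = [p for p in payloads if p.get("PayloadType") == WIFI_PAYLOAD]
    if not wifi:
        return ["no Wi-Fi payload"]
    problems = []
    for p in wifi:
        ssid = p.get("SSID_STR", "?")
        eap = p.get("EAPClientConfiguration", {})
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors:
            problems.append(f"{ssid}: no CA anchor, trust is left to the user")
        for a in anchors:
            if a not in cert_uuids:
                problems.append(f"{ssid}: anchor {a} has no certificate payload")
        if not eap.get("TLSTrustedServerNames"):
            problems.append(f"{ssid}: no trusted server names, any cert from the CA is accepted")
        if eap.get("TLSAllowTrusted", True):  # Apple's default is True
            problems.append(f"{ssid}: TLSAllowTrusted lets the user accept unknown servers")
    return problems


if __name__ == "__main__":
    blob = build_eap_profile("CorpNet", CA_DER_PLACEHOLDER, ["radius.example.org"])
    print(blob.decode())
    print("problems:", check_eap_profile(blob))
```

The profile deliberately omits `UserName` and `UserPassword`, so the device prompts for credentials on first join instead of storing them in a file that gets e-mailed around; it also leaves `TLSAllowTrusted` off so the client refuses, rather than asks the user about, a server certificate not chaining to the bundled CA. For deployment the .mobileconfig should additionally be signed, otherwise iOS shows it as "Not Verified" on install.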