WiFi EAP authentication and iOS device setup options?

Franta Hanzlík franta at hanzlici.cz
Sat Oct 4 07:31:45 UTC 2025


Hello Alan DeKok and Alan Buxey,

thanks for the help - with "MDM" + ".mobileconfig", finding information is easy!
But if I may, a few more questions:

On Fri, 3 Oct 2025 11:00:57 -0400
Alan DeKok <alan.dekok at inkbridge.io> wrote:

> On Oct 3, 2025, at 8:36 AM, Franta Hanzlík via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> > I finally managed to set up very basic EAP-PEAP and EAP-TTLS MSCHAP2
> > authentication in a Freeradius + Mikrotik MT network (users and their
> > passwords in cleartext in a text file), with a Let's Encrypt certificate
> > in the eap { tls-config tls-common {} } section.
> 
>   That's good.
> 
> > Connecting from a Linux NTB and Android (v9 and v11) phone is without 
> > problems for both TTLS and PEAP, in the WiFi network settings I can 
> > choose a whole range of parameters (EAP method, phase 2 authentication
> > method, certificate selection, CRL usage, domain, identity and anonymous 
> > identity,...).  
> 
>   That works, but isn't quite as good as it could be, for reasons I'll
> outline below.
> 
>   i.e. you've done nothing wrong, but the Android / Linux workflow should
> be done better on their end.
> 
> > And now I tried connecting an iOS (v15) tablet - and this device only
> > requires a username and password. Then it asks if the user trusts the
> > Let's Encrypt certificate (which it says is untrusted), and then it
> > connects to the network without any problems.
> 
>   Yup.
> 
> > Please excuse the possibly stupid questions, but I have no experience 
> > with Apple iOS devices at all - so I would like to ask for an explanation
> > - is this normal with iOS? :  
> 
>   Yes.
> 
> > - that you can't set basically any WiFi network parameters (after 
> > connecting, you can set automatic connection to the network, and 
> > randomization of the MAC address - but that's probably all)  
> 
>   You can, but you need to do that via a ".mobileconfig" file for iOS and OSX.
> 
> > - when I used a certificate generated by the resources in raddb/certs/
> > instead of the Let's Encrypt certificate, both Linux and Android clients
> > connected to the network, but the iOS tablet ended up with the error
> > "Cannot connect to this network." - is that why?
> 
>   No.

Do you mean that with a FR certificate generated using certs/Makefile, 
connecting an iOS device to a WiFi network should also work (probably 
after agreeing to an untrusted certificate)?
It's possible that I made a mistake somewhere.

>   It's because iOS has no idea where that certificate comes from.  It
> doesn't know about the certificate authority, and therefore doesn't trust
> the certificate.

I assumed that iOS contains some set of the most common CAs (like other 
major advanced OSes), and that it decides based on whether the NAS/FR 
certificate is signed by a CA known to it - therefore it accepted the 
Let's Encrypt certificate, and therefore rejected the connection with 
the self-generated certificate.

When a supplicant makes an anonymous TLS tunnel, verifying that the certificate
was issued by a known legitimate CA for a known server (-> domain) is
the only applicable security feature. Most likely there are such
"professional" certificates (containing the EAP purpose and the name /
organization / domain of the NAS operator). But that is beyond my small
needs for now...

>   If you use a .mobileconfig, you can put the CA certificate and the
> server certificate in there, and then iOS will import it and trust it.

This is probably a solution for larger corporate networks.
Not for when a friend comes to visit me with an iPad...


> > - why does it mark the Let's Encrypt certificate as untrustworthy?
> 
>   Because it's a _web_ certificate, and not an _eap_ certificate.  They
> are very different things.
> 
>   For various technical reasons, "certificate" almost always means "web
> certificate".  It's possible to have many different kinds of certs and
> CAs.  For example there should really be a separate CA for EAP.  Using
> the same CA for EAP as for the web arguably violates various CA/Browser
> forum rules.

Indeed, when I look at the "Key usage" tab in XCA (the GUI SW CA manager
I use), there are also the items "EAP over PPP" and "EAP over LAN" - most
likely suitable for these purposes.

>   So it "works", in that people can get online using a Let's Encrypt cert.
> But there are likely to be various complaints about the certificates, and
> the process is not as seamless as it should be.
> 
>   These issues are 100% on the OS vendors, the WiFi standards bodies, the
> CA/Browser forum, etc.  It's just the way it is, and so far no one has
> been willing to fix them.  The result is that the EAP workflow is weird,
> and there isn't much that anyone can do about it.

Apple's approach seems reasonable, as the end user can connect without much 
technical knowledge. I was just surprised that it is very different from 
the configuration in Android/Linux/Windows.

> 
>   Alan DeKok.
-- 
Again, many thanks for your excellent support!
Franta Hanzlík
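The thread says twice that iOS Wi-Fi settings (EAP types, trusted CA, expected server name) can only be set through a ".mobileconfig" profile, and that shipping the CA in the profile is what stops the "untrusted certificate" prompt. The script below is an added example, not code from the thread, from Apple or from the FreeRADIUS project: it builds such a profile with the Python standard library, serialises it to the XML plist iOS expects, and runs the check a defender would want before handing it out, namely that the Wi-Fi payload references an embedded CA anchor and pins the EAP server name(s). Payload key names are the ones Apple documents for the com.apple.wifi.managed and com.apple.security.root payloads; the SSID, server name, organisation prefix and CA bytes are constructed placeholders, and you would substitute the DER-encoded CA from raddb/certs/ (or your own CA) for the real thing.

```python
"""
Added example: build and sanity-check an iOS/macOS Wi-Fi .mobileconfig that
embeds the RADIUS server's CA as a trust anchor and pins the EAP server name.
Standard library only. All identifiers below (SSID, server name, org prefix,
CA bytes) are constructed placeholders.
"""
import plistlib
import uuid

EAP_PEAP = 25   # IANA EAP method number for PEAP
EAP_TTLS = 21   # IANA EAP method number for EAP-TTLS


def build_wifi_profile(ssid, server_names, ca_der, eap_types,
                       inner_auth="MSCHAPv2", outer_identity="anonymous",
                       org="org.example.placeholder"):
    """Return the profile as a plist-shaped dict (one CA payload + one Wi-Fi payload)."""
    ca_uuid = str(uuid.uuid4()).upper()
    ca_payload = {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.ca.{ca_uuid}",
        "PayloadUUID": ca_uuid,
        "PayloadDisplayName": "EAP server CA",
        "PayloadContent": ca_der,   # DER bytes become a <data> element in the plist
    }
    wifi_uuid = str(uuid.uuid4()).upper()
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.wifi.{wifi_uuid}",
        "PayloadUUID": wifi_uuid,
        "PayloadDisplayName": f"Wi-Fi {ssid}",
        "SSID_STR": ssid,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": list(eap_types),
            "OuterIdentity": outer_identity,          # anonymous outer identity
            "TTLSInnerAuthentication": inner_auth,    # only used for EAP-TTLS
            # Trust is anchored to the embedded CA and restricted to these names,
            # so the supplicant never has to ask the user whether to trust the cert.
            "PayloadCertificateAnchorUUID": [ca_uuid],
            "TLSTrustedServerNames": list(server_names),
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.wifi-profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Enterprise Wi-Fi ({ssid})",
        "PayloadContent": [ca_payload, wifi_payload],
    }


def to_mobileconfig(profile):
    """Serialise the dict to the XML plist that iOS reads from a .mobileconfig file."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def check_profile(mobileconfig_bytes):
    """Return a list of findings; an empty list means every Wi-Fi payload pins its server."""
    profile = plistlib.loads(mobileconfig_bytes)
    anchors = {p["PayloadUUID"] for p in profile["PayloadContent"]
               if p["PayloadType"] == "com.apple.security.root"}
    findings = []
    for p in profile["PayloadContent"]:
        if p["PayloadType"] != "com.apple.wifi.managed":
            continue
        eap = p.get("EAPClientConfiguration", {})
        refs = eap.get("PayloadCertificateAnchorUUID", [])
        if not refs or not set(refs) <= anchors:
            findings.append(f"{p['SSID_STR']}: no (or dangling) CA anchor; "
                            "the user will be prompted to trust the server")
        if not eap.get("TLSTrustedServerNames"):
            findings.append(f"{p['SSID_STR']}: no TLSTrustedServerNames; "
                            "any certificate from the anchor CA is accepted")
    return findings


if __name__ == "__main__":
    # Constructed CA bytes: a placeholder DER blob, not a real certificate.
    fake_ca_der = b"\x30\x03\x02\x01\x01"
    prof = build_wifi_profile("lab-ssid", ["radius.example.test"],
                              fake_ca_der, [EAP_PEAP, EAP_TTLS])
    blob = to_mobileconfig(prof)
    print(blob.decode())
    print("findings:", check_profile(blob) or "none")
```

Run it and pipe the XML into a file named with a .mobileconfig suffix; iOS will offer to install it when the file is opened, and the CA payload is what replaces the "trust this certificate?" dialog from the thread. The TLSTrustedServerNames entry is the part that matters for a home setup as much as for a corporate one: without it, any server certificate chaining to the embedded CA is accepted.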

