WiFi EAP authentication and iOS device setup options?
Alan DeKok
alan.dekok at inkbridge.io
Sat Oct 4 12:17:35 UTC 2025
On Oct 4, 2025, at 3:31 AM, Franta Hanzlík <franta at hanzlici.cz> wrote:
> Do you mean that with a FR certificate generated using certs/Makefile,
> connecting an iOS device to a WiFi network should also work (probably
> after agreeing to an untrusted certificate)?
As I said, I mean that the CA is unknown to iOS, and it therefore rejects it. The solution is to use a mobileconfig file.
> I assumed that iOS contains some set of the most common CAs (like other
> major advanced OSes),
As I said, those are WEB CAs. They are NOT CAs which are intended to be used for EAP.
For a wide variety of reasons, those CAs are NOT accepted automatically for EAP.
> When a supplicant makes an anonymous TLS tunnel, verifying the certificate
> to be issued by a known legitimate CA for a known server (-> domain)
For the web, you connect to "google.com", and can therefore verify that the server certificate is for "google.com".
For EAP, you're connecting to a random SSID, and have no way to know what server should be on the other end. The SSID name has nothing to do with the service being offered.
i.e. for EAP, there is no "domain", so there is no "known server".
> Indeed, when I look at the "Key usage" tab in XCA (the GUI SW CA manager
> I use), there are also the items "EAP over PPP" and "EAP over LAN" - most
> likely suitable for these purposes (
In theory.
In practice, those EKUs are not supported by the OS.
> Apple's approach seems reasonable, as the end user can connect without much
> technical knowledge. I was just surprised that it is very different from
> the configuration in Android/Linux/Windows.
There is no standard in this space. Or if there are standards, the OS vendors ignore them.
Alan DeKok.
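As an added example (not from this post or from the FreeRADIUS project), the following script builds the kind of mobileconfig profile Alan refers to: it carries the EAP CA as a trust anchor and tells the client which server certificate name to accept, which is what replaces the missing "domain" in EAP. It uses Apple's documented Wi-Fi and root-certificate payload keys; the CA bytes in the test and the reverse-DNS identifier prefix are constructed placeholders, and the CA DER you pass in would normally be ca.der from certs/Makefile.

```python
import plistlib
import uuid

EAP_PEAP = 25  # EAP method numbers from the IANA registry
EAP_TTLS = 21


def build_wifi_profile(ssid: str, ca_der: bytes, server_name: str,
                       org_id: str = "org.example", eap_types=(EAP_PEAP,)) -> dict:
    """Return a profile dict with two payloads: the CA as a trust anchor and
    a Wi-Fi network whose EAP client validates the RADIUS server against it."""
    ca_uuid = str(uuid.uuid4()).upper()
    wifi_uuid = str(uuid.uuid4()).upper()
    ca_payload = {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.ca.{ca_uuid}",
        "PayloadUUID": ca_uuid,
        "PayloadDisplayName": "EAP CA",
        "PayloadContent": ca_der,  # plistlib writes bytes as a <data> element
    }
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.wifi.{wifi_uuid}",
        "PayloadUUID": wifi_uuid,
        "PayloadDisplayName": f"Wi-Fi {ssid}",
        "SSID_STR": ssid,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": list(eap_types),
            "TTLSInnerAuthentication": "MSCHAPv2",
            # The profile supplies what the SSID cannot: which CA must have
            # issued the server certificate, and which name it must carry.
            "PayloadCertificateAnchorUUID": [ca_uuid],
            "TLSTrustedServerNames": [server_name],
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.eap-wifi",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Wi-Fi (EAP)",
        "PayloadContent": [ca_payload, wifi_payload],
    }


def to_mobileconfig(profile: dict) -> bytes:
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def parse_mobileconfig(data: bytes) -> dict:
    return plistlib.loads(data)
```

Write the bytes from to_mobileconfig() to a .mobileconfig file and install it on the device; for production use, sign the profile so iOS shows it as verified.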