iOS 11 will prompt "Enter your password" when connecting to pre-configured WiFi network using EAP-TLS/802.1x

Hi,


I am facing an issue where the user is prompted to "Enter your password" for a WPA2-Enterprise Wireless network pre-configured for EAP-TLS/802.1x via mobileconfig/SCEP. This does NOT occur on a device without any previous profiles for the targeted Wireless Network SSID. This seems to only occur when adding the same profile or a new profile with the same SSID.


This problem occurs when the user clicks on the wireless network to initiate the connection manually; auto-join works fine. Normally this manual connection would proceed without user interaction, as it is using the installed Client Certificate. In iOS 11 it shows a prompt for username/password. Clicking on "cancel" will allow the user to connect.


We started seeing this on BETA 7 and have not seen a fix yet.


I have opened a BUG report but have had no reply yet; I was wondering if anyone had any tips.


Thanks,


S.

Replies

I am facing an issue where the user is prompted to "Enter your password" for a WPA2-Enterprise Wireless network pre-configured for EAP-TLS/802.1x via mobileconfig/SCEP.

You might have better luck asking this question over in Apple Support Communities, run by AppleCare, and specifically in the Business and Education topic areas, where you’re more likely to find folks with enterprise-grade Wi-Fi experience.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Quinn,


Thanks, I have asked in this forum, but I will be surprised if I get a response. In the meantime we are seeing more issues with iOS 11 and Wi-Fi:

https://discussions.apple.com/message/32231257


So far we have identified the following changes that impact iOS users:
1. The issue described above
2. CNA no longer allows deployment of .mobileconfig
3. Server validation now requires a Certificate, no longer optional


I have also seen other posts now on issues with iOS 11 that we have not seen yet and are yet to confirm:

https://forums.developer.apple.com/message/260764#260764


I also tried opening a TSI (twice...) receiving a response "mobileconfig is not a software issue, please try end-user", but as I told the TSI people I am trying to indicate the fact we are dealing with a BUG.


I have also opened a BUG report, but again do not feel this will get picked up any time soon:

https://bugreport.apple.com/web/?problemID=34429353


If you have any more tips on how we can get this "noticed" by Apple I am open to suggestions.


Thanks,


S.

OK, here’s a quick summary of your options:

  • You should definitely file a bug about any problems you see. This is free and easy, so there’s really no downside.

  • Apple Developer Forums is a free-to-use place to discuss code-level problems. If you were, for example, writing an app and found that some specific API was misbehaving on iOS 11, this would be a good place to ask about that.

  • Apple Developer Technical Support (the group I work for) provides ‘paid for’ code-level support. We support the APIs in Apple’s platform SDKs and various other developer-oriented things (like hardware development). We do not support user-level things.

    You can learn more about DTS’s support options on our page on the developer web site.

  • AppleCare supports user-level things, and that includes configuration profiles. AppleCare provides a variety of ‘paid for’ support options. I don’t work for AppleCare and thus am not able to discuss those options in detail, but I figured you might find the following links useful:

  • Apple Support Communities is AppleCare’s equivalent of DevForums, a free-to-use area where folks can discuss their issues.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks for all the help. I had already filed a bug, but seeing no response now for about 5 days.


I have tried Apple Care before, but before I can actually talk to someone I need to jump through a number of hoops.


As you guys seem to be software related, here is at least the snippet from the iOS log where we feel things are failing:


...
Sep 21 16:16:20 Lenovos-iPhone securityd[87] <Notice>: insert failed for item <cert,rowid=null,cdat=2017-09-21 10:46:20 +0000,mdat=2017-09-21 10:46:20 +0000,ctyp=3,cenc=3,labl=1B5A8EFC-C1D8-48E6-ABE7-08701DF99CC1,alis=null,subj=310B300906035504061302555331163014060355040A130D47454F545255535420494E432E311B30190603550403131247454F545255535420474C4F42414C204341,issr=310B300906035504061302555331163014060355040A130D47454F545255535420494E432E311B30190603550403131247454F545255535420474C4F42414C204341,slnr=023456,skid=C07A98688D89FBAB05640C117DAA7D65B8CACC4E,pkhh=00F92AC34191B6C9C2B83E55F2C0971113A00720,data=05a0:030000800B000000...|f226970881333c81,agrp=com.apple.certificates,pdmn=dku,sync=0,tomb=0,sha1=D16738E071F24E2DDD25CD4649185C1BCDF31436,vwht=null,tkid=null,v_Data=<?>,v_pk=65EC44D1D82DBF3AD56FBEFBAEE71058A6360BDF,accc=null,u_Tomb=null,musr=,UUID=25480094-1F93-4153-98C0-4B64AF981F29,sysb=null,pcss=null,pcsk=null,pcsi=null,persistref=> with Error Domain=com.apple.utilities.sqlite3 Code=19 "finalize: 0x10324bec0: [19->2067] UNIQUE constraint failed: cert.ctyp, cert.issr, cert.sln
Sep 21 16:16:20 Lenovos-iPhone securityd[87] <Notice>: profiled[134]/1#51 LF=0 add Error Domain=NSOSStatusErrorDomain Code=-25299 "duplicate item O,cert,65EC44D1,L,dku,com.apple.certificates,0,ctyp,cenc,labl,subj,issr,slnr,skid,pkhh,v_Data,musr,20170921104620.923733Z,D16738E0" UserInfo={NSDescription=duplicate item O,cert,65EC44D1,L,dku,com.apple.certificates,0,ctyp,cenc,labl,subj,issr,slnr,skid,pkhh,v_Data,musr,20170921104620.923733Z,D16738E0}
...

Sep 21 16:16:34 Lenovos-iPhone eapolclient[597] <Notice>: EAPSecIdentityHandleCreateSecIdentity failed, -25300
...
Sep 21 16:16:34 Lenovos-iPhone Preferences(EAP8021X)[404] <Notice>: EAPSecIdentityHandleCreate() failed, -
Sep 21 16:16:34 Lenovos-iPhone Preferences(WiFiKit)[404] <Error>: -[WFMutableNetworkProfile enterpriseProfile]: failed to create SecIdentity handle for identity

S.
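A triage helper for the pattern in the log excerpt above, added here as an example and not part of the original post: it flags EAP identity-creation failures and notes whether a duplicate-certificate keychain insert was logged shortly before. The sample lines are constructed abbreviations of the posted log, and the function names, the 60-second window and the supplied year are assumptions.

```python
import re
from datetime import datetime, timedelta

# OSStatus values defined by Apple's Security framework.
OSSTATUS = {-25299: "errSecDuplicateItem", -25300: "errSecItemNotFound"}

# Constructed sample: the thread's log lines with the long fields elided.
SAMPLE_LOG = """\
Sep 21 16:16:20 Lenovos-iPhone securityd[87] <Notice>: insert failed for item <cert,rowid=null,...> with Error Domain=com.apple.utilities.sqlite3 Code=19 "UNIQUE constraint failed"
Sep 21 16:16:20 Lenovos-iPhone securityd[87] <Notice>: profiled[134]/1#51 LF=0 add Error Domain=NSOSStatusErrorDomain Code=-25299 "duplicate item O,cert,..."
Sep 21 16:16:34 Lenovos-iPhone eapolclient[597] <Notice>: EAPSecIdentityHandleCreateSecIdentity failed, -25300
Sep 21 16:16:34 Lenovos-iPhone Preferences(WiFiKit)[404] <Error>: -[WFMutableNetworkProfile enterpriseProfile]: failed to create SecIdentity handle for identity
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\[]+)\[(?P<pid>\d+)\] <(?P<level>\w+)>: (?P<msg>.*)$")
DUP_RE = re.compile(r"NSOSStatusErrorDomain Code=(-25299)\b.*duplicate item \S*cert")
EAP_RE = re.compile(r"EAPSecIdentityHandleCreate\w* failed, (-\d+)")

def parse(log, year=2017):
    """Yield (timestamp, process, message); syslog omits the year, so it is supplied."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["proc"], m["msg"]

def find_identity_failures(log, window=timedelta(seconds=60)):
    """List EAP identity failures, marking those that follow a duplicate cert insert."""
    findings, dup_times = [], []
    for ts, proc, msg in parse(log):
        if proc == "securityd" and DUP_RE.search(msg):
            dup_times.append(ts)
            continue
        m = EAP_RE.search(msg)
        if m:
            code = int(m.group(1))
            prior = [d for d in dup_times if timedelta(0) <= ts - d <= window]
            findings.append({"time": ts, "process": proc,
                             "status": OSSTATUS.get(code, str(code)),
                             "after_duplicate_insert": bool(prior)})
    return findings

if __name__ == "__main__":
    for finding in find_identity_failures(SAMPLE_LOG):
        print(finding)
```

A hit with `after_duplicate_insert` set only shows that the two events were logged close together; it does not by itself establish that one caused the other.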

I had already filed a bug, but seeing no response now for about 5 days.

That’s not unexpected. Unless the folks looking at the bug need more information from you, you won’t hear back from them until the bug is fixed. Such fixes require a release vehicle. And while I can’t reliably predict The Future™, it’s historically been the case that new versions of iOS only show up every few months and are preceded by a seeding period (announced via our News and Updates page, which has a handy RSS feed).

As you guys seem to be software related …

I’m not just a software guy, I’m a networking guy! But iOS is sufficiently complicated that my extensive experience with networking APIs doesn’t help with specialist situations like this.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi, I am using WPA2 Enterprise (RADIUS NPS). The issue is that all the iPhones which are on iOS 10 are able to connect successfully, but with iOS 11 it does not work. Is there any known bug in iOS 11 with WPA2 authentication? I tried resetting network settings, with no success.


Further to inform:


When using WPA2 Enterprise authentication, iOS 11 phones, when entering the username and password, do not get the option in iOS 11 to trust the certificate sent by the firewall.


To conclude whether the firewall is sending the certificate to the end iOS 11 phone, we captured the Wireshark packets in both the iOS 10 and iOS 11 cases.


We found the Access-Challenge sent by the firewall having the Extensible Authentication Protocol field set to type: Tunneled TLS EAP (EAP-TTLS) 21, but there was no response coming back from iOS 11 users.


This seems to be a bug in Apple iOS 11.

I recommend that you read my 21 Sep post and follow the advice I give there. Apple Developer Forums is a good place to discuss API-level issues. Your question is not about APIs but about the behaviour of built-in system components, and thus you’re more likely to find answers via a user-focused support channel.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"