I am trying to use the hotspotConfiguration APIs to setup an EAP-PEAP configuration.
The issue is that the server certificates are causing the EAP configuration to fail.
For background, I know everything works with a mobileconfig profile, so the username, password and the certificate used in the profile all work with the RADIUS server. This issue is with trying to do this through the hotspotConfiguration APIs in iOS 11.
The process I follow is:
1. Store a certificate in the keychain. It is in DER format; I read it in Base64 format and decode it programmatically.
The APIs all return successfully, so it seems OK. If I put in an incorrect certificate it fails, so it looks like the certificate format is at least OK.
NSDictionary *addquery = @{
    (id)kSecValueRef:  (__bridge id)certificate,   // SecCertificateRef built from the decoded DER
    (id)kSecClass:     (id)kSecClassCertificate,
    (id)kSecAttrLabel: @"My Certificate",
};
OSStatus status = SecItemAdd((__bridge CFDictionaryRef)addquery, NULL);
if (status != errSecSuccess) {
    // handle the error (errSecDuplicateItem means it was already stored)
}
2. Retrieving a reference to the certificate seems to work and a reference comes back.
NSDictionary *getquery = @{
    (id)kSecClass:     (id)kSecClassCertificate,
    (id)kSecAttrLabel: @"My Certificate",
    (id)kSecReturnRef: @YES,                        // ask for a SecCertificateRef back
};
SecCertificateRef certificate = NULL;
OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)getquery,
                                      (CFTypeRef *)&certificate);
3. Add it to the EAP-PEAP configuration.
I configure the NEHotspotEAPSettings with EAPtype=25 (PEAP), username and password.
Then I add the server trust with the following (certificate is the SecCertificateRef from step 2):
BOOL ok = [eapSettings setTrustedServerCertificates:@[ (__bridge id)certificate ]];
4. Then I try to apply the profile and it fails with the error message "invalid EAP configuration".
Removing the certificate from the profile and adding in a trustedServerName instead results in a successful configuration, and the app does configure the network and try to join, but this is not acceptable in my network (RADIUS rejects it). So I need the certificate.
There seem to be a few nuances and I'm wondering what is the right setup to make this work.
- There is a mention in the documentation to a persistent reference so maybe this is something to do with it. But the above call returns true so I'm not sure that is it.
- The certificate we use is a wildcard certificate - it works in the mobileconfig so it should be ok?
- The certificate we are using is CA signed but not directly trusted unless the intermediate certificates are in place. I have tried setting up an NSArray of certificates and adding them all to the EAP configuration, but that doesn't help: same error. I have tried making a single chain certificate, but the import APIs fail to add it to the keychain.
The only other thing I can think of is that there is some nuance or flags needed in the certificate for these APIs to accept it. But the same certificate works in a mobileconfig, so I'm not sure it is that.
I guess it would be good to know that the APIs do work and if so maybe help put me right on whatever is going wrong. Maybe some example code for the above that is known to work?
Thanks
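Example code, added here as an illustration and not part of the question or of Apple's own samples, that wires the three steps together using the persistent-reference form the documentation refers to: the keychain query asks for kSecReturnPersistentRef (instead of kSecReturnRef) and the resulting array of NSData blobs is what is handed to setTrustedServerCertificates:. It goes slightly beyond the single-certificate case in the question by storing every certificate of the chain (root and intermediates) under one label and fetching them all with kSecMatchLimitAll. The label, SSID, credentials and the Base64 strings are placeholders; the app is assumed to hold the Hotspot Configuration entitlement. Whether this alone clears the "invalid EAP configuration" error depends on the rest of the setup, so the code logs which step rejected the input.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <NetworkExtension/NetworkExtension.h>

// Hypothetical label; any string works as long as the same one is used for add and query.
static NSString * const kTrustedCertLabel = @"My Certificate";

// Decode one Base64-encoded DER certificate and add it to the keychain under the label.
// Returns YES if the item is present afterwards (an existing duplicate counts as present).
static BOOL StoreTrustedCertificate(NSString *base64DER) {
    NSData *der = [[NSData alloc] initWithBase64EncodedString:base64DER
                                                      options:NSDataBase64DecodingIgnoreUnknownCharacters];
    if (der == nil) return NO;                          // not valid Base64
    SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)der);
    if (cert == NULL) return NO;                        // not a DER-encoded X.509 certificate
    NSDictionary *addquery = @{
        (id)kSecClass:     (id)kSecClassCertificate,
        (id)kSecValueRef:  (__bridge id)cert,
        (id)kSecAttrLabel: kTrustedCertLabel,
    };
    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)addquery, NULL);
    CFRelease(cert);
    return status == errSecSuccess || status == errSecDuplicateItem;
}

// Fetch persistent references (NSData blobs) for every certificate stored under the label.
// kSecReturnPersistentRef is the difference from the SecCertificateRef lookup in the question;
// with kSecMatchLimitAll the result is a CFArray of those blobs.
static NSArray *TrustedCertificatePersistentRefs(void) {
    NSDictionary *getquery = @{
        (id)kSecClass:               (id)kSecClassCertificate,
        (id)kSecAttrLabel:           kTrustedCertLabel,
        (id)kSecMatchLimit:          (id)kSecMatchLimitAll,
        (id)kSecReturnPersistentRef: @YES,
    };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)getquery, &result);
    if (status != errSecSuccess || result == NULL) return @[];
    return CFBridgingRelease(result);                   // NSArray<NSData *>
}

// Build the PEAP settings and apply the configuration. Checking the BOOL from
// setTrustedServerCertificates: and the error code from applyConfiguration: separately
// tells you which of the two stages rejected the trust setup.
static void ApplyPEAPConfiguration(NSString *ssid, NSString *username, NSString *password,
                                   NSArray *persistentRefs) {
    NEHotspotEAPSettings *eap = [[NEHotspotEAPSettings alloc] init];
    eap.supportedEAPTypes = @[ @(NEHotspotConfigurationEAPTypeEAPPEAP) ];   // EAP type 25
    eap.username = username;
    eap.password = password;

    // Persistent references, not SecCertificateRef objects, go into this array.
    if (![eap setTrustedServerCertificates:persistentRefs]) {
        NSLog(@"setTrustedServerCertificates: rejected the array (%lu refs)",
              (unsigned long)persistentRefs.count);
        return;
    }

    NEHotspotConfiguration *config =
        [[NEHotspotConfiguration alloc] initWithSSID:ssid eapSettings:eap];
    [[NEHotspotConfigurationManager sharedManager] applyConfiguration:config
                                                    completionHandler:^(NSError *error) {
        if (error == nil) {
            NSLog(@"configuration applied for %@", ssid);
        } else if ([error.domain isEqualToString:NEHotspotConfigurationErrorDomain] &&
                   error.code == NEHotspotConfigurationErrorInvalidEAPSettings) {
            NSLog(@"EAP settings rejected by the system: %@", error.localizedDescription);
        } else {
            NSLog(@"applyConfiguration: failed: %@ (code %ld)",
                  error.localizedDescription, (long)error.code);
        }
    }];
}

// Hypothetical usage: the Base64 strings are placeholders for the RADIUS server's CA
// and any intermediates; every certificate in the array is stored before the lookup.
static void ConfigureCorporateNetwork(void) {
    NSArray<NSString *> *chainBase64 = @[ @"<BASE64_DER_OF_ROOT_CA>",
                                          @"<BASE64_DER_OF_INTERMEDIATE>" ];
    for (NSString *b64 in chainBase64) {
        if (!StoreTrustedCertificate(b64)) {
            NSLog(@"a certificate did not decode or could not be stored");
            return;
        }
    }
    NSArray *refs = TrustedCertificatePersistentRefs();
    if (refs.count == 0) {
        NSLog(@"no persistent references found under label %@", kTrustedCertLabel);
        return;
    }
    ApplyPEAPConfiguration(@"CorpWiFi", @"user@example.com", @"<password>", refs);
}
```

The two log messages are the useful part when debugging: a NO from setTrustedServerCertificates: means the settings object itself did not accept what was stored (wrong reference type or nothing found under the label), while an error from applyConfiguration: with NEHotspotConfigurationErrorInvalidEAPSettings means the array was accepted but the system still considered the resulting EAP settings invalid, which points at the certificates themselves rather than at the keychain plumbing.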