geteduroam / apple-app

This app for iPhone, iPad and Mac configures devices for use with the eduroam network.
https://geteduroam.app/
BSD 3-Clause "New" or "Revised" License

No valid outer EAP type in configuration #122

Closed martijnkruiten closed 1 month ago

martijnkruiten commented 3 months ago

I'm using version 2.2 on iOS 17.5.1. When I try to install the SURF profile, it shows me this error:

Failed to connect No valid outer EAP type in configuration

Somehow one of my colleagues was able to obtain and install the same profile after an initial failed attempt (with another error that I can't recall), but for me it fails consistently.

pauldekkers commented 3 months ago

I'm using the exact same versions and profile, and it works for me.

Is your phone managed by internal services? (Looking for differences.)

martijnkruiten commented 3 months ago

No, this is a private phone. I've just downloaded the profile directly from cat.eduroam.org and that works without any issues.

johankool commented 2 months ago

Looking at the code, I see only one place where this error is thrown, and that can happen if either "createNetworkConfigurations: setTrustedServerCertificates: returned false" or "createNetworkConfigurations: No server names and no custom CAs set; there is no way to verify this network". Of these, the first one seems more likely, as the second one seems more likely to affect all users the same way.

So it seems the most likely scenario is that your phone for some reason doesn't trust the certificates, or is set up in a way that it doesn't have permission to do so.
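A pre-flight check for the second condition named in the comment above (no server names and no CAs), plus a sanity check on the CA blobs, added here as an example that is not part of the thread or the app's code. It assumes the profile uses the eap-config element names AuthenticationMethod, EAPMethod/Type, ServerSideCredential, CA and ServerID; the sample profile is constructed.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample (not a real profile): method 0 is verifiable, method 1 has
# no server names and no CAs, method 2 carries a CA blob that is not DER.
SAMPLE = """<EAPIdentityProviderList><EAPIdentityProvider ID="constructed">
<AuthenticationMethods>
 <AuthenticationMethod><EAPMethod><Type>25</Type></EAPMethod>
  <ServerSideCredential>
   <CA format="X.509" encoding="base64">MAMCAQE=</CA>
   <ServerID>radius.example.org</ServerID>
  </ServerSideCredential></AuthenticationMethod>
 <AuthenticationMethod><EAPMethod><Type>21</Type></EAPMethod>
 </AuthenticationMethod>
 <AuthenticationMethod><EAPMethod><Type>25</Type></EAPMethod>
  <ServerSideCredential>
   <CA format="X.509" encoding="base64">bm90LWEtY2VydA==</CA>
   <ServerID>radius.example.org</ServerID>
  </ServerSideCredential></AuthenticationMethod>
</AuthenticationMethods></EAPIdentityProvider></EAPIdentityProviderList>"""

def is_der_sequence(blob):
    """True if blob is one DER SEQUENCE whose length field spans it exactly."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    if blob[1] < 0x80:                      # short-form length
        return len(blob) == 2 + blob[1]
    k = blob[1] & 0x7F                      # long form: k length octets follow
    return k > 0 and len(blob) == 2 + k + int.from_bytes(blob[2:2 + k], "big")

def lint_profile(xml_text):
    """Return (method_index, finding) for every problem in the profile."""
    findings = []
    for i, m in enumerate(ET.fromstring(xml_text).iter("AuthenticationMethod")):
        if m.find("EAPMethod/Type") is None:
            findings.append((i, "no outer EAP type"))
        names = m.findall("ServerSideCredential/ServerID")
        cas = m.findall("ServerSideCredential/CA")
        if not names and not cas:
            findings.append((i, "no server names and no CAs"))
        for ca in cas:
            try:  # tolerate line-wrapped base64, reject anything else
                der = base64.b64decode("".join((ca.text or "").split()), validate=True)
            except ValueError:
                der = b""
            if not is_der_sequence(der):
                findings.append((i, "CA is not a base64 DER certificate"))
    return findings

if __name__ == "__main__":
    print(lint_profile(SAMPLE))
```

A clean result only rules out the profile-side condition; a failure of setTrustedServerCertificates happens on the device and cannot be reproduced from the file alone.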

johankool commented 2 months ago

If you are up for it, you can get some logging out of your phone that would help with understanding what's going on.

  1. Connect your iPhone via USB cable to a Mac
  2. Launch the Console app
  3. Select your phone
  4. Start streaming messages
  5. Filter on "geteduroam" process and/or "eap" category
  6. Attempt to connect in the geteduroam app

Check that Action > Include Info Messages and Action > Include Debug Messages are enabled.

martijnkruiten commented 2 months ago

In that case, this might be the difference:

[Screenshots: IMG_6872, IMG_6873]

On the unmanaged iPhone it doesn't make a difference whether I trust these root certificates, but on the managed iPhone I guess it includes a critical root certificate that SURF provides.

johankool commented 2 months ago

@martijnkruiten Does it work for you now on your managed iPhone? Could you change the trust setting, or did your admin change that? (It looks disabled in the screenshot.)

martijnkruiten commented 2 months ago

It doesn't work on my private iPhone, but it does work on my managed iPhone. I’ve used the same EAP file on both phones for this test. On the managed iPhone the root certificates are accepted and this setting can't be changed. Judging from the label of the setting, it appears as if SURF also pushes some of their own certificates to their managed iPhones. On my private iPhone it doesn't make a difference whether or not I accept the root certificates that are included by default by Apple: it doesn't work either way.

johankool commented 1 month ago

Instructions for testing "No valid outer EAP type in configuration" workaround

  1. Install build from TestFlight version 2.4 (build 132)
  2. Type "geheim" in the search field
  3. Select text, tap and copy to pasteboard
  4. Tap at least 10 times quickly on the white eduroam logo
  5. Tap and hold the search icon
  6. Choose "App configuration" from the menu
  7. Enable "Ignore Server Certificate Import Failure" and/or "Ignore Missing Certificate Name" toggles
  8. Swipe down to close the menu
  9. Go through connect flow

Note: the flags are reset when the app is relaunched

martijnkruiten commented 1 month ago

It works with the "Ignore Server Certificate Import Failure" option enabled, though I'm not in range of an eduroam network to test the connection right now. The other option is not needed.