After Root CA rotation, installed profile does not work

DanSheps commented 3 weeks ago

Good Evening,

Unfortunately I cannot provide as much detail as you might like, however I will try my best to provide what I can.

We are encountering a unique issue with the geteduroam app on iOS based phones and tablets.

Steps to recreate (best guess):

Setup an internal CA (we used our Windows Enterprise CA)
Issue a eap certificate to your NAC
Configure the eduroam settings
Install profile on device using the app
Roll your CA certificate (we re-keyed our CA and re-issued the CA certificate)
Update the eduroam settings
Attempt to re-install the certificate

Expected:

The profile will install cleanly and connect without any issues

Observed:

The profile installs cleanly
NAC reports a certificate error (and subsequent disconnects before completing the full handshake)
Wireshark reports a TLS certificate mismatch within the SSL channel

Notes:

The old method (cat.eduroam.org) would install a "VPN profile". Whatever happens now happens outside of that. I suspect you are modifying the trust store directly.
The certificate is not visible in Settings > General > About > Certificate Trust Settings
Installing the profile on other systems works without issue on Android and Windows
Installing the profile via CAT (which installs a "VPN profile", not whatever the new method does) also works on the iOS device. Only the geteduroam app fails to properly install the profile

I did post about this on the eduroam mailing list and got very little traction, since I suspect many organizations do not have a need to rotate their CA certificate with key within the short timespan the app has been available.

johankool commented 2 weeks ago

The method is not new to the iOS app. The previous 1.x app used the same technique, but it does indeed get configured differently from installing a profile via CAT.

For another CA related issue I shared these steps. I am curious if enabling either of these two feature flags would solve your issue too.

Instructions for testing "No valid outer EAP type in configuration" workaround

Install build from TestFlight version 2.4 (build 132)
Type "geheim" in the search field
Select text, tap and copy to pasteboard
Tap at least 10 times quickly on the white eduroam logo
Tap and hold the search icon
Choose "App configuration" from the menu
Enable "Ignore Server Certificate Import Failure" and/or "Ignore Missing Certificate Name" toggles
Swipe down to close the menu
Go through connect flow

Note: the flags are reset when the app is relaunched

Other than that it would/might be helpful if you can share the log of a device trying to connect. For that you need to connect your iOS device to a Mac using a cable, launch the Console.app and filter on the geteduroam subsystem.

DanSheps commented 2 weeks ago

The method is not new to the iOS app. The previous 1.x app used the same technique, but it does indeed get configured differently from installing a profile via CAT.

Thanks,

I will see if I can locate a problematic phone (some people how now just simply used the cat profile) and get back to you.

geteduroam / apple-app