After Root CA rotation, installed profile does not work #139

Open
DanSheps opened this issue Sep 10, 2024 · 2 comments
Comments

@DanSheps

Good Evening,

Unfortunately I cannot provide as much detail as you might like, however I will try my best to provide what I can.

We are encountering a unique issue with the geteduroam app on iOS based phones and tablets.

Steps to recreate (best guess):

  1. Set up an internal CA (we used our Windows Enterprise CA)
  2. Issue an EAP certificate to your NAC
  3. Configure the eduroam settings
  4. Install profile on device using the app
  5. Roll your CA certificate (we re-keyed our CA and re-issued the CA certificate)
  6. Update the eduroam settings
  7. Attempt to re-install the certificate

Expected:

  • The profile will install cleanly and connect without any issues

Observed:

  • The profile installs cleanly
  • NAC reports a certificate error (and subsequent disconnects before completing the full handshake)
  • Wireshark reports a TLS certificate mismatch within the SSL channel

Notes:

  • The old method (cat.eduroam.org) would install a "VPN profile". Whatever happens now happens outside of that. I suspect you are modifying the trust store directly.
  • The certificate is not visible in Settings > General > About > Certificate Trust Settings
  • Installing the profile on other systems works without issue on Android and Windows
  • Installing the profile via CAT (which installs a "VPN profile", not whatever the new method does) also works on the iOS device. Only the geteduroam app fails to properly install the profile

I did post about this on the eduroam mailing list and got very little traction, since I suspect many organizations do not have a need to rotate their CA certificate with key within the short timespan the app has been available.

@johankool
Collaborator

The method is not new to the iOS app. The previous 1.x app used the same technique, but it does indeed get configured differently from installing a profile via CAT.

For another CA-related issue I shared these steps. I am curious if enabling either of these two feature flags would solve your issue too.

Instructions for testing "No valid outer EAP type in configuration" workaround

  1. Install build from TestFlight version 2.4 (build 132)
  2. Type "geheim" in the search field
  3. Select text, tap and copy to pasteboard
  4. Tap at least 10 times quickly on the white eduroam logo
  5. Tap and hold the search icon
  6. Choose "App configuration" from the menu
  7. Enable "Ignore Server Certificate Import Failure" and/or "Ignore Missing Certificate Name" toggles
  8. Swipe down to close the menu
  9. Go through connect flow

Note: the flags are reset when the app is relaunched

Other than that it would/might be helpful if you can share the log of a device trying to connect. For that you need to connect your iOS device to a Mac using a cable, launch the Console.app and filter on the geteduroam subsystem.


@DanSheps
Author

The method is not new to the iOS app. The previous 1.x app used the same technique, but it does indeed get configured differently from installing a profile via CAT.

Thanks,

I will see if I can locate a problematic phone (some people have now just simply used the CAT profile) and get back to you.
