How do I configure an iPad to use EAP-TLS?
CONFIGURING EAP-TLS AUTHENTICATION on iOS DEVICES:
These instructions were developed using iOS 11 and iOS/iPadOS 13.3 to configure both iPhones & iPads for EAP-TLS authentication using certificates.
If you wish to learn how the certificates were generated, or how to configure EAP-TLS authentication on the router's side (using a MikroTik), please go HERE.
PROCESS OVERVIEW:
A) Configure Certificates:
For each device we will in turn:
- Download and configure the CA certificate
- Download and configure the Client Certificate
B) Configure Authentication:
Once the certs are in place and configured on the device, we next configure the wireless network connection that uses them.
C) Configure Connection:
Configure the WiFi connection to use EAP-TLS
PROCESS:
Configure CA CERTIFICATE:
- Open Safari on your iPhone/iPad and navigate to where your certificates live. Do NOT use any other web browser!! Safari will identify them as certificates and offer to install them.
There are (2) certs we'll be working with: the CA cert & the Client cert.
- Download the CA Certificate FIRST: "cert_export_CAF1Linux.crt". NOTE the ".crt" file extension. Choose "Allow" when prompted.
Configure CA PROFILE:
- Navigate to: "Settings" > "General" > "Profiles"
- Go to the CA certificate which appears as a "Downloaded Profile" and click it:
- Click "Install" at top-right corner of screen
- Enter device's 6 digit pass code:
- Ignore warning displayed (we created the cert after all) and click "Install":
- Click "Done" in top right corner of screen.
- Verify the CA certificate installed successfully.
Configure CLIENT CERTIFICATE:
- Go back to Safari and download the CLIENT certificate's pkcs12 cert, which has the extension ".p12", to the iOS / iPadOS device. Choose "Allow" when prompted.
Configure CLIENT PROFILE:
- Navigate to: "Settings" > "General" > "Profiles" and choose the Client cert which appears as a new "Downloaded" profile and click it:
- Install Client Cert:
- This time you'll be prompted to enter the passphrase the pkcs12 Client certificate was exported with. "Next" in the top right corner will become active after you successfully enter the passphrase; click it.
- After installing, the cert will initially display an incorrect status of "Not Signed". Ignore this. When we check it again it will show a status of "Verified":
- Click "Profiles" to go back to main "Profiles" screen and choose the Client certificate profile.
- The Profile now reflects the correct status "Verified":
WARNING:
Only proceed to the next step, "Configure AUTHENTICATION", after installing BOTH certs and confirming that each one's status reports "Verified". You will be wasting your time trying to connect if this step is not completed properly, and pulling out large amounts of hair in frustration...
Configure AUTHENTICATION:
This example uses a hidden network. Go to "WiFi" > "Other Network" to begin setting the connection parameters for the EAP-TLS SSID. Your connection parameters should look as below:
Client AUTHENTICATION:
When you finally connect, you'll be presented with a warning to "Trust" a certificate. This will be the cert used by the Wireless Interface:
That's it, you're done.
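The three manual steps above (CA certificate, client .p12, Wi-Fi connection) can also be expressed as one Apple configuration profile. The following is an added example, not part of the original instructions, and goes beyond them: it builds such a .mobileconfig with Python's standard library and pins server trust to the installed CA. The SSID, server name, identifier prefix and WPA2 setting are assumptions, and the certificate bytes in the demo are constructed placeholders.

```python
import plistlib
import ssl
import uuid


def _payload(ptype, name, **extra):
    """Common keys every payload dictionary carries, plus payload-specific ones."""
    puuid = str(uuid.uuid4()).upper()
    return {
        "PayloadType": ptype,
        "PayloadVersion": 1,
        "PayloadUUID": puuid,
        "PayloadIdentifier": f"example.eaptls.{puuid}",  # hypothetical prefix
        "PayloadDisplayName": name,
        **extra,
    }


def build_eap_tls_profile(ssid, ca_cert, p12, server_names=(), p12_password=None, hidden=True):
    """Return .mobileconfig bytes: CA cert + client identity + Wi-Fi payload."""
    ca_cert = ca_cert.strip()
    if ca_cert.startswith(b"-----BEGIN"):  # accept a PEM .crt export as well as DER
        ca_cert = ssl.PEM_cert_to_DER_cert(ca_cert.decode("ascii"))
    ca = _payload("com.apple.security.root", "Wi-Fi CA", PayloadContent=ca_cert)
    identity = _payload("com.apple.security.pkcs12", "Wi-Fi client identity", PayloadContent=p12)
    if p12_password is not None:
        # Embedding the passphrase makes the profile file itself a secret;
        # leave it out and the device asks for it at install time instead.
        identity["Password"] = p12_password
    eap = {
        "AcceptEAPTypes": [13],  # 13 = EAP-TLS
        "PayloadCertificateAnchorUUID": [ca["PayloadUUID"]],  # server must chain to this CA
    }
    if server_names:
        eap["TLSTrustedServerNames"] = list(server_names)  # expected server certificate names
    wifi = _payload(
        "com.apple.wifi.managed", f"Wi-Fi {ssid}",
        SSID_STR=ssid,
        HIDDEN_NETWORK=hidden,  # the page's example uses a hidden network
        EncryptionType="WPA2",  # assumption: the page does not state the encryption type
        PayloadCertificateUUID=identity["PayloadUUID"],  # identity presented for EAP-TLS
        EAPClientConfiguration=eap,
    )
    profile = _payload("Configuration", f"EAP-TLS for {ssid}", PayloadContent=[ca, identity, wifi])
    return plistlib.dumps(profile)


if __name__ == "__main__":
    # Constructed placeholder bytes, not real certificates.
    print(build_eap_tls_profile("EXAMPLE-SSID", b"CA-DER", b"P12", ["radius.example.test"]).decode())
```

To use it, pass the real CA export and .p12 file contents, write the returned bytes to a file ending in ".mobileconfig", and install that single profile on the device.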