I figured out how to get EAP-TLS wireless authentication working for iPads using publicly signed certificates with the Client Authentication OID.
Here’s the basic rundown:
Once I got the certs, I imported it (as a p12 with both the cert and key), plus the certs for my RADIUS servers into a configuration profile, added a wireless configuration profile, checked EAP-TLS and selected my client/authentication cert.
I also added my RADIUS certs as 'trusted' for the connection so it wouldn't prompt users to trust them when the profile got installed.
Now for us, I’m only (currently anyway) deploying these to groups or carts of iPads, because those areas should be keeping track of who is using iPads at what time for auditing purposes. It would probably be possible to use SCEP, and the Jamf API and PowerShell to automagicify the whole process, but this was good enough for me, considering how soon school is starting (and that could create a TON of RADIUS policies).
Let me know if you want/need any more detail on how to set this up and I’ll be happy to help!
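To make the profile layout in the post above concrete, here is an added example (not the poster's profile or Jamf's code) that assembles the same three payloads, a PKCS#12 identity, the RADIUS server certs marked trusted, and an EAP-TLS Wi-Fi payload, and checks that every RADIUS cert payload is actually anchored by the Wi-Fi payload. Payload keys follow Apple's Configuration Profile Reference; the SSID, identifiers and certificate bytes are constructed placeholders.

```python
# Added example: EAP-TLS Wi-Fi profile as a plist-style dict, plus a check that
# each RADIUS root-cert payload is anchored by the Wi-Fi payload. Keys follow
# Apple's Configuration Profile Reference; all values here are placeholders.
import uuid

EAP_TLS = 13  # EAP method number for EAP-TLS in AcceptEAPTypes


def make_profile(ssid, identity_p12, p12_password, radius_certs, server_names):
    """Return a profile dict with an identity, the RADIUS roots, and the Wi-Fi payload."""
    identity_uuid = str(uuid.uuid4())
    payloads = [{"PayloadType": "com.apple.security.pkcs12",
                 "PayloadIdentifier": "example.identity", "PayloadVersion": 1,
                 "PayloadUUID": identity_uuid,
                 "PayloadContent": identity_p12, "Password": p12_password}]
    anchors = []
    for i, der in enumerate(radius_certs):  # one root-cert payload per RADIUS server cert
        cert_uuid = str(uuid.uuid4())
        anchors.append(cert_uuid)
        payloads.append({"PayloadType": "com.apple.security.root",
                         "PayloadIdentifier": f"example.radius.{i}", "PayloadVersion": 1,
                         "PayloadUUID": cert_uuid, "PayloadContent": der})
    payloads.append({
        "PayloadType": "com.apple.wifi.managed", "PayloadIdentifier": "example.wifi",
        "PayloadVersion": 1, "PayloadUUID": str(uuid.uuid4()),
        "SSID_STR": ssid, "AutoJoin": True, "EncryptionType": "WPA2",
        "PayloadCertificateUUID": identity_uuid,  # client/authentication cert
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [EAP_TLS],
            "PayloadCertificateAnchorUUID": anchors,  # RADIUS certs trusted for this SSID
            "TLSTrustedServerNames": list(server_names),  # names expected on the RADIUS cert
        }})
    return {"PayloadType": "Configuration", "PayloadVersion": 1,
            "PayloadIdentifier": "example.eaptls", "PayloadUUID": str(uuid.uuid4()),
            "PayloadDisplayName": "EAP-TLS Wi-Fi (example)", "PayloadContent": payloads}


def unanchored_server_certs(profile):
    """UUIDs of root-cert payloads that no Wi-Fi payload anchors (the user gets a trust prompt)."""
    roots = {p["PayloadUUID"] for p in profile["PayloadContent"]
             if p["PayloadType"] == "com.apple.security.root"}
    anchored = set()
    for p in profile["PayloadContent"]:
        if p["PayloadType"] == "com.apple.wifi.managed":
            eap = p.get("EAPClientConfiguration", {})
            anchored.update(eap.get("PayloadCertificateAnchorUUID", []))
    return sorted(roots - anchored)
```

`plistlib.dumps(profile)` turns the returned dict into the XML .mobileconfig body; sign it before distributing.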
"I also added my RADIUS certs as 'trusted' for the connection so it wouldn't prompt users to trust them when the profile got installed."
For the life of me, no matter what I add to the profile and different combinations of certs and tick boxes and CAs etc the iPads ALWAYS prompt the user to trust my RADIUS cert. Did you ever come across this issue?
This is quite complex, and does depend on your setup.
We have a wireless profile, with a root CA, and a template cert with $SERIALNUMBER and $USERNAME as fields, which is then populated by Jamf ADCS that talks to an internal CA. Both certs and the profile install trusted on the device.