EAP-PEAP configuration for android api > 29 #5966

Closed
JeGoi opened this issue Nov 4, 2020 · 5 comments · Fixed by #5970
@JeGoi
Contributor

JeGoi commented Nov 4, 2020

Describe the bug
For API > 29, the PacketFence Android Agent needs the public key of the CA certificate that signed the RADIUS certificate.

To Reproduce
Use an Android device with API 30 (Android 11)
Use the Android agent 2.4.0 from the Google Play Store
Use a RADIUS self-signed certificate
Use the Android Provisioner (with PKI settings etc.)
Try an EAP-PEAP connection.
=> The current Android application crashes due to this test:
https://cs.android.com/android/platform/superproject/+/master:frameworks/base/wifi/java/android/net/wifi/WifiEnterpriseConfig.java;l=1426;drc=master

Expected behavior
EAP-PEAP connection through PacketFence-Android-Agent for Android API > 29 (newer than Android 10)

How to fix

  • Add a new field for the CA public key in the Android Provisioner after the "RADIUS server certificate path".
  • Add this new field in lib/pf/provisioner/mobileconfig.pm and wherever else it is needed ;)
  • Change the EAP-PEAP XML file (html/captive-portal/templates/wireless-profile-peap.xml) to get the CA content from the previous field.
  • Test that the new EAP-PEAP XML works well with other devices (Apple, Windows, etc.)

It has been tested with success using an XML file modified by hand, an Android 11 device and a modified Android agent.
In the example below, the Android Agent grabs the CA from the payload whose PayloadType is com.apple.security.ca.

Example:

# cat /usr/local/pf/html/captive-portal/templates/wireless-profile-peap.xml 
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!-- Generated by the iPhone Configuration Utility /-->
<plist version="1.0">
<dict>
        <key>PayloadContent</key>
        <array>
                <dict>
                        <key>AutoJoin</key>
                        <true/>
[...]
                        <key>PayloadType</key>
                        <string>com.apple.wifi.managed</string>
[...]
                </dict>
                <dict>
                        <key>PayloadCertificateFileName</key>
                        <string>[% provisioner.server_certificate_cn() %]</string>
[...]
                        <key>PayloadType</key>
                        <string>com.apple.security.root</string>
[...]
                </dict>
                <dict>
                        <key>PayloadContent</key>
                        [% IF for_windows || for_android %]
<!-- Here there is the raw content of the public ca cert /-->
                        <string>
MIID5DCCAsygAwIBAgIBATANBgkqhkiG9w0BAQsFADBqMQswCQYDVQQGEwJDQTEN
MAsGA1UECBMETm9uZTENMAsGA1UEBxMETm9uZTENMAsGA1UECRMETm9uZTENMAsG
[...]
KU/78Hsljv7g09mkVneRtrOd8hqKK7Mcb3Ycj+xHu4V8vop0p9ri/bIK+tIM+/Ag
z+csGKEght9Mmc6uh/EFdZ6mFDUvYSRAeO9Zcs9yre54lJH7VpADKEn2PeO1PdAS
2ZiPL6mU5kaYE6drG9qCiBBti2aIvxD7ox1SDM+q/GK6H+Ji6Ser+w==
                        </string>
                        [% END %]
                        <key>PayloadType</key>
                        <string>com.apple.security.ca</string>
                </dict>
        </array>
        <key>PayloadDescription</key>
        <string>Profile description.</string>
[...]
        <key>PayloadUUID</key>
        <string>5F3EC12F-570E-48EE-A433-E8DC8E9EC4FE</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
</dict>
</plist>
@nqb
Contributor

nqb commented Nov 5, 2020

@JeGoi, I made a proposal in #3432 (comment) regarding this issue.

Regarding your proposal, I think we should keep com.apple.security.root instead of com.apple.security.ca because we are sure it works on Apple devices and also with our packetfence-windows-agent.

@JeGoi
Contributor Author

JeGoi commented Nov 5, 2020

@nqb Well, for the name, it was just an example. We just have to know what it will be in order to fix it in the Android agent.
With Android, we need the CN from the current XML file (or a way to find it). So, for Android, the current XML is just a part of the solution. I am not sure that your proposal will fix our problem with Android 11.

@nqb
Contributor

nqb commented Nov 5, 2020

@JeGoi, could you indicate what our PacketFence-Android-Agent needs:

  1. with API < 29
  2. with API > 29

to install a connection profile when using an Android provisioner configured for EAP-PEAP?

I didn't see any references to the CN you just mentioned in the description of this issue.

@JeGoi
Contributor Author

JeGoi commented Nov 5, 2020

@nqb Yes, sure. I did not mention the CN because it is already there and available in the current XML file.

                        <key>PayloadCertificateFileName</key>
                        <string>[% provisioner.server_certificate_cn() %]</string>
[...]
                        <key>PayloadType</key>
                        <string>com.apple.security.root</string>

With API < 29, the current Android Agent (2.4.0) and the current XML are fine for using EAP-PEAP with an Android Provisioner.
With API >= 29, the current Android Agent (2.4.0) is not working. To fix it, we need a modification of the XML to get the provisioner.server_certificate_cn() of the "RADIUS self-signed certificate", and we also need the "RADIUS CA public key" that was used to create the certificate. We need both to fix the WifiEnterpriseConfig() in WifiNetworkSuggestion().

@nqb
Contributor

nqb commented Nov 5, 2020

As discussed with @JeGoi, requirements for the Android Agent starting from API >= 29:

EAP-PEAP

  • CN of the RADIUS certificate (already present)
  • CA certificate that signed the RADIUS certificate (not present)

EAP-TLS

  • CN of the RADIUS certificate (not present)
  • CA certificate that signed the RADIUS certificate (already present)
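As an added example (not PacketFence or PacketFence-Android-Agent code), the following Python checker reads a rendered profile in the shape of the wireless-profile-peap.xml template quoted in the issue and reports whether it carries both items the Android agent needs from API 29 on, for EAP-PEAP and EAP-TLS alike: the RADIUS server CN from the com.apple.security.root payload and the CA certificate bytes from the com.apple.security.ca payload. The sample profiles, the hostname radius.example.org and the CA bytes (a placeholder DER SEQUENCE, not a real certificate) are constructed for this example; only the standard library is used.

```python
import base64
import plistlib

# Constructed sample in the shape of the rendered wireless-profile-peap.xml shown
# in the issue. Only the parts the Android agent reads are kept. The hostname and
# the CA bytes below are made up for the example.
_TEMPLATE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>AutoJoin</key>
      <true/>
      <key>PayloadType</key>
      <string>com.apple.wifi.managed</string>
    </dict>
    <dict>
      <key>PayloadCertificateFileName</key>
      <string>radius.example.org</string>
      <key>PayloadType</key>
      <string>com.apple.security.root</string>
    </dict>
    <!-- CA -->
  </array>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
"""

# The CA payload as the issue proposes it: raw base64 of the CA certificate in a
# <string>. "MAMCAQU=" is the placeholder DER SEQUENCE 30 03 02 01 05.
_CA_PAYLOAD = b"""<dict>
      <key>PayloadContent</key>
      <string>
MAMCAQU=
      </string>
      <key>PayloadType</key>
      <string>com.apple.security.ca</string>
    </dict>"""

# Profile with the proposed CA payload, and the pre-fix shape without it.
PROFILE_WITH_CA = _TEMPLATE.replace(b"<!-- CA -->", _CA_PAYLOAD)
PROFILE_WITHOUT_CA = _TEMPLATE.replace(b"<!-- CA -->", b"")


def payloads_by_type(profile_bytes):
    """Group the profile's PayloadContent entries by their PayloadType."""
    plist = plistlib.loads(profile_bytes)
    grouped = {}
    for payload in plist.get("PayloadContent", []):
        grouped.setdefault(payload["PayloadType"], []).append(payload)
    return grouped


def der_length_ok(der):
    """Sanity check: a certificate is a DER SEQUENCE (tag 0x30) whose encoded
    length must cover exactly the remaining bytes. Catches truncated or
    mis-decoded base64 before it is handed to a TLS stack."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:
        length, header = first, 2
    else:
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    return header + length == len(der)


def ca_certificate(payloads):
    """Return the CA DER bytes from the com.apple.security.ca payload, or None."""
    entries = payloads.get("com.apple.security.ca")
    if not entries:
        return None
    raw = entries[0].get("PayloadContent")
    if isinstance(raw, bytes):          # <data> element: plistlib decodes it
        der = raw
    elif isinstance(raw, str):          # <string> element, as in the issue
        der = base64.b64decode("".join(raw.split()))
    else:
        return None
    return der if der_length_ok(der) else None


def server_cn(payloads):
    """Return the RADIUS server CN carried in PayloadCertificateFileName."""
    entries = payloads.get("com.apple.security.root")
    if not entries:
        return None
    return entries[0].get("PayloadCertificateFileName")


def android_requirements(profile_bytes):
    """Return (cn, ca_der, missing) for an Android agent on API >= 29, where
    'missing' lists which of the two required items the profile lacks."""
    payloads = payloads_by_type(profile_bytes)
    cn = server_cn(payloads)
    ca = ca_certificate(payloads)
    missing = [name for name, value in (("cn", cn), ("ca", ca)) if not value]
    return cn, ca, missing


if __name__ == "__main__":
    for label, profile in (("with CA", PROFILE_WITH_CA), ("without CA", PROFILE_WITHOUT_CA)):
        cn, ca, missing = android_requirements(profile)
        print(label, cn, ca, "missing:", missing)
```

Run against the profile without the CA payload, the checker reports "ca" as missing, which is the state of the unmodified template on an API 30 device; with the proposed payload both items are found. The DER length check is deliberately minimal: it only proves the base64 decoded to one complete SEQUENCE, and the agent still has to verify that this CA actually signed the RADIUS certificate presented during EAP.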
