Issues with EAP-TLS and Galaxy S24 Ultra
I recently upgraded my phone to the new Samsung Galaxy S24 Ultra and have spent the last 24 hours setting it up, only to find that when I tried to connect to my wireless network using my certificates, it wasn't working. It failed on the SSL handshake and wouldn't accept the Cisco ISE server's certificate as trusted.
I'd made sure I had added all the CA and even the ICA certificates and the same user certificate etc., and was configuring the session settings the same, but it was still failing. Sometimes it wouldn't even register on the RADIUS server, which made things difficult to troubleshoot (and yes, I'd disabled the logging setting for failed logins in ISE). Now I will say that with Android 14 (at least the Samsung Android 14) the connection settings for connecting to a wireless EAP-TLS network are a bit different; there were a couple of specific things I had to do differently. One of which I will still have to play around with, as it was to turn off certificate validation, which I thought was working on my old phone, but when I went back to it I also had to disable validation, so maybe I was wrong.
So, as any tech head would do, I started googling and spent quite a number of hours on this issue. Given it was an SSL handshake failure, I tried replacing the certificates on my phone and even revoked and generated new user certificates, but still had the same issue. The only thing I didn't do was re-create the server certificate, and that's because my wired EAP-TLS was still working perfectly with the same server certificate, and it also worked perfectly on other, older phones.
I would like to say that I did have some success by creating the certificate in PFX format. It connected once, but once I disconnected it refused to connect again. Anyway, just as an FYI to you all, to create a PFX-format certificate if you have followed my CA/ICA server build guide, the command is as follows:
```sh
sudo openssl pkcs12 -export -out certs/cert.pfx -inkey private/private.key -in certs/cert.crt
```
Okay, so back to the drawing board it was for this one, and still I had nothing. I started looking at WLC debugs and more googling, and eventually found a few articles saying that other people were having issues with older versions of Android (11/12) with internally signed CA certificates and that it just wouldn't connect. Some said they resorted to using globally trusted server certificates, but no thanks. Anyway, that got me thinking. I noticed that sometimes on my phone I got an error about trying Trust on first use (TOFU) for the CA certificate, but I kept ignoring it because I was like, no, it should accept my ISE server certificate as it's signed by a trusted CA that I've added to the phone. Anyway, guess what resolved my issue. I selected TOFU from the CA certificate menu, and it connected after being prompted to trust the certificate, which I obviously said yes to. Once that was done, it actually connected. I was then able to go in and change the certificate to my internal CA certificate, and it still connected. Not sure what happens when you select TOFU for the certificate option, but after doing that, it all worked perfectly.
So let me show you. As you can see, with the latest Samsung phone the EAP configuration is slightly different to older versions. When you connect to an EAP-TLS wireless network, you will see a screen like the first image here, which defaults to PEAP. To select EAP-TLS, press the View more option. You will then see an EAP method option, as in the second image. Change that to TLS and then fill in all of the required information as normal, as per the third image, the only exception being that the CA certificate is set to Trust on first use (TOFU). Once done, press Connect.
(Three screenshots: the default PEAP connection screen, the EAP method selection, and the completed EAP-TLS settings with the CA certificate set to Trust on first use.)
After pressing Connect, you should be prompted to trust the RADIUS server certificate; when you see that, press Accept. If that worked like it did for me, you're now connected to your EAP-TLS wireless network. You should now be able to forget that network, go back in, and change the CA certificate to your internal trusted certificate, as below.
I'm not sure what selecting TOFU does, but it resolved my issue. If you've noticed anything missing or have any issues with this post, please leave a comment and let me know.