Client Configuration Guides
Learn how to configure Windows, macOS, iOS, Android, and Chromebook devices to connect securely to IronWiFi WPA-Enterprise wireless networks. These guides cover manual configuration and MDM deployment for all major EAP authentication methods.
Authentication Methods
EAP-PEAP (Protected EAP)
PEAP is a widely supported authentication method that uses a username and password protected by a TLS tunnel.
EAP-TLS (Certificate-based)
EAP-TLS is one of the most secure WiFi authentication methods, using client and server certificates for mutual authentication without requiring username/password.
EAP-TTLS + PAP
EAP-TTLS with PAP provides a secure tunnel for password-based authentication. Useful when integrating with external identity providers.
- Windows - TTLS + PAP
- macOS & iOS - TTLS + PAP
- Android - TTLS + PAP
- Chromebook - TTLS + PAP
- Linux - TTLS + PAP
Choosing the Right Method
| Method | Security | Certificates Required | Best For |
|---|---|---|---|
| EAP-TLS | Highest | Client + Server | Enterprise with PKI |
| EAP-PEAP | High | Server only | Username/password auth |
| EAP-TTLS | High | Server only | External identity providers |
Prerequisites
Before configuring client devices:
- Network configured - Ensure your wireless network is set up with IronWiFi RADIUS authentication
- User accounts - Users must exist in the IronWiFi console or be synced from an identity provider
- Certificates (for EAP-TLS) - Client certificates must be provisioned via SCEP or manual installation
MDM Deployment
For enterprise deployments, use Mobile Device Management (MDM) to push WiFi profiles automatically:
- Windows - Deploy via Microsoft Intune, SCCM, or Group Policy
- macOS/iOS - Use Apple Business Manager with Jamf Pro or Kandji
- Android - Deploy through Android Enterprise with Google Workspace or VMware Workspace ONE
- Chromebook - Configure via Google Admin Console for Chrome Enterprise
MDM deployment eliminates manual configuration and ensures consistent security settings across all managed devices.
Troubleshooting Tips
If devices fail to connect:
- Verify RADIUS server reachability - Check that UDP customer authentication and accounting ports are open between your access points and IronWiFi
- Check user credentials - Confirm the username and password are correct in the IronWiFi console
- Validate certificates - For EAP-TLS, ensure client certificates are not expired and match the trusted CA
- Review authentication logs - Check the IronWiFi console for detailed error messages
Frequently Asked Questions
Q: Which EAP method should I use for my deployment?
Use EAP-PEAP for most deployments — it works on all platforms using username and password authentication. Choose EAP-TLS for highest security with certificate-based authentication (requires MDM or manual certificate deployment). Use EAP-TTLS + PAP when integrating with identity providers that require plaintext password verification.
Q: Do users need to install software to connect?
No. All supported platforms (Windows, macOS, iOS, Android, Chromebook, Linux) have built-in support for WPA-Enterprise and EAP authentication. Users configure the WiFi profile manually in their device settings or receive it automatically through MDM deployment.
Q: How do I deploy WiFi profiles to managed devices automatically?
Use your Mobile Device Management (MDM) solution to push WiFi profiles. Microsoft Intune or Group Policy works for Windows, Jamf Pro or Kandji for macOS/iOS, Android Enterprise for Android, and Google Admin Console for Chromebooks. MDM deployment eliminates manual configuration errors and ensures consistent security settings.
Q: Why does my device show a certificate warning when connecting?
Your device may not trust the RADIUS server's certificate. For EAP-PEAP and EAP-TTLS, configure the device to trust the IronWiFi CA certificate. For EAP-TLS, ensure the client certificate is not expired and the issuing CA matches the trusted CA configured on the RADIUS server. MDM deployment can pre-install trusted certificates to avoid warnings.
Related Topics
- Passpoint (Hotspot 2.0) -- automatic WiFi connection without manual device configuration
- Identity Provider Connectors -- sync user accounts from Google Workspace, Entra ID, and LDAP
- Troubleshooting Guide -- resolve 802.1X, certificate, and mobile device connection issues
- Network Configuration -- RADIUS server settings that client devices authenticate against
- Certificate Management via SCEP -- automate EAP-TLS certificate provisioning
Was this page helpful?