Android - EAP-TLS Configuration
Configure Android devices for secure, certificate-based authentication to IronWiFi WPA-Enterprise wireless networks using EAP-TLS. This passwordless authentication method provides the highest level of WiFi security through mutual certificate verification.
Overview
EAP-TLS is one of the most secure WiFi authentication methods available. It uses client and server certificates for mutual authentication, eliminating the need for passwords. Android devices support EAP-TLS natively.
Prerequisites
- Android 11 or later (Android 10 has limited enterprise WiFi features)
- Client certificate installed on the device
- Wireless network configured with WPA2-Enterprise
- CA certificate for the RADIUS server
Certificate Installation
Option 1: MDM Deployment (Recommended)
For enterprise environments, deploy certificates via MDM:
- Configure SCEP in IronWiFi console
- Create certificate profile in your MDM
- Deploy to managed devices
Option 2: Manual Installation
- Transfer the certificate file (.p12 or .pfx) to your device
- Open Settings > Security > Encryption & credentials
- Tap Install a certificate > VPN & app user certificate
- Select your certificate file
- Enter the certificate password
- Name the certificate (e.g., "IronWiFi")
Installing CA Certificate
- Download the CA certificate
- Open Settings > Security > Encryption & credentials
- Tap Install a certificate > CA certificate
- Select the certificate file
- Confirm installation
Configuration Steps
Android 10 and Later
- Open Settings > Network & Internet > WiFi
- Tap your enterprise network (or Add network)
- Configure:
- EAP method: TLS
- CA certificate: Select your installed CA certificate
- User certificate: Select your client certificate
- Domain: Your RADIUS server domain
- Identity: Your username (from certificate subject)
- Tap Connect
Android 9 and Earlier
- Open Settings > WiFi
- Tap the enterprise network
- Configure:
- EAP method: TLS
- CA certificate: Select certificate
- User certificate: Select your certificate
- Identity: Your username
- Tap Connect
Certificate Requirements
Client Certificate
For EAP-TLS authentication, the client certificate must have:
- Extended Key Usage: Client Authentication (1.3.6.1.5.5.7.3.2)
- Subject or SAN: Must contain user identifier matching IronWiFi username
- Key Type: RSA 2048-bit or higher (recommended)
- Validity: Not expired
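The requirements above can be checked before a certificate is deployed. The script below is an added example, not part of the original page or of IronWiFi's tooling. It assumes the OpenSSL command-line tool and a PEM-encoded certificate; the function name `check_client_cert` and the file names are hypothetical.

```shell
#!/bin/sh
# Added example: check a client certificate against the EAP-TLS requirements
# listed above before deploying it. Assumes the OpenSSL CLI and a PEM file,
# e.g. from: openssl pkcs12 -in client.p12 -clcerts -nokeys -out client.pem
# Usage: check_client_cert <cert.pem> <username>   (returns 0 if all pass)
check_client_cert() {
    cert=$1 user=$2 failures=0
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || {
        echo "FAIL: cannot parse $cert as a PEM certificate"; return 1; }

    # EKU must include Client Authentication (1.3.6.1.5.5.7.3.2), which
    # OpenSSL prints as "TLS Web Client Authentication".
    if ! printf '%s\n' "$text" | grep -q 'TLS Web Client Authentication'; then
        echo "FAIL: Extended Key Usage lacks Client Authentication"
        failures=$((failures + 1))
    fi

    # Subject or SAN must contain the user identifier.
    ids=$(printf '%s\n' "$text" | grep -E -A1 'Subject:|Subject Alternative Name')
    if ! printf '%s\n' "$ids" | grep -qF -- "$user"; then
        echo "FAIL: '$user' not found in Subject or SAN"
        failures=$((failures + 1))
    fi

    # RSA 2048-bit or higher (a recommendation on the page; enforced here).
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if ! printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption' ||
        [ "${bits:-0}" -lt 2048 ]; then
        echo "FAIL: key is not RSA 2048-bit or larger"
        failures=$((failures + 1))
    fi

    # Validity: -checkend 0 exits non-zero once notAfter has passed.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: certificate has expired"
        failures=$((failures + 1))
    fi

    [ "$failures" -eq 0 ]
}
```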
Format Support
Android supports these certificate formats:
- .p12 / .pfx - PKCS#12 (recommended)
- .pem - PEM encoded
- .crt / .cer - DER or PEM encoded
MDM Configuration
Android Enterprise
Google Workspace / Intune
- Create a WiFi configuration profile
- Select EAP-TLS as the authentication type
- Reference the deployed certificates
- Assign to device groups
Troubleshooting
Certificate Not Appearing in List
- Verify the certificate was installed correctly
- Check it's installed as "VPN & app user certificate"
- Ensure the certificate hasn't expired
- Try reinstalling the certificate
Authentication Fails
- Check the certificate subject matches your IronWiFi username
- Verify the certificate hasn't expired
- Ensure the issuing CA is trusted by IronWiFi
- Check authentication logs in IronWiFi console
"No User Certificate Available"
- The certificate may be corrupted
- Re-export from the original source with the private key
- Verify the .p12 file includes the private key
Server Certificate Validation Error
- Install the RADIUS server's CA certificate
- Ensure the domain name is correctly configured
- Check the server certificate hasn't expired
Security Considerations
Private Key Protection
- Android stores private keys in the system keystore
- Keys are protected by device encryption
- Screen lock is recommended for certificate protection
Certificate Lifecycle
Monitor certificate expiration:
- Set calendar reminders for renewal
- Use MDM to automate certificate renewal via SCEP
- Plan for certificate revocation procedures
Related Topics
Other protocols on Android
- Android — EAP-PEAP — password-based auth
- Android — TTLS + PAP — legacy RADIUS