Android - TTLS + PAP Configuration
Configure Android devices to connect to IronWifi WPA-Enterprise wireless networks using EAP-TTLS with PAP inner authentication. This method is essential for integrating with external identity providers like Microsoft Entra ID (without password hash sync), LDAP directories, and legacy systems that don't support MSCHAPv2.
Overview
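EAP-TTLS creates a secure TLS tunnel and uses PAP for inner authentication. PAP sends the password itself through that tunnel, so the password is protected only when the device validates the RADIUS server certificate. This method is useful when integrating with external identity providers that don't support MSCHAPv2.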
Prerequisites
- Android 10 or later
- Valid IronWifi user credentials
- Wireless network configured with WPA2-Enterprise
Configuration Steps
Android 10 and Later
- Open Settings > Network & Internet > Wi-Fi
- Tap your enterprise network (or tap Add network)
- Configure the following settings:
- EAP method: TTLS
- Phase 2 authentication: PAP
- CA certificate: Use system certificates (or select specific CA)
- Domain: Your RADIUS server domain (e.g., radius.ironwifi.com)
- Identity: Your username (usually email address)
- Anonymous identity: Leave blank or enter anonymous
- Password: Your password
- Tap Connect
Android 9 and Earlier
- Open Settings > Wi-Fi
- Tap your enterprise network
- Configure:
- EAP method: TTLS
- Phase 2 authentication: PAP
- CA certificate: Do not validate (or select certificate)
- Identity: Your username
- Password: Your password
- Tap Connect
Certificate Configuration
Using System Certificates (Android 10+)
- Select CA certificate: Use system certificates
- Enter Domain: radius.ironwifi.com (or your RADIUS hostname)
Installing a Custom CA Certificate
If your organization uses a private CA:
- Download the CA certificate to your device
- Open Settings > Security > Encryption & credentials
- Tap Install a certificate > CA certificate
- Select the downloaded certificate file
- When configuring Wi-Fi, select your installed certificate
Identity Privacy
EAP-TTLS supports identity privacy (anonymous outer identity):
- Outer Identity: Sent unencrypted (use anonymous@yourdomain.com)
- Inner Identity: Your actual username, sent encrypted inside the TLS tunnel
To configure:
- Enter your real username in the Identity field
- Enter anonymous or anonymous@yourdomain.com in the Anonymous identity field
MDM Deployment
For enterprise deployment via MDM (Mobile Device Management):
Android Enterprise (Work Profile)
Create a Wi-Fi configuration profile with:
- SSID: Your network name
- Security: WPA2-Enterprise
- EAP type: TTLS
- Phase 2: PAP
- Identity: ${user.email} (variable)
- Anonymous identity: anonymous
- Certificate: Deploy CA certificate
Troubleshooting
"Authentication Problem" Error
- Verify your username and password
- Check that your account is active in IronWifi
- Ensure PAP is enabled on the RADIUS server
- Try removing and re-adding the network
Certificate Validation Failed
- Check the CA certificate is correctly installed
- Verify the domain name matches the RADIUS server
- Ensure the certificate hasn't expired
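The three checks above can be run on a workstation against PEM copies of the CA certificate and the RADIUS server certificate before changing anything on the device. This is an added example, not part of the IronWifi documentation; the function names, file names and the hostname radius.example.test are assumptions, and the domain test assumes the Domain field holds the full RADIUS hostname.

```shell
#!/bin/sh
# Added example (not from the IronWifi documentation).
# Usage: sh check_radius_cert.sh CA_PEM SERVER_PEM DOMAIN

# Run the three "Certificate Validation Failed" checks on PEM files.
# Assumes DOMAIN is the full RADIUS hostname typed into the Domain field.
# Returns 0 only if every check passes.
check_radius_cert() {
    ca=$1; cert=$2; domain=$3; rc=0

    # CA correctly installed: the server certificate must chain to the CA the
    # device trusts. -no_check_time keeps expiry as a separate finding.
    if openssl verify -no_check_time -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "chain:  ok"
    else
        echo "chain:  FAIL, certificate is not issued by $ca"; rc=1
    fi

    # Domain matches: -checkhost always exits 0, so test its message instead.
    if openssl x509 -in "$cert" -noout -checkhost "$domain" 2>/dev/null |
            grep -q 'does match certificate'; then
        echo "domain: ok"
    else
        echo "domain: FAIL, $domain is not a name in the certificate"; rc=1
    fi

    # Not expired: -checkend 0 exits non-zero once notAfter has passed.
    if openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "expiry: ok"
    else
        echo "expiry: FAIL, certificate has expired"; rc=1
    fi
    return $rc
}

# Constructed sample input: a throwaway CA and server certificate in DIR.
make_demo_certs() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.example.test" \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null &&
    printf 'subjectAltName=DNS:radius.example.test\n' > "$dir/ext.cnf" &&
    openssl x509 -req -in "$dir/srv.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -extfile "$dir/ext.cnf" \
        -out "$dir/srv.pem" 2>/dev/null
}

if [ "$#" -eq 3 ]; then check_radius_cert "$@"; fi
```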
Cannot Connect After Android Update
- Remove the saved network
- Re-enter credentials
- You may need to reinstall the CA certificate
Use Cases
EAP-TTLS + PAP is particularly useful for:
- Microsoft Entra ID integration without password hash sync
- LDAP authentication with external directories
- Legacy systems that don't support MSCHAPv2
- Third-party identity providers
Related Topics
- Android - EAP-PEAP - PEAP authentication method
- Android - EAP-TLS - Certificate-based authentication
- Windows - TTLS + PAP - Windows TTLS configuration
- Microsoft Entra ID Integration - SSO configuration