Chromebook - TTLS + PAP Configuration
Configure Chromebook devices to connect to IronWifi WPA-Enterprise wireless networks using EAP-TTLS with PAP inner authentication. This method is essential for integrating with external identity providers like Microsoft Entra ID (without password hash sync), LDAP directories, and legacy systems that don't support MSCHAPv2.
Overview
EAP-TTLS creates a secure TLS tunnel and uses PAP for inner authentication. This method is useful when integrating with external identity providers that don't support MSCHAPv2.
Prerequisites
- ChromeOS device
- Valid IronWifi user credentials
- Wireless network configured with WPA2-Enterprise
Configuration Steps
Manual Configuration
- Click the network icon in the system tray (bottom-right corner)
- Click Settings (gear icon)
- Select Network > Wi-Fi
- Click Add connection (or select the enterprise network)
- Configure the following:
- SSID: Your network name
- Security: WPA/WPA2 Enterprise (802.1X)
- EAP method: EAP-TTLS
- Phase 2 authentication: PAP
- Server CA certificate: Default or select installed certificate
- Identity: Your username (usually email address)
- Password: Your password
- Anonymous identity: (optional, for privacy)
anonymous
- Click Connect
Certificate Configuration
Using Default Certificates
ChromeOS includes a set of trusted CA certificates. If IronWifi uses a publicly trusted CA:
- Select Server CA certificate: Default
- No additional certificate installation needed
Installing a Custom CA Certificate
If your organization uses a private CA:
- Download the CA certificate file (or
.pem).crt - Open Settings > Security and Privacy
- Select Certificates > Authorities
- Click Import and select the CA certificate file
- Check Trust this certificate for identifying websites
- Click OK
- When configuring Wi-Fi, select your imported certificate
Google Admin Console Deployment
For managed Chromebooks, deploy the configuration via Google Admin Console:
- Sign in to Google Admin Console (admin.google.com)
- Navigate to Devices > Networks > Wi-Fi
- Click Add Wi-Fi
- Configure:
- Name: Your network name
- SSID: Your SSID
- Security type: WPA/WPA2 Enterprise (802.1X)
- Extensible authentication protocol: EAP-TTLS
- Inner protocol: PAP
- Outer identity:
anonymous
- Under Server certificate authority, upload your CA certificate
- Under User credentials, configure as needed
- Click Save
Identity Privacy
EAP-TTLS supports identity privacy (anonymous outer identity):
- Outer Identity: Sent unencrypted (use )
anonymous@yourdomain.com - Inner Identity: Your actual username, sent encrypted inside the TLS tunnel
Troubleshooting
Cannot Connect to Network
- Verify your username and password
- Check that your account is active in IronWifi
- Remove the saved network and re-add it
- Ensure PAP is enabled on the RADIUS server
Certificate Errors
- Verify the CA certificate is correctly imported
- Check the certificate hasn't expired
- Try setting Server CA certificate to Do not check
Network Disappears After Restart
- Re-enter network settings
- For managed devices, verify Google Admin Console policy is applied
- Check that ChromeOS is up to date
Use Cases
EAP-TTLS + PAP is particularly useful for:
- Microsoft Entra ID integration without password hash sync
- LDAP authentication with external directories
- Legacy systems that don't support MSCHAPv2
- Google Workspace environments with third-party RADIUS
Related Topics
- Chromebook - EAP-PEAP - PEAP authentication method
- Chromebook - EAP-TLS - Certificate-based authentication
- Windows - TTLS + PAP - Windows TTLS configuration
- Google Admin MDM - Managed deployment