
macOS & iOS - EAP-TLS Configuration

Configure Apple devices for certificate-based EAP-TLS, the most secure Wi-Fi authentication method available, on IronWifi WPA-Enterprise networks. This passwordless authentication uses client and server certificates for mutual verification and is ideal for enterprise environments with an existing PKI.

Overview

EAP-TLS is the most secure Wi-Fi authentication method available. It uses client and server certificates for mutual authentication, eliminating the need for passwords. Apple devices have excellent native support for EAP-TLS.

Prerequisites

  • macOS 10.15+ or iOS 14+
  • Client certificate installed on the device
  • Wireless network configured with WPA2-Enterprise
  • IronWifi SCEP connector (for automatic certificate provisioning)

Certificate Installation

Option 1: SCEP with Jamf Pro

For managed devices, use Jamf Pro to automatically provision certificates:

  1. Configure SCEP with Jamf Pro in IronWifi
  2. Create a SCEP payload in Jamf Pro
  3. Deploy the configuration profile to devices
  4. Certificates will be automatically installed

Option 2: Apple Configurator / MDM Profile

  1. Create a configuration profile with:
    • Certificate payload: Include client certificate (.p12)
    • Wi-Fi payload: Configure EAP-TLS with the certificate
  2. Install the profile on the device

Option 3: Manual Installation (macOS)

  1. Obtain your client certificate (.p12 file)
  2. Double-click the certificate file
  3. Keychain Access will open; select the login keychain
  4. Enter the certificate password
  5. Click OK

Option 4: Manual Installation (iOS)

  1. Email or download the certificate (.p12 file) to the device
  2. Tap the certificate file
  3. Go to Settings > General > VPN & Device Management
  4. Tap the downloaded profile
  5. Enter the certificate password
  6. Tap Install

Configuration Steps

macOS

  1. Click the Wi-Fi icon in the menu bar
  2. Select your enterprise network
  3. In the authentication dialog:
    • Mode: EAP-TLS
    • Identity: Select your client certificate
  4. If prompted, select Trust for the RADIUS server certificate
  5. Click Join

iOS

  1. Open Settings > Wi-Fi
  2. Tap your enterprise network
  3. The device will automatically detect EAP-TLS if a matching certificate is installed
  4. Select your client certificate when prompted
  5. Tap Trust for the RADIUS server certificate
  6. Tap Join

MDM Deployment

Jamf Pro

Create a Wi-Fi configuration profile:

  1. In Jamf Pro, go to Configuration Profiles
  2. Add a Wi-Fi payload:
    • SSID: Your network name
    • Security Type: WPA2 Enterprise
    • Protocols: TLS
    • Identity Certificate: Select SCEP or uploaded certificate
    • Trust: Add trusted CA certificates
  3. Scope to target devices
  4. Deploy
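
A pre-deployment check for the Wi-Fi payload settings listed above, added here as an example (it is not IronWifi or Jamf tooling). It assumes an unsigned .mobileconfig exported as a plist and uses Apple's documented payload keys; the SSID, UUIDs and server name in the sample profiles are constructed.

```python
import plistlib

EAP_TLS = 13  # IANA EAP method number for EAP-TLS
IDENTITY = {"com.apple.security.pkcs12", "com.apple.security.scep"}
ANCHOR = {"com.apple.security.root", "com.apple.security.pkcs1",
          "com.apple.security.pem"}

def lint_wifi_profile(raw: bytes) -> list:
    """Return findings for each Wi-Fi payload in an unsigned .mobileconfig."""
    payloads = plistlib.loads(raw).get("PayloadContent", [])
    kind = {p["PayloadUUID"]: p.get("PayloadType")
            for p in payloads if "PayloadUUID" in p}
    out = []
    for p in payloads:
        if p.get("PayloadType") != "com.apple.wifi.managed":
            continue
        ssid, eap = p.get("SSID_STR", "?"), p.get("EAPClientConfiguration", {})
        if p.get("EncryptionType") not in ("WPA2", "WPA3"):
            out.append(f"{ssid}: security type is not WPA2/WPA3 Enterprise")
        if eap.get("AcceptEAPTypes") != [EAP_TLS]:
            out.append(f"{ssid}: accepted EAP types are not TLS only")
        # The identity must point at a PKCS#12 or SCEP payload in this profile.
        if kind.get(p.get("PayloadCertificateUUID")) not in IDENTITY:
            out.append(f"{ssid}: no identity certificate payload referenced")
        # Trust: every anchor UUID must resolve to a CA certificate payload.
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors or any(kind.get(u) not in ANCHOR for u in anchors):
            out.append(f"{ssid}: no trusted RADIUS CA certificate in profile")
        if not eap.get("TLSTrustedServerNames"):
            out.append(f"{ssid}: no expected RADIUS server name set")
    return out

def _profile(eap, enc="WPA2", identity="ID-1"):
    """Constructed sample profile; UUIDs, SSID and host name are made up."""
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "example.wifi", "PayloadUUID": "PROFILE-1",
        "PayloadContent": [
            {"PayloadType": "com.apple.security.scep", "PayloadUUID": "ID-1"},
            {"PayloadType": "com.apple.security.root", "PayloadUUID": "CA-1"},
            {"PayloadType": "com.apple.wifi.managed", "PayloadUUID": "WIFI-1",
             "SSID_STR": "CorpNet", "EncryptionType": enc,
             "PayloadCertificateUUID": identity, "EAPClientConfiguration": eap},
        ]})

GOOD = _profile({"AcceptEAPTypes": [13], "PayloadCertificateAnchorUUID": ["CA-1"],
                 "TLSTrustedServerNames": ["radius.example.com"]})
WEAK = _profile({"AcceptEAPTypes": [13, 25]}, identity="MISSING")

if __name__ == "__main__":
    for name, raw in (("good", GOOD), ("weak", WEAK)):
        print(name, lint_wifi_profile(raw) or "OK")
```

A profile that passes with no findings carries the CA and expected server name with it, so the device does not have to rely on the user tapping Trust.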

Apple Business Manager

For zero-touch deployment:

  1. Assign devices to your MDM
  2. Deploy Wi-Fi and certificate profiles automatically
  3. Devices connect to the enterprise network on first setup

Certificate Requirements

Client Certificate

  • Enhanced Key Usage: Client Authentication (1.3.6.1.5.5.7.3.2)
  • Subject or SAN must contain the user identifier
  • Private key must be available
  • Must be in .p12 or .pfx format for manual installation

Server Certificate (IronWifi RADIUS)

  • Enhanced Key Usage: Server Authentication
  • Must be signed by a trusted CA
  • Subject must match server identity

Troubleshooting

Certificate Not Recognized

  1. Open Keychain Access (macOS) and verify the certificate is in the login keychain
  2. Check the certificate has a private key (expand the certificate entry)
  3. Verify the certificate hasn't expired

Authentication Fails

  1. Verify the certificate subject matches your IronWifi username
  2. Ensure the issuing CA is trusted by IronWifi
  3. Check IronWifi console for authentication logs

Trust Dialog Keeps Appearing

  1. Install the RADIUS server's CA certificate on the device
  2. On macOS: Add to System keychain and set to Always Trust
  3. On iOS: Go to Settings > General > About > Certificate Trust Settings and enable trust

Profile Installation Fails (iOS)

  1. Ensure the device is not supervised with a restriction that blocks profile installation
  2. Check for MDM restrictions
  3. Verify the certificate password is correct