Mac OS & iOS - TTLS + PAP Configuration
Configure Mac and iOS devices to connect to IronWiFi WPA-Enterprise wireless networks using EAP-TTLS with PAP inner authentication. This method is ideal for integrating with external identity providers like Microsoft Entra ID, LDAP directories, and systems that don't support MSCHAPv2.
Overview
EAP-TTLS (Tunneled Transport Layer Security) with PAP provides a secure authentication method that's particularly useful for:
- Integration with external identity providers
- Microsoft Entra ID authentication without password hash sync
- LDAP directory authentication
- Systems that don't support MSCHAPv2
Prerequisites
- iOS 15+ or macOS 12+
- Valid user credentials
- Wireless network configured with WPA2-Enterprise
iOS Configuration
Manual Setup
iOS requires a configuration profile for EAP-TTLS - it cannot be configured manually through the Settings app.
Configuration Profile Method
- Create a .mobileconfig profile (see template below)
- Email the profile to the device, or
- Host on a web server and download via Safari
- Install the profile in Settings > General > VPN & Device Management
Profile Template
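As an added example (not IronWiFi's own template), this Python script builds a TTLS + PAP profile from the standard Apple Wi-Fi payload keys and checks a profile for the problems listed under Troubleshooting. The function names, the `com.example`-style identifiers and the SSID you pass in are assumptions; supply your RADIUS server's CA certificate as DER bytes.

```python
import plistlib
import uuid

EAP_TTLS = 21  # IANA EAP method type for EAP-TTLS


def _payload(ptype, ident, name, **keys):
    # Every payload, and the profile itself, gets its own fresh PayloadUUID.
    return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadIdentifier": ident,
            "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadDisplayName": name, **keys}


def build_ttls_pap_profile(ssid, org_id, ca_der, server_names,
                           outer_identity="anonymous@domain.com"):
    """Return .mobileconfig bytes: CA payload plus a TTLS + PAP Wi-Fi payload."""
    ca = _payload("com.apple.security.root", f"{org_id}.wifi.ca", "RADIUS server CA",
                  PayloadContent=ca_der)  # DER bytes, written as <data>
    eap = {
        "AcceptEAPTypes": [EAP_TTLS],
        "TTLSInnerAuthentication": "PAP",
        "OuterIdentity": outer_identity,
        # PAP hands the password to whoever terminates the tunnel, so pin the
        # RADIUS server: trusted CA anchor plus the expected server names.
        "PayloadCertificateAnchorUUID": [ca["PayloadUUID"]],
        "TLSTrustedServerNames": list(server_names),
    }
    wifi = _payload("com.apple.wifi.managed", f"{org_id}.wifi.ttls-pap", f"Wi-Fi ({ssid})",
                    SSID_STR=ssid, HIDDEN_NETWORK=False, AutoJoin=True,
                    EncryptionType="WPA2", EAPClientConfiguration=eap)
    profile = _payload("Configuration", f"{org_id}.wifi.profile",
                       f"{ssid} (EAP-TTLS + PAP)", PayloadContent=[ca, wifi])
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def lint_profile(data):
    """Return a list of problems found in .mobileconfig bytes (empty if none)."""
    profile = plistlib.loads(data)  # raises if the XML/plist syntax is invalid
    payloads = profile.get("PayloadContent", [])
    uuids = [profile.get("PayloadUUID")] + [p.get("PayloadUUID") for p in payloads]
    problems = []
    if len(set(uuids)) != len(uuids):
        problems.append("duplicate PayloadUUID")
    for p in payloads:
        eap = p.get("EAPClientConfiguration", {})
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if eap.get("TTLSInnerAuthentication") == "PAP" and not (
                anchors and eap.get("TLSTrustedServerNames")):
            problems.append("PAP without pinned server certificate and names")
        if not set(anchors) <= set(uuids):
            problems.append("anchor UUID does not match a payload in the profile")
    return problems
```

Write the returned bytes to a file ending in `.mobileconfig`; because no username or password is embedded, the user enters credentials when joining the network.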
macOS Configuration
Using System Settings
- Click the WiFi icon in the menu bar
- Select WiFi Settings
- Click Advanced (or select your network and click Details)
- Click the + button to add a network
- Enter the SSID and select WPA2-Enterprise
- Click OK
- Connect to the network
- In the authentication dialog:
  - Mode: TTLS
  - Inner Authentication: PAP
  - Username: Your username
  - Password: Your password
Terminal Configuration (Advanced)
MDM Deployment
Microsoft Intune
- Create a Device configuration profile
- Platform: iOS/iPadOS or macOS
- Profile type: WiFi
- Configure:
  - WiFi type: Enterprise
  - EAP type: EAP-TTLS
  - Inner authentication method: PAP
  - Non-EAP method for authentication: Unencrypted password (PAP)
- Deploy to device groups
Jamf Pro
- Create a Configuration Profile
- Add Network payload
- Configure:
  - Security Type: WPA2-Enterprise
  - Protocols: TTLS
  - Inner Authentication: PAP
  - Outer Identity: anonymous (optional)
- Scope to appropriate devices
Apple Configurator 2
- File > New Profile
- Add WiFi payload
- Security Type: WPA2-Enterprise
- Protocols: Check TTLS
- Inner Authentication: PAP
- Export and deploy
Identity Privacy
EAP-TTLS supports anonymous outer identity:
- Outer Identity: Sent unencrypted - use anonymous@domain.com
- Inner Identity: Your real username, protected by the TLS tunnel
Configure in profile:
Troubleshooting
Profile Won't Install
- Check the profile isn't corrupted
- Verify XML syntax is valid
- Ensure UUIDs are unique
- Check device isn't supervised with restrictions
Authentication Fails
- Verify PAP is enabled on IronWiFi
- Check username format matches IronWiFi configuration
- Review authentication logs in IronWiFi console
Cannot Select TTLS in Settings
iOS doesn't allow manual TTLS configuration - you must use a profile.
Certificate Trust Required
If server certificate validation is enabled:
- Include the CA certificate in the profile
- Or install CA certificate separately
- Trust the certificate in Settings
Use Cases
Microsoft Entra ID Integration
TTLS + PAP works well with Microsoft Entra ID when:
- Password hash sync isn't available
- Using passthrough authentication
- Federated authentication is configured
External Identity Providers
Suitable for:
- Okta
- Google Workspace
- Custom LDAP directories
- SAML-based authentication
Related Topics
Other protocols on macOS & iOS
- macOS & iOS — EAP-PEAP — password-based auth
- macOS & iOS — EAP-TLS — certificate-based auth