Windows - EAP-TLS Configuration

Configure Windows devices for the most secure WiFi authentication method available - certificate-based EAP-TLS with IronWiFi WPA-Enterprise networks. This passwordless authentication uses client and server certificates for mutual verification, ideal for enterprise environments with PKI infrastructure.

Overview

EAP-TLS is the most secure WiFi authentication method available. It uses client and server certificates for mutual authentication, eliminating the need for passwords. This method is ideal for enterprise environments with Public Key Infrastructure (PKI).

Prerequisites

• Windows 10 or 11
• Client certificate installed on the device
• Wireless network configured with WPA2-Enterprise
• IronWiFi SCEP connector (for automatic certificate provisioning)

Certificate Installation

Option 1: SCEP with Microsoft Intune

For managed devices, use Microsoft Intune to automatically provision certificates:

1. Configure SCEP with Intune in IronWiFi
2. Deploy the certificate profile to devices via Intune
3. Certificates will be automatically installed

Option 2: Manual Installation

1. Obtain your client certificate (

   .pfx

   or

   .p12

   file)
2. Double-click the certificate file
3. Select Current User or Local Machine
4. Click Next and enter the certificate password
5. Select Automatically select the certificate store
6. Click Finish

Configuration Steps

Windows 10/11

1. Open Settings > Network & Internet > WiFi
2. Click Manage known networks > Add a new network
3. Configure:
   • Network name: Your SSID
   • Security type: WPA2-Enterprise
4. Click Save
5. Click on the network and select Properties
6. Under EAP method, select Microsoft: Smart Card or other certificate

Detailed Configuration

1. Open Control Panel > Network and Sharing Center
2. Click Set up a new connection or network
3. Select Manually connect to a wireless network
4. Enter network details:
   • Network name: Your SSID
   • Security type: WPA2-Enterprise
   • Encryption type: AES
5. Click Next, then Change connection settings
6. Go to Security tab:
   • Authentication method: Microsoft: Smart Card or other certificate
7. Click Settings:
   • Check Use a certificate on this computer
   • Check Use simple certificate selection
   • Check Verify the server's identity by validating the certificate
   • Select appropriate Trusted Root Certification Authorities
8. Click OK to save

Group Policy Deployment

Deploy EAP-TLS configuration enterprise-wide:

Configure:

• Authentication: WPA2-Enterprise
• EAP type: Microsoft: Smart Card or other certificate
• Enable Use a certificate on this computer

Certificate Requirements

For EAP-TLS to work properly, certificates must meet these requirements:

Client Certificate

• Enhanced Key Usage: Client Authentication (1.3.6.1.5.5.7.3.2)
• Subject or SAN must contain user identifier
• Private key must be available

Server Certificate (IronWiFi RADIUS)

• Enhanced Key Usage: Server Authentication
• Must be signed by a trusted CA
• Subject must match server identity

Troubleshooting

Certificate Not Found

1. Open

   certmgr.msc

   (Certificate Manager)
2. Navigate to Personal > Certificates
3. Verify your certificate is listed
4. Check the certificate has a private key (key icon)

Authentication Fails

1. Verify the certificate hasn't expired
2. Check the certificate subject matches your IronWiFi username
3. Ensure the issuing CA is trusted by IronWiFi

Server Certificate Validation Error

1. Install the RADIUS server's CA certificate
2. Add the CA to the trusted root store
3. Select the CA in the EAP-TLS settings

Related Topics

Same protocol on other devices

• Android — EAP-TLS
• Chromebook — EAP-TLS
• Linux — EAP-TLS
• macOS & iOS — EAP-TLS

Other protocols on Windows

• Windows — EAP-PEAP — password-based auth
• Windows — TTLS + PAP — legacy RADIUS

Foundational reading

• WPA3-Enterprise overview
• Troubleshooting Guide