
Windows - TTLS + PAP Configuration

Configure Windows devices to connect to IronWiFi WPA-Enterprise wireless networks using EAP-TTLS with PAP inner authentication. This method is essential for integrating with external identity providers like Microsoft Entra ID (without password hash sync), LDAP directories, and legacy systems that don't support MSCHAPv2.

Overview

EAP-TTLS creates a secure TLS tunnel and uses PAP for inner authentication. This method is useful when integrating with external identity providers that don't support MSCHAPv2.

Prerequisites

  • Windows 10 or 11
  • Valid user credentials
  • Wireless network configured with WPA2-Enterprise

Configuration Steps

Windows 10/11

  1. Open Settings > Network & Internet > WiFi
  2. Click Manage known networks
  3. Click Add a new network
  4. Configure:
    • Network name: Your SSID
    • Security type: WPA2-Enterprise
  5. Click Save

Advanced Configuration via Control Panel

  1. Open Control Panel > Network and Sharing Center
  2. Click Set up a new connection or network
  3. Select Manually connect to a wireless network
  4. Enter:
    • Network name: Your SSID
    • Security type: WPA2-Enterprise
    • Encryption type: AES
  5. Check Start this connection automatically
  6. Click Next, then Change connection settings
  7. Go to the Security tab
  8. Set Authentication method to Microsoft: EAP-TTLS
  9. Click Settings:
    • Enable Identity Privacy: Enter anonymous or leave blank
    • Connect to these servers: (optional) Enter RADIUS server hostname
    • Check Verify the server's identity by validating the certificate
    • Select authentication method: PAP
  10. Click OK to save all settings
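
With PAP as the inner method, the password travels as-is inside the TLS tunnel, so the server-validation settings in step 9 decide whether a client will hand it to an unexpected RADIUS server. The PowerShell below is an added example, not IronWiFi's own tooling: it inspects the EAP-TTLS section of a WLAN profile and reports missing validation settings. The function names, the host name `radius.example.com` and the certificate hash are constructed placeholders, and the element names assume Microsoft's EapTtlsConnectionPropertiesV1 profile schema.

```powershell
# Added example. Sample fragments and all values in them are constructed.
function Test-TtlsPapProfile {
    param([Parameter(Mandatory)][xml]$ProfileXml)

    $findings = [System.Collections.Generic.List[string]]::new()
    # local-name() sidesteps the nested EapHost/EapTtls namespace declarations.
    $ttls = $ProfileXml.SelectSingleNode("//*[local-name()='EapTtls']")
    if ($null -eq $ttls) { $findings.Add('Not an EAP-TTLS profile'); return $findings }

    $pap   = $ttls.SelectSingleNode("*[local-name()='Phase2Authentication']/*[local-name()='PAPAuthentication']")
    $names = $ttls.SelectSingleNode("*[local-name()='ServerValidation']/*[local-name()='ServerNames']")
    $roots = $ttls.SelectNodes("*[local-name()='ServerValidation']/*[local-name()='TrustedRootCAHash']")
    $priv  = $ttls.SelectSingleNode("*[local-name()='Phase1Identity']/*[local-name()='IdentityPrivacy']")

    if ($null -eq $pap) { $findings.Add('Inner method is not PAP') }
    if ($null -eq $names -or [string]::IsNullOrWhiteSpace($names.InnerText)) {
        $findings.Add('No RADIUS server name set ("Connect to these servers" is empty)')
    }
    if ($roots.Count -eq 0) {
        $findings.Add('No trusted root CA selected for server validation')
    }
    if ($null -eq $priv -or $priv.InnerText -ne 'true') {
        $findings.Add('Identity privacy is off: the real username is the outer identity')
    }
    return $findings
}

# Constructed EAP-TTLS fragment; $ServerValidation injects the optional elements.
function New-SampleEapTtls {
    param([string]$ServerValidation = '')
    @"
<EapTtls xmlns="http://www.microsoft.com/provisioning/EapTtlsConnectionPropertiesV1">
  <ServerValidation>$ServerValidation<DisablePrompt>false</DisablePrompt></ServerValidation>
  <Phase2Authentication><PAPAuthentication/></Phase2Authentication>
  <Phase1Identity><IdentityPrivacy>true</IdentityPrivacy><AnonymousIdentity>anonymous</AnonymousIdentity></Phase1Identity>
</EapTtls>
"@
}

$weak     = New-SampleEapTtls
$hardened = New-SampleEapTtls -ServerValidation ('<ServerNames>radius.example.com</ServerNames>' +
    '<TrustedRootCAHash>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCAHash>')

'weak profile findings:';     @(Test-TtlsPapProfile -ProfileXml $weak)      # two findings
'hardened profile findings:'; @(Test-TtlsPapProfile -ProfileXml $hardened)  # none
```

To check a real device, export the profile with `netsh wlan export profile name="Your SSID" folder=.` and pass the file's content (`Get-Content -Raw`) to the function.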

Identity Privacy

EAP-TTLS supports identity privacy (anonymous outer identity):

  • Outer Identity: Sent unencrypted (use anonymous@yourdomain.com)
  • Inner Identity: Your actual username, sent encrypted

To configure:

  1. In EAP-TTLS settings, enable Identity Privacy
  2. Enter an anonymous identity or leave blank

Troubleshooting

EAP-TTLS Option Not Available

  1. Ensure you're running Windows 10 or later
  2. Update wireless adapter drivers
  3. Check for Windows updates

Authentication Fails

  1. Verify credentials are correct
  2. Ensure PAP is enabled on the RADIUS server
  3. Check IronWiFi console for authentication logs

Certificate Validation Issues

  1. Install the RADIUS server's CA certificate
  2. Add it to the Trusted Root Certification Authorities store
  3. Select the CA in EAP-TTLS settings

Use Cases

EAP-TTLS + PAP is particularly useful for:

  • Microsoft Entra ID integration without password hash sync
  • LDAP authentication with external directories
  • Legacy systems that don't support MSCHAPv2
  • Third-party identity providers
