
Quick Start: WPA2/WPA3-Enterprise

Deploy secure enterprise WiFi with 802.1X authentication using IronWiFi as your cloud RADIUS server. This guide gets you from zero to a working WPA2-Enterprise or WPA3-Enterprise network in under 30 minutes.

What You'll Build

802.1X authentication flow:

  1. User connects to the SSID and enters credentials (or presents a certificate)
  2. The access point forwards the credentials to IronWiFi's RADIUS server
  3. IronWiFi verifies the credentials and returns Accept or Reject
  4. On Accept, the access point grants network access (optionally assigning a VLAN)

Prerequisites

  • An IronWiFi account (register here)
  • Access points or a wireless controller that supports WPA2-Enterprise (802.1X)
  • Administrative access to your network equipment
  • Client devices (Windows, macOS, iOS, Android, ChromeOS)

Step 1: Create a Network (~2 min)

  1. Log in to the IronWiFi Console
  2. Navigate to Networks
  3. Click Create Network
  4. Select a Region closest to your access points
  5. Click Save

After creation, note these values -- you will need them for your access point configuration:

| Setting | Where to Find |
|---|---|
| Primary RADIUS IP | Networks page |
| Backup RADIUS IP | Networks page |
| Authentication Port | Networks page |
| Accounting Port | Networks page |
| Shared Secret | Networks page |

Tip: Copy the shared secret immediately. You will enter it on your access points exactly as shown -- character for character.

Step 2: Create User Groups (~3 min)

Groups define the policies applied after successful authentication (bandwidth limits, VLAN assignment, session timeouts).

Employee group

  1. Navigate to Users > Groups
  2. Click Add Group
  3. Name: Employees
  4. Add reply attributes:
  5. Click Save

VLAN assignment (optional)

To assign authenticated users to a specific VLAN, add these reply attributes to the group:

See Attributes for the full list of available RADIUS attributes.

Step 3: Add Users (~3 min)

Option A: Create users manually

  1. Navigate to Users
  2. Click Add User
  3. Enter:
    • Username -- e.g., john.doe or john@company.com
    • Email -- User's email address
    • Password -- Set a secure password
  4. Assign the user to the Employees group
  5. Click Save

Option B: Sync from an identity provider

For larger deployments, sync users automatically from your existing directory:

Note: With identity provider sync, users authenticate with their existing directory credentials. No separate passwords need to be managed in IronWiFi.

Step 4: Configure Your Access Points (~5 min)

Configure your access points or wireless controller to use IronWiFi for 802.1X authentication.

General settings

On your access point, create or edit the SSID for enterprise WiFi:

| Setting | Value |
|---|---|
| SSID Name | Your desired network name (e.g., CorpWiFi) |
| Security | WPA2-Enterprise (or WPA3-Enterprise) |
| RADIUS Server IP | Primary RADIUS IP from IronWiFi |
| RADIUS Port | Authentication port from IronWiFi |
| RADIUS Secret | Shared secret from IronWiFi |
| Accounting Server | Same IP, accounting port, same secret |

Add the backup RADIUS server

Configure the backup RADIUS server as a secondary/fallback:

| Setting | Value |
|---|---|
| Backup RADIUS IP | Backup IP from IronWiFi |
| Backup Port | Same authentication port |
| Backup Secret | Same shared secret |

Vendor-specific guides

For step-by-step instructions specific to your hardware:

See the complete list of Configuration Guides for your specific vendor.

Step 5: Configure Client Devices (~5 min)

Windows

  1. Connect to the new SSID
  2. Windows prompts for credentials
  3. Enter the username and password from IronWiFi
  4. If prompted about the server certificate, accept it

For managed deployments, push WiFi profiles via Group Policy or Intune. See the Windows client configuration guide for details.

macOS and iOS

  1. Connect to the SSID
  2. Enter username and password when prompted
  3. Accept the certificate trust prompt

For managed devices, deploy WiFi profiles via MDM. See the macOS/iOS client configuration guide.

Android

  1. Connect to the SSID
  2. Configure:
    • EAP method: PEAP
    • Phase 2 authentication: MSCHAPv2
    • Identity: Your IronWiFi username
    • Password: Your IronWiFi password
  3. For CA certificate, select "Do not validate" or install the IronWiFi CA certificate. With the CA certificate installed, the device can verify the RADIUS server's identity before it sends credentials.

Warning: On Android, disable Randomized MAC (Privacy > Use Device MAC) for the enterprise SSID. Randomized MACs can cause authentication issues with RADIUS.

ChromeOS

  1. Connect to the SSID
  2. Configure:
    • EAP method: PEAP
    • EAP Phase 2 authentication: MSCHAPv2
    • Server CA certificate: Default or install CA cert
    • Identity: Your IronWiFi username
    • Password: Your IronWiFi password

See the ChromeOS configuration guide for managed Chromebook deployment.

Step 6: Test and Verify (~5 min)

Test authentication

  1. Connect a test device to the enterprise SSID
  2. Enter valid credentials
  3. Verify the device connects and receives an IP address
  4. Open a browser and confirm internet access

Verify in the IronWiFi Console

  1. Navigate to Reports > Authentication
  2. Confirm you see an Access-Accept for your test user
  3. Navigate to Reports > Sessions
  4. Confirm an active session appears

Test failure cases

  1. Enter an incorrect password -- Should be rejected
  2. Disable the test user in the Console -- Should be rejected on next connection attempt
  3. Block the primary RADIUS IP in your firewall -- Verify failover to the backup server

Choosing Between WPA2-Enterprise and WPA3-Enterprise

| Feature | WPA2-Enterprise | WPA3-Enterprise |
|---|---|---|
| Encryption | AES-128 (CCMP) | AES-256 (GCMP-256) |
| Key exchange | 4-way handshake | SAE (Simultaneous Authentication of Equals) |
| Forward secrecy | No | Yes |
| Client support | All modern devices | Newer devices (2020+) |
| Recommendation | Broad compatibility | Maximum security |

Tip: If you need to support older devices, use WPA2-Enterprise. For environments where all devices support WPA3, use WPA3-Enterprise for stronger security. Many access points support a transitional mode (WPA2/WPA3 mixed) that accommodates both. See the WPA3-Enterprise guide for details.

Authentication Methods

IronWiFi supports multiple 802.1X authentication methods:

| Method | Use Case | Client Needs |
|---|---|---|
| PEAP-MSCHAPv2 | Username/password authentication | Built-in on all major OSes |
| EAP-TLS | Certificate-based authentication | Client certificate installed |
| EAP-TTLS/PAP | Legacy or special-purpose auth | Supplicant configuration |

PEAP-MSCHAPv2 is the most common choice for enterprise deployments because it works on all platforms without installing client certificates.

EAP-TLS provides the highest security by using client certificates instead of passwords, eliminating the risk of credential theft. See the EAP-TLS guides for Windows, macOS/iOS, and ChromeOS.

Next Steps

Once your enterprise WiFi is running:

Troubleshooting

| Problem | Solution |
|---|---|
| "Authentication failed" | Verify username and password in the IronWiFi Console. Check Reports > Authentication for the reject reason. |
| No RADIUS response | Confirm RADIUS IP, port, and shared secret match exactly. Check firewall allows outbound UDP to IronWiFi. |
| Certificate trust error | Accept the certificate prompt, or deploy the IronWiFi CA certificate via MDM. |
| VLAN not assigned | Verify Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID attributes are set on the group. |
| Intermittent disconnections | Check signal strength, enable RADIUS caching on the AP, and verify both primary and backup servers are configured. |

For detailed troubleshooting, see the Troubleshooting Guide.
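
An added example (not IronWiFi's code) of what an access point does with an Access-Accept, covering both the shared-secret and the VLAN rows above: it checks the Response Authenticator against its own copy of the shared secret and silently discards the reply on a mismatch (RFC 2865), then reads the three VLAN attributes. The secret, request authenticator, VLAN ID and function names are constructed for illustration; the attribute numbers and the values 13 (VLAN) and 6 (IEEE-802) come from RFC 2868 and RFC 3580, and a real AP may be more lenient than this strict check.

```python
import hashlib
import hmac
import struct

TUNNEL_PRIVATE_GROUP_ID = 81
CHECKS = ((64, "Tunnel-Type", 13),          # 13 = VLAN (RFC 3580)
          (65, "Tunnel-Medium-Type", 6))    # 6 = IEEE-802 (RFC 3580)

def response_is_authentic(packet, request_auth, secret):
    """RFC 2865: MD5(code + id + length + RequestAuth + attributes + secret)."""
    digest = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(digest, packet[4:20])

def attributes(packet):
    """Map attribute type -> value (last occurrence wins)."""
    found, pos = {}, 20
    while pos + 2 <= len(packet):
        length = packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        found[packet[pos]] = packet[pos + 2:pos + length]
        pos += length
    return found

def vlan_for(packet, request_auth, secret):
    """Return (vlan_id, reason); vlan_id is None when no VLAN would be applied."""
    if not response_is_authentic(packet, request_auth, secret):
        return None, "discarded: authenticator does not match shared secret"
    attrs = attributes(packet)
    for attr_type, name, want in CHECKS:
        value = attrs.get(attr_type)           # 1 tag byte + 3-byte integer
        if value is None or len(value) != 4 or int.from_bytes(value[1:], "big") != want:
            return None, name + " missing or not %d" % want
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if group[:1] and group[0] <= 0x1F:         # optional leading tag (RFC 2868)
        group = group[1:]
    if not group:
        return None, "Tunnel-Private-Group-ID missing"
    return group.decode("ascii", "replace"), "ok"

def make_accept(pairs, request_auth, secret, packet_id=7):
    """Build a constructed Access-Accept, signed the way a RADIUS server signs it."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in pairs)
    head = struct.pack("!BBH", 2, packet_id, 20 + len(body))
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body

SECRET, REQ_AUTH = b"Ex4mple-Shared-Secret", bytes(range(16))   # constructed values
FULL = make_accept([(64, b"\x00\x00\x00\x0d"), (65, b"\x00\x00\x00\x06"),
                    (81, b"20")], REQ_AUTH, SECRET)
```

Calling `vlan_for(FULL, REQ_AUTH, SECRET + b" ")` shows the effect of a single trailing space in the secret: the reply is treated as if it never arrived.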
