How to Connect to Wi-Fi Using EAP-TLS on Android

EAP-TLS (Extensible Authentication Protocol - Transport Layer Security) is one of the most secure Wi-Fi authentication methods. It uses client and server certificates for mutual authentication, and does not require a username/password.

Requirements

• Client certificate (in .p12 or .pfx format, usually password-protected)
• CA certificate (for verifying the RADIUS server)
• SSID of the Wi-Fi network
• Android device (version 10 or later is preferred)

Installation Steps

1. Install the Certificates

1. Transfer the .p12 (or .pfx) and CA certificate file (.crt or .cer) to your Android device.
2. Tap the certificate files to install them. You may be prompted to enter the import password (for the .p12 file) and give it a name.
3. Make sure you install the client certificate as Wi-Fi credential.

2. Configure the Wi-Fi Network

1. Go to Settings > Network & Internet > Wi-Fi.
2. Select or add your target SSID.
3. Configure the following options:

Wi-Fi Configuration for EAP-TLS

• EAP method: TLS
• Phase 2 authentication: None
• CA certificate: Use system certificates or manually select CA
• Domain: radius.ironwifi.com
• User certificate: select the imported client cert
• Identity: usually your username or email
• Anonymous identity: leave blank

Then tap Connect.

Troubleshooting Tips

• If no certificate shows up, make sure you installed it as a Wi-Fi credential.
• Ensure the RADIUS server is configured to trust the same CA that signed your client cert.
• Android 11+ requires domain matching; the RADIUS cert must include the domain in its SAN.

Security Note

EAP-TLS is considered the gold standard for wireless authentication due to its use of certificates and lack of passwords. Ensure certificates are securely distributed and revoked if compromised.