How to Connect to Wi-Fi Using EAP-TLS on a Chromebook
EAP-TLS (Extensible Authentication Protocol - Transport Layer Security) is a highly secure enterprise Wi-Fi authentication method that uses certificates instead of passwords. Chromebooks support EAP-TLS natively and can be configured manually or via enterprise policies.
Requirements
- A client certificate in
.p12or.pfxformat - CA certificate (
.crt,.pem, or.cer) - Wi-Fi SSID and server domain
- Chromebook running ChromeOS
Step-by-Step Setup
1. Import Certificates
- Open Chrome and navigate to
chrome://settings/certificates. - Under the Your certificates tab, import the
.p12certificate. You will be prompted for the password. - Under the Authorities tab, import the CA certificate and mark it as trusted for Wi-Fi authentication.
2. Connect to the Wi-Fi Network
- Click on the clock (bottom right), then the Wi-Fi icon.
- Click the target SSID or “Join other network”.
- Fill out the following fields:
- Security:
WPA2-Enterprise - EAP Method:
EAP-TLS - Server CA Certificate: Select the CA you installed earlier
- Domain: (Recommended),
radius.ironwifi.com - User Certificate: Select your imported certificate
- Identity: Often your username or email address
- Anonymous Identity: Leave blank
Click Connect to establish a secure Wi-Fi connection.
Enterprise Deployment
For managed Chromebooks, you can use a Google Workspace policy with an ONC file or Google Admin console to preconfigure:
- Network SSID
- EAP method
- Client & CA certificates
- Certificate provisioning via PKCS#11, TPM, or Zero-Touch Enrollment
Troubleshooting
- If the client certificate is not listed, ensure it was imported correctly under “Your certificates.”
- Check that the RADIUS server uses a valid certificate signed by your CA.
- Verify the domain name matches the SAN of the RADIUS certificate (especially on ChromeOS 89+).
Security Note
EAP-TLS offers mutual certificate authentication and eliminates password-based attacks. Always use a trusted CA and protect your private key file.