Configure Client Device for EAP-TTLS Authentication

To secure your network through EAP-TTLS authentication, follow these configuration steps on the client device.

Juniper Mist Access Assurance supports EAP-TTLS authentication only with PAP as the inner method. By default, most client devices, such as Apple iOS/macOS and Windows, attempt to use PEAP-MSCHAPv2 or EAP-TTLS/MSCHAPv2 when a user enters credentials at the SSID login prompt. These methods rely on password hashing (such as MSCHAPv2) and are not supported with modern cloud-based Identity Providers (IdPs). To enable successful onboarding, client devices must be explicitly configured to use EAP-TTLS with PAP. In production deployments, this configuration is typically enforced through Mobile Device Management (MDM) solutions. For validation or lab testing, however, the method can also be configured manually on the device by following the steps below.

Prerequisites

  1. Download the Juniper Mist Org CA certificate:

    Client devices must trust the Mist Access Assurance server. The Mist Org CA certificate must be included in the wireless profile you configure.

    1. On the Juniper Mist portal, go to Organization > Access > Certificates. On the Certificate Authorities page, click View Mist Certificate to display the certificate details.
      Figure 1: Download Juniper Mist CA Certificate
    2. Click Download Certificate to download the certificate on your client device.

      Note: If you are using a custom server certificate, use the Root CA of the server certificate instead of the Mist Org CA.
  2. Configure the Identity Provider (IdP): In Juniper Mist dashboard, navigate to Organization > Access > Identity Providers > Add IDP and configure the required IdP details. For details, see Add Identity Providers for Juniper Mist Access Assurance.
    Figure 2: Configure the Identity Provider
  3. Create an Auth Policy Rule: Under Organization> Access> Auth Policies, define an appropriate Auth Policy Rule that allows EAP-TTLS client devices to connect to the network. For details, see Configure Authentication Policy.
    Figure 3: Create an Auth Policy

Configure Apple Device for EAP-TTLS Authentication

This procedure describes the configuration on an Apple macOS device.

For this task, create an EAP-TTLS network profile using a free Apple Configurator tool.

Create a profile on your Apple client device:

  1. On your macOS client, open the Apple Configurator tool and click File > New Profile.
    Figure 4: Wi-Fi Profile Configuration for Apple Client

    A new configuration profile document opens.

  2. On the left navigation bar of the Apple Configurator page, click Certificates > Configure. Select and upload the Mist certificate you downloaded (as described in Prerequisites). For client devices to trust the Juniper Mist Access Assurance server, the certificate must be included in the wireless profile.
    Figure 5: Upload Juniper Mist CA Certificate in Wi-Fi Profile Configuration
  3. From the left-navigation bar of the Apple Configurator tool, select Wi-Fi and click Configure.
    Figure 6: Wi-Fi Profile Configuration

    Enter the following options for the Wi-Fi settings:

    • SSID: Your network's SSID. Ensure that you enter the SSID exactly, including capital letters.
    • Security Type: WPA2/WPA3 Enterprise
    • Accepted EAP Types: TTLS, and select Per-connection Password.
    • Inner Authentication: PAP
    Figure 7: Wi-Fi Profile Configuration Settings
  4. On the same page, under Enterprise Settings next to Protocols, click Trust. The page displays a list of uploaded certificates.

    Select the Juniper Mist CA certificate and enter auth.mist.com under Trusted Server Certificate Name. This step enables the client device to trust the Juniper Mist Access Assurance Server.

    Figure 8: Trust Juniper Mist CA Certificate in Wi-Fi Profile
  5. Save the profile configuration.
    Figure 9: Save Wi-Fi Profile Configuration
  6. To sign the profile, you need an Apple trusted certificate. This step is required for production use.

Now you can install the profile onto your macOS device and connect to the SSID through EAP-TTLS.
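The Apple Configurator steps above produce a configuration profile (.mobileconfig), which is also what an MDM pushes in production. The following added example, not Juniper's or Apple's code, builds the same profile programmatically with Python's plistlib and then checks the settings that actually protect a PAP password inside the TLS tunnel: a CA anchor payload, auth.mist.com as the trusted server name, and PAP as the inner method. The CA certificate bytes, the payload identifiers and the SSID are constructed placeholders; the profile keys (com.apple.wifi.managed, AcceptEAPTypes, TTLSInnerAuthentication, TLSTrustedServerNames, PayloadCertificateAnchorUUID) are Apple's documented profile keys, and 21 is the IANA EAP method number for EAP-TTLS.

```python
"""Build and validate an Apple configuration profile for EAP-TTLS with PAP.

Added example, not code from the original page or from Juniper/Apple. It assumes
the Mist Org CA certificate was downloaded as DER; a constructed placeholder byte
string stands in for it so the script runs offline.
"""
import plistlib
import uuid

# Constructed placeholder for the downloaded Mist Org CA certificate (DER bytes).
PLACEHOLDER_CA_DER = b"\x30\x82\x00\x10PLACEHOLDER-MIST-ORG-CA"

TRUSTED_SERVER_NAME = "auth.mist.com"  # trusted server name from the page
EAP_TYPE_TTLS = 21                      # IANA EAP method number for EAP-TTLS


def build_profile(ssid, ca_der, inner_auth="PAP", trusted_names=(TRUSTED_SERVER_NAME,)):
    """Return an unsigned .mobileconfig (XML plist bytes) for the given SSID."""
    ca_uuid = str(uuid.uuid4()).upper()
    cert_payload = {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.cert.{ca_uuid}",  # placeholder identifier
        "PayloadUUID": ca_uuid,
        "PayloadDisplayName": "Mist Org CA",
        "PayloadContent": ca_der,  # bytes are written as a <data> element
    }
    wifi_uuid = str(uuid.uuid4()).upper()
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.wifi.{wifi_uuid}",  # placeholder identifier
        "PayloadUUID": wifi_uuid,
        "PayloadDisplayName": f"Wi-Fi ({ssid})",
        "SSID_STR": ssid,
        "AutoJoin": True,
        "EncryptionType": "WPA2",  # WPA2 with an EAP configuration = WPA2 Enterprise
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [EAP_TYPE_TTLS],
            "TTLSInnerAuthentication": inner_auth,
            "OneTimeUserPassword": True,  # "Per-connection Password" in Apple Configurator
            "PayloadCertificateAnchorUUID": [ca_uuid],  # step 4: trust the Mist CA
            "TLSTrustedServerNames": list(trusted_names),  # step 4: trusted server name
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.eap-ttls-pap",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{ssid} EAP-TTLS/PAP",
        "PayloadContent": [cert_payload, wifi_payload],
    }
    return plistlib.dumps(profile)


def check_profile(profile_bytes):
    """Return a list of problems; an empty list means the profile meets the page's requirements."""
    profile = plistlib.loads(profile_bytes)
    payloads = profile.get("PayloadContent", [])
    anchors = {p["PayloadUUID"] for p in payloads if p.get("PayloadType") == "com.apple.security.root"}
    wifi_payloads = [p for p in payloads if p.get("PayloadType") == "com.apple.wifi.managed"]
    if not wifi_payloads:
        return ["no Wi-Fi payload in profile"]
    problems = []
    for p in wifi_payloads:
        eap = p.get("EAPClientConfiguration", {})
        ssid = p.get("SSID_STR", "?")
        if eap.get("AcceptEAPTypes") != [EAP_TYPE_TTLS]:
            problems.append(f"{ssid}: AcceptEAPTypes must be exactly [TTLS]")
        if eap.get("TTLSInnerAuthentication") != "PAP":
            problems.append(f"{ssid}: inner authentication must be PAP, not "
                            f"{eap.get('TTLSInnerAuthentication')}")
        if not set(eap.get("PayloadCertificateAnchorUUID", [])) & anchors:
            problems.append(f"{ssid}: no CA anchor payload referenced")
        if TRUSTED_SERVER_NAME not in eap.get("TLSTrustedServerNames", []):
            problems.append(f"{ssid}: {TRUSTED_SERVER_NAME} missing from TLSTrustedServerNames")
    return problems


if __name__ == "__main__":
    data = build_profile("Corp-NET", PLACEHOLDER_CA_DER)
    print(check_profile(data) or "profile OK")
```

The output is an unsigned profile, which iOS flags as such when installed (as in Figure 11); signing it with a certificate the device trusts is a separate step and, as the page notes, required for production. The check function is worth running over any profile before deployment: without an anchor or a trusted server name, PAP credentials would be released to any RADIUS server whose certificate the device happens to accept.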

For iOS and iPadOS

To test EAP-TTLS on an iPhone or iPad, you can export the configured Wi-Fi profiles from your macOS device and share them via AirDrop. Once received, install these profiles on the iOS device to connect using EAP-TTLS with PAP authentication.

  1. On your iOS device, open the Settings app and tap Profile Downloaded.
    Figure 10: Locate Profile iPhone Settings screen in dark mode showing options for Start Using iCloud, Finish Setting Up Your iPhone, Profile Downloaded, Airplane Mode, Wi-Fi, Bluetooth, Mobile Service, and Battery.
  2. Tap Install in the upper-right corner of the screen.
    Figure 11: Install Profile Prompt to install unsigned profile named Corp-NET with Wi-Fi certificate. Options: Cancel, Install, Remove Downloaded Profile.
  3. Follow the on-screen instructions to complete the installation process.

  4. Enter the username and password, then tap Join to connect to the wireless network.

    Figure 12: Connect Wireless Network Wi-Fi login screen prompting for username and password to connect to network Corp-NET with Mode set to Automatic.

Configure Windows Device for EAP-TTLS Authentication

Use the following steps to configure a Windows device for EAP-TTLS authentication.

  1. Download the Juniper Mist Org CA certificate (as mentioned in Prerequisites) and import the Mist Org CA Certificate on to your Windows device under Manage Computer Certificates > Trusted Root Certification Authorities.
    Figure 13: Trusted Root Certificates on Windows Device Microsoft Management Console displaying the Certificates snap-in with a list of trusted root certificates, including columns for Issued To, Issued By, Expiration Date, and Intended Purposes.
  2. On your Windows device, go to Control Panel > Network and Sharing Center > Set up a new connection or network, select Manually connect to a wireless network, and click Next.
    Figure 14: Setup New Connection Network and Sharing Center in Windows showing Airtel_Home 4 as the active public network and a setup window with Manually connect to a wireless network option highlighted.
  3. In the Enter information for the wireless network you want to add, provide the following details:
    • Network name— Provide an SSID name.

    • Security type—Select the WPA2-Enterprise or WPA3-Enterprise option.

    Figure 15: Enter Information for Wireless Network Manually connecting to a wireless network in Windows Control Panel. Network name is MGMT-SSID with WPA2-Enterprise security and AES encryption. Security key field is empty. Options to start connection automatically and connect if not broadcasting are shown.

    When you click Next, a confirmation message appears stating that your SSID has been successfully added.

    Figure 16: Configure Wireless Network: Connection Settings Network and Sharing Center showing current active network Airtel_Home 4 as public. Pop-up confirms MGMT-SSID added. Options to change settings, set up new connection, or troubleshoot.

    Click Change connection settings.

  4. Go to the Security tab, and under Choose a network authentication method, select Microsoft: EAP-TTLS and click Settings.
    Figure 17: Configure Wireless Network Properties Wireless network properties dialog on the Security tab showing WPA2-Enterprise, AES encryption, and EAP-TTLS authentication settings with credentials checkbox checked. Network and Sharing Center options visible in the background.
  5. In the TTLS Properties window, perform following actions:

    • Disable the Enable Identity Privacy option.

    • For the Connect to these servers, enter auth.mist.com

    • Under Trusted Root Certification Authorities, select the Mist Org CA certificate or Root CA of your custom RADIUS server certificate.

    • For Select a non-EAP method for authentication, select Unencrypted password (PAP).
    Figure 18: Configure Wireless Network: TTLS Properties Network and Sharing Center showing Airtel_Home 4 as a public network and TTLS Properties dialog with anonymous identity, auth.mist.com server, trusted root authorities, and PAP authentication.

    Click OK.

  6. Back in the Security tab, click Advanced settings.

    • Check Specify authentication mode and select User Authentication option.
    • Click OK, then Close to complete your configuration.
    Figure 19: Configure Wireless Network: Advanced Settings Windows Control Panel Network and Sharing Center showing Airtel_Home 4 as a public network and options for wireless network properties configuration.

Configure Android Device for EAP-TTLS Authentication

Use the following steps to configure an Android device for EAP-TTLS authentication. Navigation steps may vary slightly depending on the device model; the example provided here is based on a Google Pixel 9.

  1. Download the Mist Org CA certificate and save it to your device's storage.
  2. Open the Settings app on your Android device and navigate to Settings > Network and Internet > Internet > Network Preferences. Tap Install Certificates.
    Figure 20: Install Certificate Smartphone screen showing Network preferences menu with options for enabling Wi-Fi auto-on, public network notifications, WEP networks, installing certificates, Wi-Fi Direct, and a message about installed Wi-Fi certificate.
  3. From internal storage, select the Mist Org CA certificate and enter a name for the certificate. If you are using a custom RADIUS server certificate, choose the Root CA corresponding to that server instead of the Mist Org CA.

    Figure 21: Enter Certificate Name Mobile device screen showing network preferences: options to turn on Wi-Fi automatically, notify for public networks, and allow WEP networks. Pop-up window for naming a certificate with Mist-Org-CA-Cert being entered, options to cancel or confirm.
  4. Once the CA certificate is downloaded and installed, click on the SSID and configure the connection as follows:

    • EAP Method: TTLS
    • Phase 2 Authentication: PAP
    • CA Certificate: Select the Org CA Certificate
    • Domain: Enter auth.mist.com.
    • Credentials: Enter the Username and Password.
      Figure 22: Configure Wireless Network Wi-Fi setup screen for Corp-NET with enterprise authentication. EAP TTLS, PAP, Mist-Org-CA-Cert, TLS v1.0, auth.mist.com, identity jack@89mistilbs.org, password hidden.

      Click Connect to complete the configuration.

Configure Linux Device for EAP-TTLS Authentication

Use the following steps to configure EAP-TTLS authentication on a Linux (Ubuntu) device:

  1. Open the network settings and click on the SSID to be connected.
    Figure 23: Wireless Network Configuration Wi-Fi authentication dialog on Linux prompting credentials for Corp-NET with WPA WPA2 Enterprise, username jack at 9mistlibs dot org, and hidden password.
  2. Under Wi-Fi Security, choose WPA & WPA2 Enterprise.
  3. For Authentication, select Tunneled TLS (EAP-TTLS).
  4. Set the Domain field to: auth.mist.com
  5. For the CA certificate, select the Mist Org CA certificate that was previously downloaded. If you are using a custom RADIUS server certificate, choose the Root CA corresponding to that server instead of the Mist Org CA.
  6. Set Inner authentication (or Phase 2 Authentication) to PAP.
  7. Enter the Username and Password provided for authentication.
  8. Click Connect to complete the configuration.
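On a headless Ubuntu host the same connection is usually provisioned as a NetworkManager keyfile rather than through the GUI. The following added example, not NetworkManager's or Juniper's code, writes the keyfile equivalent of steps 2 to 7 and refuses to emit one that lacks either the CA certificate or the domain match, since those two settings are what keep a PAP password from being sent to an untrusted server. The CA path, username and password are constructed placeholders; the mapping of the GUI "Domain" field to 802-1x.domain-suffix-match and the keyfile layout follow NetworkManager's keyfile conventions as the author of this example knows them.

```python
"""NetworkManager keyfile for EAP-TTLS/PAP, mirroring the Ubuntu GUI steps.

Added example, not code from the page or from NetworkManager. Assumes the Mist
Org CA was saved as PEM at CA_PATH (placeholder) and NetworkManager's keyfile
format for 802-1x settings.
"""
import configparser
import io

CA_PATH = "/etc/ssl/certs/mist-org-ca.pem"  # placeholder path, not from the page
TRUSTED_DOMAIN = "auth.mist.com"             # step 4 of the Linux procedure


def build_keyfile(ssid, identity, password, ca_cert=CA_PATH, domain=TRUSTED_DOMAIN):
    """Return keyfile text; raise ValueError if server validation would be incomplete."""
    if not ca_cert or not domain:
        raise ValueError("EAP-TTLS/PAP requires both a CA certificate and a server domain match")
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep key names exactly as NetworkManager expects them
    cfg["connection"] = {"id": ssid, "type": "wifi"}
    cfg["wifi"] = {"ssid": ssid, "mode": "infrastructure"}
    cfg["wifi-security"] = {"key-mgmt": "wpa-eap"}  # step 2: WPA & WPA2 Enterprise
    cfg["802-1x"] = {
        "eap": "ttls;",               # step 3: Tunneled TLS (EAP-TTLS); NM list syntax
        "phase2-auth": "pap",         # step 6: inner authentication PAP
        "identity": identity,         # step 7
        "password": password,         # step 7
        "ca-cert": ca_cert,           # step 5: Mist Org CA (or custom root CA)
        "domain-suffix-match": domain,  # step 4: Domain = auth.mist.com
    }
    cfg["ipv4"] = {"method": "auto"}
    cfg["ipv6"] = {"method": "auto"}
    buf = io.StringIO()
    cfg.write(buf, space_around_delimiters=False)
    return buf.getvalue()


def parse_keyfile(text):
    """Parse keyfile text back into {section: {key: value}} for inspection."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str
    cfg.read_string(text)
    return {section: dict(cfg[section]) for section in cfg.sections()}


if __name__ == "__main__":
    # Constructed sample credentials, not real values.
    print(build_keyfile("Corp-NET", "jack@example.org", "s3cret-placeholder"))
```

Write the result to /etc/NetworkManager/system-connections/Corp-NET.nmconnection owned by root with mode 0600 (NetworkManager ignores keyfiles that are readable by others), then run `nmcli connection reload`. Because the file contains the PAP password in cleartext, the file permissions matter as much as the settings inside it.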

Client Connection and Verification

  1. Connect your client device to the network with the username and password.
  2. In the Juniper Mist portal, navigate to Monitor > Service Levels > Insights. Under the Client Events section, view NAC client authentication events.
    Figure 24: NAC Client Authentication Events