How To Set Up EAP-TTLS/PAP RADIUS Authentication for Entra ID Wi-Fi Authentication on a Device

Prerequisites

  1. Registering the application in your tenant
  2. Creating Cloud Radius Instance
  3. Being a Subscription Owner or Network Administrator
  4. Being an MDM Administrator.

Introduction - How to Set Up RADIUS Authentication on a Device

When you authenticate your devices to your network, the process is usually seamless to the user: the user connects to the network and the device prompts for the appropriate credentials (either a username and password, or a certificate to choose). This is the most secure way to authenticate your devices to your network. However, in some scenarios (such as using Entra ID passwords) the device needs more configuration. We recommend doing this manually only for testing on a device, and then using an MDM to deploy the settings to your devices.

How to Configure EAP-TTLS/PAP on Windows for RADIUS Authentication

As mentioned in the introduction, if you are using Entra ID passwords, you will need to configure the device to use EAP-TTLS/PAP, because Entra ID does not support MS-CHAPv2 identity delegation. To configure EAP-TTLS/PAP on Windows, follow these steps:

  1. Go to Settings -> Network & Internet -> Wi-Fi.
  2. Click on Manage known networks.
  3. Click on “Add Network” on the top right.
  4. Enter the SSID of your network (Case Sensitive).
  5. Select the Security type as either WPA2-Enterprise or WPA3-Enterprise (Depending on your network settings).
  6. As the EAP Method, select “EAP-TTLS”.
  7. For the Authentication Method, select “Unencrypted password (PAP)”. Despite the name, the password is encrypted in transit: EAP-TTLS sends it inside a TLS tunnel established with the server certificate.
  8. Click Save.
  9. Now when you connect to the network you will be prompted for your Entra ID username and password.
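The PAP password is only protected if the device validates the RADIUS server certificate before the TLS tunnel is opened. As an added example (not part of the original guide or of any vendor tooling), this Python check audits the EAP section of a Windows Wi-Fi profile, such as one prepared for MDM deployment, for the EAP-TTLS/PAP settings above plus server validation. The sample XML is constructed; its element names assume Windows' EapTtlsConnectionPropertiesV1 profile schema, and radius.example.com and the CA hash are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the guide): EAP section of a Windows Wi-Fi profile.
# radius.example.com and the all-zero CA hash are placeholders.
SAMPLE = """<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
 <EapMethod>
  <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">21</Type>
  <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">311</AuthorId>
 </EapMethod>
 <Config>
  <EapTtls xmlns="http://www.microsoft.com/provisioning/EapTtlsConnectionPropertiesV1">
   <ServerValidation>
    <ServerNames>radius.example.com</ServerNames>
    <TrustedRootCAHash>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00</TrustedRootCAHash>
    <DisablePrompt>true</DisablePrompt>
   </ServerValidation>
   <Phase2Authentication><PAPAuthentication/></Phase2Authentication>
  </EapTtls>
 </Config>
</EapHostConfig>"""


def audit(xml_text):
    """Return a list of findings; an empty list means the profile passes."""
    nodes = {}
    for el in ET.fromstring(xml_text).iter():
        # Index elements by local name so the check ignores XML namespaces.
        nodes.setdefault(el.tag.rsplit("}", 1)[-1], el)

    def text(name):
        return (nodes[name].text or "").strip() if name in nodes else ""

    findings = []
    if text("Type") != "21":  # 21 is the EAP type number for EAP-TTLS
        findings.append("EAP method is not TTLS")
    if "PAPAuthentication" not in nodes:
        findings.append("inner method is not PAP")
    # Without these, any server presenting a certificate could receive the password.
    if not text("ServerNames"):
        findings.append("no RADIUS server name configured")
    if not text("TrustedRootCAHash"):
        findings.append("no trusted root CA configured")
    if text("DisablePrompt").lower() != "true":
        findings.append("user can be prompted to trust an unknown server")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE) or "profile OK")
```

Run it against the EAP configuration of a profile before handing it to the MDM; any finding means the profile differs from the settings in this guide or leaves server validation open.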

How to Configure EAP-TTLS/PAP on macOS for RADIUS Authentication with Entra ID Passwords

As mentioned in the introduction, if you are using Entra ID passwords, you will need to configure the device to use EAP-TTLS/PAP, because Entra ID does not support MS-CHAPv2 identity delegation. To configure EAP-TTLS/PAP on macOS, follow these steps:

  1. In the top bar, click on the Wi-Fi icon.
  2. Click on “Join Other Network”.
  3. In the Network Name, enter the SSID of your network (Case Sensitive).
  4. Select the Security type as either WPA2-Enterprise or WPA3-Enterprise (Depending on your network settings).
  5. Under Enterprise Settings, select “Protocols”, and then select “TTLS”.
  6. In the “Inner Authentication” dropdown select “PAP”.
  7. Click “Create”.

How to Configure EAP-TTLS/PAP on Android for RADIUS Authentication with Entra ID Passwords

As mentioned in the introduction, if you are using Entra ID passwords, you will need to configure the device to use EAP-TTLS/PAP, because Entra ID does not support MS-CHAPv2 identity delegation. To configure EAP-TTLS/PAP on Android, follow these steps:

  1. Go to Settings -> Network & Internet -> Wi-Fi.
  2. Scroll down to the bottom and click on “Add Network”.
  3. Enter the Network Name (SSID) of your network (Case Sensitive).
  4. Select the Security type as either WPA2-Enterprise or WPA3-Enterprise (Depending on your network settings).
  5. Select the EAP Method as “TTLS”.
  6. Select the Phase 2 Authentication as “PAP”.
  7. For CA Certificate, if you have installed the certificate on your device, select “Use system certificates”. If not, select “Trust on First Use”.
  8. In the Identity field, enter your Entra ID username.
  9. In the Password field, enter your Entra ID password.
  10. It should look like this (screenshot: Android EAP-TTLS/PAP Settings for RADIUS).
  11. Click Save at the bottom right.