How To Set Up EAP-TTLS/PAP RADIUS Authentication for Entra ID Wi-Fi Authentication on a Device

Prerequisites

  1. Registering the application in your tenant
  2. Creating a Cloud Radius instance
  3. Being a Subscription Owner or Network Administrator
  4. Being an MDM Administrator

Introduction - How to Set Up RADIUS Authentication on a Device

Authenticating a device to your network is usually seamless for the user: the user connects to the network and the device prompts for the appropriate credentials (either a username and password, or a choice of certificate). This is the most secure way to authenticate your devices to your network. However, some scenarios, such as using Entra ID passwords, need more configuration on the device. We recommend configuring a device manually only for testing, and then using an MDM to deploy the settings to your devices.

How to Configure EAP-TTLS/PAP on Windows for RADIUS Authentication

As mentioned in the introduction, if you are using Entra ID passwords, you need to configure the device to use EAP-TTLS/PAP, because Entra ID does not support MS-CHAPv2 identity delegation. To configure EAP-TTLS/PAP on Windows, follow these steps:

  1. Go to Settings -> Network & Internet -> Wi-Fi.
  2. Click on “Manage known networks”.
  3. Click on “Add Network” on the top right.
  4. Enter the SSID of your network (Case Sensitive).
  5. Select the Security type as either WPA2-Enterprise or WPA3-Enterprise (Depending on your network settings).
  6. As the EAP Method, select “EAP-TTLS”.
  7. For the Authentication Method, select “Unencrypted password (PAP)”. Despite the label, the password is not sent in the clear: it travels inside the TLS tunnel that EAP-TTLS sets up using the server certificate.
  8. Click Save.
  9. Now when you connect to the network you will be prompted for your Entra ID username and password.

How to Configure EAP-TTLS/PAP on macOS for RADIUS Authentication with Entra ID Passwords

As mentioned in the introduction, if you are using Entra ID passwords, you need to configure the device to use EAP-TTLS/PAP, because Entra ID does not support MS-CHAPv2 identity delegation. To configure EAP-TTLS/PAP on macOS, follow these steps:

  1. Download “Apple Configurator” from the App Store.
  2. In Apple Configurator, click on “File” -> “New Profile”.
  3. In the General settings, enter the name of the profile.
  4. Click on “Wi-Fi” on the left.
  5. Click on “Configure”.
  6. Enter the SSID of your network (Case Sensitive).
  7. Select the Security type as either WPA2-Enterprise/WPA3-Enterprise.
  8. Select the EAP Method as “TTLS”.
  9. Enter your Entra ID username in the Identity field.
  10. Enter your Entra ID password in the Password field.
  11. Select “PAP” as the Inner Authentication.
  12. Click Save.

How to Configure EAP-TTLS/PAP on Android for RADIUS Authentication with Entra ID Passwords

As mentioned in the introduction, if you are using Entra ID passwords, you need to configure the device to use EAP-TTLS/PAP, because Entra ID does not support MS-CHAPv2 identity delegation. To configure EAP-TTLS/PAP on Android, follow these steps:

  1. Go to Settings -> Network & Internet -> Wi-Fi.
  2. Scroll down to the bottom and click on “Add Network”.
  3. Enter the Network Name (SSID) of your network (Case Sensitive).
  4. Select the Security type as either WPA2-Enterprise or WPA3-Enterprise (Depending on your network settings).
  5. Select the EAP Method as “TTLS”.
  6. Select the Phase 2 Authentication as “PAP”.
  7. For CA Certificate, if you have installed the certificate on your device, select “Use system certificates”. If not, select “Trust on First Use”.
  8. In the Identity field, enter your Entra ID username.
  9. In the Password field, enter your Entra ID password.
  10. Click Save at the bottom right.